HashiConf More sessions have been added to the conference agenda. Buy your pass and plan your schedule. Register
Vault
Vault Home

/sys/rotate

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website.

Restricted endpoint

Clients must call the API path from the root namespace.

The /sys/rotate endpoint is used to rotate the encryption key.

Rotate encryption key

This endpoint triggers a rotation of the backend encryption key. This is the key that is used to encrypt data written to the storage backend, and is not provided to operators. This operation is done online. Future values are encrypted with the new key, while old values are decrypted with previous encryption keys.

This path requires sudo capability in addition to update.

MethodPath
POST/sys/rotate

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    http://127.0.0.1:8200/v1/sys/rotate
Edit this page on GitHub