/sys/rotate/config

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website.

The /sys/rotate endpoint is used to configure automatic key rotation.

Configure automatic key rotation

This endpoint configures the automatic rotation of the backend encryption key. By default, the key is rotated after just under 4 billion encryptions, to satisfy the recommendation of NIST SP 800-38D. One can configure rotations after fewer encryptions or on a time based schedule.

Create or update the auto rotation configuration

Parameters

• max_operations (int: 3865470566) - Specify the limit of encryptions after which the key will be automatically rotated. The number must be between 1,000,000 and the default.
• interval `(string: "") - If set, the age of the active key at which an automatic rotation is triggered. Specified as a Go duration string (e.g. 4320h), the value must be at least 24 hours.
• enabled (bool: true) - If set to false, automatic rotations will not be performed. Tracking of encryption counts will continue.

Sample payload

{
  "max_operations": 2000000000,
  "interval": "4320h"
}

Sample request

$ curl \
    --request POST \
    --header "X-Vault-Token: ..." \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/rotate/config

Get the auto rotation configuration

Sample request

$ curl \
    --request GET \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/rotate/config

Sample response

{
  "request_id": "f3d91b4a-69bf-4aaf-b928-df7a5486c130",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "max_operations": 2000000000,
    "interval": "4320h",
    "enabled": true
  },
  "warnings": null
}