From the docs page about key rotation (Key Rotation | Vault | HashiCorp Developer) there are two separate keys:
- internal encryption key - Encrypts and protects data written to the storage backend.
- root key - “Master” key that seals Vault and protects the internal encryption key.
Is there a way to manually and/or periodically rotate the root key?
I see that there is sys/rotate and sys/rotate/config which say they handle “rotation of the backend encryption key”. Does this refer to the “internal encryption key” or “root key” from the list above?
Also there is /sys/rekey that deals with shares of the root key. It seems like it generates new key shares, but does this actually rotate the value of the key itself or just create new shares from which the same key can be constructed?