Key Rotation Guide

Guide for rotating the master encryption key used to encrypt Key B in the database.

When to Rotate

Suspected key compromise
Employee departure with key access
Scheduled rotation (recommended: annually)
Security audit requirement

Rotation Process

1. Generate New Key

openssl rand -base64 32

2. Set New Key in Wrangler

wrangler secret put MASTER_ENCRYPTION_KEY_NEW

3. Deploy Migration Script

Re-encrypt all existing seals with new key (requires custom migration script).

4. Update Production Key

wrangler secret put MASTER_ENCRYPTION_KEY
# Enter the new key value

5. Remove Old Key

wrangler secret delete MASTER_ENCRYPTION_KEY_NEW

Downtime

Key rotation requires brief downtime (5-10 minutes) during re-encryption.

Rollback

Keep old key in secure backup for 30 days in case rollback is needed.

Testing

Always test rotation in staging environment first.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Key Rotation Guide

When to Rotate

Rotation Process

1. Generate New Key

2. Set New Key in Wrangler

3. Deploy Migration Script

4. Update Production Key

5. Remove Old Key

Downtime

Rollback

Testing

Uh oh!

FilesExpand file tree

KEY-ROTATION.md

Latest commit

History

KEY-ROTATION.md

File metadata and controls

Key Rotation Guide

When to Rotate

Rotation Process

1. Generate New Key

2. Set New Key in Wrangler

3. Deploy Migration Script

4. Update Production Key

5. Remove Old Key

Downtime

Rollback

Testing