Key rotation
Rotate without re-encrypting your stored envelopes.
~ 1 min read
Rotation in Cipher is non-destructive. New encrypts use the new key; old envelopes stay decryptable until the old key’s grace window closes.
How it works
- You (or the auto-rotator) issue a new key version.
- The SDK starts using the new version for
encrypt. decryptaccepts envelopes sealed under any key version that hasn’t expired.- Old keys retire after the grace window — default 30 days.
Trigger rotation
cipher keys rotate sk_live_xxxYou can also schedule:
cipher keys rotate sk_live_xxx --schedule "0 0 * * 0"
Last updated
Edit this page