Key rotation

The encryption keys are versioned for seamless key rotation. Each key type includes a current key, used for both encryption and decryption, and a set of previous or rotated keys, used exclusively for decryption.

New encryption keys are automatically generated when the existing keys reach a certain age, currently set at 23 months. The newly generated key becomes the current key, while the previous key is moved to the list of rotated keys, for decryption of data encrypted with earlier key versions.

In normal operation, manual rotation of encryption keys is not required. However, administrative options are available to rotate the keys if necessary.