Back to runbook library
security
Rotating Encryption Keys
Rotate connector and environment secret material while preserving decryptability for existing workspace configuration.
Estimated time
15 min
Severity
critical
Procedure
1
Create the replacement key
Provision the new key in the secret manager and verify runtime access in staging.
2
Re-encrypt stored connector secrets
Rotate stored encrypted values in controlled batches and watch for read failures during the migration window.
3
Invalidate the previous key
Disable or retire the old key only after decryption, workflow smoke tests, and audit review are complete.