By default, encryption keys have a reminder date one year after creation. The Reminder Date column displays a date to serve as a cue to rotate each encryption key.
When it is time to rotate an encryption key:
- The key shows as disabled in the Status column of the Encryption Keys page.
- The key is removed from the list of available keys shown in the Key drop-down of the Encrypted Workspaces page.
- Workspaces encrypted with that key remain encrypted, including backup versions of the workspace.
- You can enable it. See Enabling an encryption key.