Rotating Keys

A key rotation policy specifies how often an organization must rotate its keys between different sets of encrypted files within an application.

You can rotate your keys regularly to comply with company policy and to help reduce the amount of content encrypted with a single key. Only Encryption Administrators have permission to rotate keys.

As an Encryption Administrator, you can rotate the key for a workspace that has a BYOK Encryption state of Encrypted by using the Reassign Key button.

Note: To rotate a key, the workspace must be in the 'Ready' state. See Ready Workspaces.

Warning: Reassigning the encryption key for a workspace does not decrypt the workspace. Reassignment is carried out offline, and the workspace is not available until reassignment is complete.

To rotate a key for an encrypted workspace:

  1. In the Anaplan Administration sidebar, under BYOK, select Workspaces.
  2. Select the workspace for which you want to rotate the encryption key.
  3. Click Reassign Key.
    Note: All previous versions of this workspace will remain encrypted with the previous key. We recommend that you make a note of this key for future reference.
  4. Click Continue.
  5. Select the Encryption Key that you want to use.

  6. Click Re-Assign Key. The BYOK Encryption Status changes to In Progress. When the operation is complete, the BYOK Encryption Status changes to Encrypted.
  7. Click Refresh to get the latest state of every workspace.