A key rotation policy specifies how often an organization must rotate their keys between different sets of encrypted files within an application.

You can regularly rotate your keys to comply with company policy and to also help to reduce the amount of content encrypted with just a single key. Only Encryption Administrators have permission to rotate keys.

As an Encryption Administrator you can rotate the key for a workspace with a BYOK Encryption state of Encrypted by using the Reassign Key button.

To rotate a key, the workspace must be in the Ready state.

Warning: When you reassign the encryption key for a workspace, this does not decrypt the workspace. Reassignment is carried out offline and that workspace is not available until reassignment is complete.

To rotate a key for an encrypted workspace:

  1. Access Administration from the Application menu.
  2. Select BYOK > Workspaces.
  3. Select the workspace for which you want to rotate the encryption key.
  4. Select Reassign Key.
    All previous versions of this workspace will remain encrypted with the previous key. We recommend that you make a note of the previous key that displays in the dialog for future reference.
  1. Select Continue.
  2. Select the Encryption Key that you want to use.
  3. Select Re-Assign Key.
    The BYOK Encryption Status changes to In Progress. When the operation is complete, the BYOK Encryption Status changes to Encrypted.
  4. Select Refresh to get the latest state of every workspace.