What is Key Rotation?

Every key has a useful lifespan. The longer a key remains in use, the more data is encrypted under it (increasing the material available for cryptanalysis), the more opportunities exist for it to be leaked or stolen, and the greater the damage if it is compromised. Key rotation limits this exposure by ensuring that any single key protects only a bounded amount of data over a bounded time period.

Rotation strategies vary by key type. Symmetric encryption keys should be rotated based on usage volume or time — many standards recommend rotation before a key encrypts more than 2^32 blocks. API keys and service credentials are typically rotated on a calendar schedule (30, 60, or 90 days) or immediately upon suspected compromise. TLS certificates have built-in expiration dates that force rotation.

Effective key rotation requires systems designed for it. Applications should support multiple active keys simultaneously (to decrypt old data while encrypting new data with the latest key), and the rotation process should be automated to avoid manual errors. Key wrapping and envelope encryption simplify rotation: rotating a master key only requires re-wrapping the data keys, not re-encrypting all the data.

How Vaulted uses Key Rotation

Vaulted's ephemeral design sidesteps the traditional key rotation problem. Each secret gets a unique AES-256-GCM key that exists only for the lifetime of that secret — there is no long-lived key to rotate. Once the secret self-destructs (via view limit or expiration), both the ciphertext on the server and the key in the shared link become irrelevant. This per-secret key model provides stronger guarantees than periodic rotation because no single key ever protects more than one secret.