Skip to main content

Rotate data encryption keys

post

/api/pvlt/1.0/system/admin/keys/rotate

Rotates all the KMS keys that Vault uses to encrypt properties, tokens, and more.

When the keys are rotated, new data is encrypted with the new key. All old keys are retained, so that content encrypted with previous keys can be decipherable.

The role that performs this operation must have the CapKMSWriter capability. See Access control for more information about how capabilities are used to control access to operations.

Possible responses

The request is successful.

The request is invalid.

application/json

object required*

Additional properties: falseProperties:

context - object required*
The error context.
Example: [object Object]Type of additional properties:
error_code - string required*
The error code.
Example: PVxxxx
message - string required*
The error message.
Example: The object is not found.

Example
{
  "error_code": "PV1001",
  "message": "The access reason is missing.",
  "context": {
    "reason": null
  }
}

Authentication credentials are incorrect or missing.

application/json

object required*

Additional properties: falseProperties:

context - object required*
The error context.
Example: [object Object]Type of additional properties:
error_code - string required*
The error code.
Example: PVxxxx
message - string required*
The error message.
Example: The object is not found.

Example
{
  "error_code": "PV1005",
  "message": "The request is unauthorized.",
  "context": {}
}

The caller doesn't have the required access rights.

application/json

object required*

Additional properties: falseProperties:

context - object required*
The error context.
Example: [object Object]Type of additional properties:
error_code - string required*
The error code.
Example: PVxxxx
message - string required*
The error message.
Example: The object is not found.

Example
{
  "error_code": "PV1007",
  "message": "The operation is forbidden due to missing capabilities.",
  "context": {
    "username": "WebServer"
  }
}

The requested resource is not found.

application/json

object required*

Additional properties: falseProperties:

context - object required*
The error context.
Example: [object Object]Type of additional properties:
error_code - string required*
The error code.
Example: PVxxxx
message - string required*
The error message.
Example: The object is not found.

Example
{
  "error_code": "PV1004",
  "message": "The collection is not found.",
  "context": {}
}

A conflict occurs.

application/json

object required*

Additional properties: falseProperties:

context - object required*
The error context.
Example: [object Object]Type of additional properties:
error_code - string required*
The error code.
Example: PVxxxx
message - string required*
The error message.
Example: The object is not found.

Example
{
  "error_code": "PV3218",
  "message": "Concurrent conflicting updates to the same object.",
  "context": {}
}

An error occurs on the server.

application/json

object required*

Additional properties: falseProperties:

context - object required*
The error context.
Example: [object Object]Type of additional properties:
error_code - string required*
The error code.
Example: PVxxxx
message - string required*
The error message.
Example: The object is not found.

Example
{
  "error_code": "PV1000",
  "message": "Something went wrong",
  "context": {}
}

The service is unavailable.

application/json

object required*

Additional properties: falseProperties:

context - object required*
The error context.
Example: [object Object]Type of additional properties:
error_code - string required*
The error code.
Example: PVxxxx
message - string required*
The error message.
Example: The object is not found.

Example
{
  "error_code": "PV1009",
  "message": "The operation timed out on the server.",
  "context": {}
}

Try the API

Authorization

API key:

Navigate to the docs of your local Vault installation to try the API directly from there.

Code examples

Example