A security auditor requires that all encryption keys used to protect customer data must be periodically rotated according to company policy. The company uses Vault's Transit secrets engine. What is the recommended approach to rotate the encryption key?
Use the key's `rotate` endpoint (for example `vault write -f transit/keys/<name>/rotate`). This creates a new key version; encryption moves to the new version, and old ciphertexts remain decryptable with the previous versions.
Why this answer
Option B is correct because the Vault Transit secrets engine provides a dedicated `rotate` endpoint that creates a new encryption key version while keeping the previous versions available for decryption of existing ciphertext. This allows the key to be rotated without re-encrypting all data at once, and the new (latest) key version is used by default for subsequent encryption operations. The `-f` (`-force`) flag only tells `vault write` to send the request with no key=value data; it is not a confirmation bypass, since the CLI does not prompt for this call. Two related settings complete the picture for a periodic-rotation policy: `auto_rotate_period` on the key (Vault 1.10 and later) lets Vault rotate on a schedule without an operator running the command, and `min_decryption_version` in the key's config can be raised after existing data has been rewrapped so that retired versions can no longer decrypt anything.
Exam trap
HashiCorp often tests the misconception that 'rewrapping' is the same as 'rotating.' Rewrapping takes existing ciphertext and re-encrypts it under the latest key version, inside Vault and without ever returning the plaintext, but it does not create a new key version. Rotation creates the new version and is the first step in the key lifecycle; rewrap is the optional follow-up that migrates stored data onto that version.
How to eliminate wrong answers
Option A is wrong because Vault's `rewrap` endpoint re-encrypts ciphertext under the latest key version but does not rotate the key itself; rotation is a separate operation that creates a new key version, and rewrap has nothing new to move data onto until that has happened. Option C is wrong because deleting the existing key would render all previously encrypted data permanently undecryptable, violating availability requirements; Vault guards against exactly this by refusing to delete a Transit key unless `deletion_allowed=true` has been set in its config. Option D is wrong because generating a new key with a different name and updating application configuration is an operational workaround that adds complexity, forces a coordinated cutover in every client, and does not use Vault's built-in key versioning, which is the recommended approach for seamless rotation.
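The full lifecycle described above (rotate, rewrap what is still on older versions, then retire those versions) as a script, added here as an example and not taken from the original page or from HashiCorp's own material. It assumes the Transit engine is mounted at `transit/`, that `VAULT_ADDR`/`VAULT_TOKEN` point at a server whose token is allowed to rotate, rewrap and update the key config, and that the key name `customer-data` and the file `ciphertexts.txt` (one stored ciphertext per line) stand in for your real datastore; all of those names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Rotate a Transit key, rewrap
# ciphertexts still on older versions, then retire those versions.
# Assumptions: Transit mounted at "transit/", key "customer-data",
# ciphertexts listed one per line in ciphertexts.txt (constructed input).
set -euo pipefail

MOUNT=${TRANSIT_MOUNT:-transit}

# Transit ciphertext has the form "vault:v<N>:<base64>". Extract N so callers
# can tell which key version a stored blob was encrypted under. Pure shell,
# so it works offline; anything else is rejected.
ciphertext_version() {
  local ct=$1
  case "$ct" in
    vault:v[0-9]*:*) ct=${ct#vault:v}; printf '%s\n' "${ct%%:*}" ;;
    *) echo "not a Transit ciphertext: $ct" >&2; return 1 ;;
  esac
}

# Create a new key version and print the resulting latest_version.
# "-f" only lets `vault write` send the request with no key=value data;
# it does not bypass any confirmation. Encryption now uses the new version
# by default; older versions stay usable for decryption until retired.
rotate_key() {
  vault write -f "$MOUNT/keys/$1/rotate" >/dev/null
  vault read -field=latest_version "$MOUNT/keys/$1"
}

# Re-encrypt one blob under the latest version. The plaintext never leaves
# Vault; the new ciphertext is printed so the caller can persist it.
rewrap_one() {
  vault write -field=ciphertext "$MOUNT/rewrap/$1" ciphertext="$2"
}

# Once every stored blob is on the new version, raise the floor so that a
# leaked old ciphertext can no longer be decrypted through this key.
retire_versions_below() {
  vault write "$MOUNT/keys/$1/config" min_decryption_version="$2" >/dev/null
}

# The live procedure only runs when a Vault CLI and server are configured,
# so the helper above can be exercised on its own.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  key=customer-data
  latest=$(rotate_key "$key")
  echo "rotated $key; latest version is $latest"
  while IFS= read -r ct; do
    [ -n "$ct" ] || continue
    if [ "$(ciphertext_version "$ct")" -lt "$latest" ]; then
      rewrap_one "$key" "$ct"     # write the printed value back to your store
    fi
  done < ciphertexts.txt
  retire_versions_below "$key" "$latest"
fi
```

The order matters: retiring versions before every blob has been rewrapped is the same outage as deleting the key, just scoped to the blobs you missed, so the `min_decryption_version` step belongs at the end and only after the rewrap pass has been verified.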