Rotating an Encryption Key

Rotate the encryption key for your environment secrets with the Hyphen CLI


Hyphen helps you prevent downtime

When you rotate your encryption key, old versions of your secrets can still be fetched and decrypted! This allows you to change your keys and not have to rush to change every application at once.

When you have given the new key to your applications, developers can delete the old version and you're good to go.

Rotating encryption keys is a critical security practice that helps safeguard your sensitive data over time. Here are key reasons why you should rotate your encryption keys:

  1. Mitigate Potential Threats: Over time, encryption keys can become more vulnerable, either through inadvertent exposure or prolonged use. Regular key rotation reduces the risk of keys being compromised.
  2. Compliance Requirements: Many security standards, such as PCI-DSS and GDPR, require regular key rotation to maintain data protection and reduce vulnerabilities.
  3. Limit the Scope of Data Exposure: In case an encryption key is ever compromised, rotating the key ensures that past data remains secure by limiting the time a single key is in use.
  4. Strengthen Security Hygiene: Regularly rotating encryption keys is part of a healthy security practice that ensures your organization stays proactive in safeguarding its secrets.
  5. Respond to Security Events: If there is ever a suspected breach or leak of an encryption key, rotating the key immediately helps neutralize the risk and prevent unauthorized access to your secrets.

Hyphen allows you to rotate your encryption keys with minimal effort while ensuring your secrets remain secure. Here’s how to rotate an encryption key for your project.

Prerequisites

  • You have installed the Hyphen CLI (see the installation guide).
  • You have signed in to your Hyphen account via the CLI with the hx auth command.
  • You have access to an existing project in your Hyphen organization that contains the app secrets.

Rotate your encryption keys with the Hyphen CLI

Navigate to the directory where your app’s source code is located.

Run this command:

hx env rotate-key [flag]

This will rotate the encryption key and update all environments within your app.

Flags and Options

  • --force: Use this flag to force overwrite locally modified environment files that haven’t been pushed yet. Without this, the CLI may warn you about unpushed changes before proceeding.
  • -e, --environment: Specify the environment ID (e.g., pevr_12345) if you need to rotate keys for a specific environment.
  • -p, --project: Provide the project ID (e.g., proj_123) to rotate the key for a specific project.
  • -v, --verbose: Enables verbose output to get more detailed information during the operation.
  • -y, --yes: Automatically answer “yes” for prompts, allowing the key rotation process to proceed without manual confirmations.
  • -n, --no: Automatically answer “no” for prompts if you want to cancel actions when asked.

Example

hyphen env rotate-key

This will do the following:

  1. Pull the latest
  2. Generate a new encryption key (always done client side)
  3. Update your .hxkey files
  4. Push new versions of your environments encrypted with the new key.

What happens next?

Share the new .hxkey with your team and update all your services and applications to use the new key. Once everyone has the new key, simply delete the old versions of your secrets.