Tenant KMS Key Rotation
Rotation creates a new tenant master key version wrapped under your KMS key. New writes immediately use the new version; existing ciphertext stays readable because the retired version remains available for unwrap. A background rewrap job migrates existing data to the new version automatically.What happens during rotation
- A new 32-byte master key is generated and wrapped using your KMS key → new
activeversion - The previous
activeversion is moved toretired - New encrypts (new secrets, new CA key versions, new DB passwords) use the new active version immediately
- Existing ciphertext wrapped by the retired version continues to unwrap successfully
- A background rewrap job is enqueued to re-encrypt all existing tenant data under the new active version
When to rotate
- Suspected compromise of the old master key version
- Scheduled compliance rotation (annual, quarterly — check your policy)
- Post-breach seal/unseal cycle — rotate after any event where you were unsure of KMS security
- KMS key rotation on the cloud provider side — rotate the KnoxCall master key after rotating the underlying KMS key so new wraps use the new KMS key version
How to rotate
Via admin UI
- Go to Settings → Security → Tenant Master Key → Customer KMS
- Click Rotate key
- Confirm the dialog
Via API
Rotation requires a recent step-up verification within a 5-minute window. Complete a fresh step-up (passkey or 2FA) viaPOST /auth/passkey/verify-step-up or POST /auth/2fa/verify-step-up on the same admin session immediately before calling rotate — the gate checks the server-side verification record, so no separate step-up header is sent on the rotate request itself.
rewrap_lease_id is the identifier for the background rewrap job described below. It is null if the rewrap lease failed to issue — the rotation itself still succeeded in that case; contact support to trigger the rewrap manually.
Background rewrap
After rotation completes, KnoxCall immediately enqueues atenant_rewrap background job. This job re-encrypts all existing tenant data under the new active master key version:
- Processes 100 rows per batch (interleaved: 50 from
secret_environment_configs, 50 fromintegration_configs) - Batches run every 5 seconds
- The
target_versionis pinned at job creation time — even if another rotation occurs mid-flight, all rows processed by this job land on the same version (prevents split-version state across a rotation boundary) - Rows already on the target version are skipped and counted as complete
- The lease expires after 7 days — if a persistent KMS error prevents rewrap from completing in that window, contact support
Audit trail
Every rotation is logged in the critical audit chain:
The log entry includes
new_version, wrap_method, rewrap_lease_id, and the IP that triggered it.
Key version lifecycle
Checking key versions
keys array contains all versions:
Sealed state and unseal
What happens if KMS becomes unreachable after rotation
Tenant master key concepts
Version lifecycle and cryptographic erasure background
Tenant KMS API reference
Rotate endpoint reference
Audit Logs
View the rotation audit trail