Enable transit and create a named encryption key: 'vault secrets enable transit' then 'vault write -f transit/keys/mykey'
Encrypt data to produce a versioned ciphertext: 'vault write transit/encrypt/mykey plaintext=$(base64 <<< "my secret data")'
Rotate the key to create a new key version: 'vault write -f transit/keys/mykey/rotate'
Rewrap existing ciphertext with the new key version without ever exposing plaintext: 'vault write transit/rewrap/mykey ciphertext=<VAULT_CIPHERTEXT_TOKEN>'
Update the stored ciphertext in your database with the rewrapped value returned by the rewrap endpoint
Set a minimum decryption version to prevent use of old ciphertext: 'vault write transit/keys/mykey/config min_decryption_version=2'
Known gotchas
The rewrap endpoint requires the operator to have 'update' capability on 'transit/rewrap/<key>' — a common policy omission that causes silent permission errors
Setting min_decryption_version before all ciphertext has been rewrapped will permanently break decryption of un-rewrapped records
Convergent encryption yields identical ciphertext for the same plaintext (and the same context) only within a single key version; after rotation, rewrapped convergent ciphertexts differ from the originals, so anything that relied on matching ciphertexts byte-for-byte (such as equality lookups on the stored value) has to be redone against the rewrapped values
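A pre-flight check that ties the rewrap procedure above to the min_decryption_version gotcha, added here as an example (not code from the original page or from Vault): it reads the key-version prefix transit places on every ciphertext ("vault:v<N>:<base64>"), lists which stored rows still carry an older version, and only approves raising min_decryption_version once none are left. SAMPLE_ROWS and the function names are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Vault transit wraps every ciphertext as "vault:v<key version>:<base64 payload>".
_CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):([A-Za-z0-9+/]+={0,2})$")


def ciphertext_version(ciphertext: str) -> int:
    """Return the key version embedded in a transit ciphertext, or raise ValueError."""
    match = _CIPHERTEXT_RE.match(ciphertext)
    if not match:
        raise ValueError(f"not a transit ciphertext: {ciphertext[:12]!r}")
    return int(match.group(1))


def records_needing_rewrap(records: Dict[str, str], target_version: int) -> List[str]:
    """IDs of rows whose ciphertext predates target_version; these must go
    through transit/rewrap/<key> before min_decryption_version is raised."""
    return sorted(rid for rid, ct in records.items() if ciphertext_version(ct) < target_version)


def safe_min_decryption_version(records: Dict[str, str]) -> int:
    """Highest min_decryption_version that still decrypts every stored row.
    With no rows there is nothing to protect, so version 1 is returned (assumption)."""
    if not records:
        return 1
    return min(ciphertext_version(ct) for ct in records.values())


def check_before_config(records: Dict[str, str], desired_min_version: int) -> Tuple[bool, List[str]]:
    """Gate for 'vault write transit/keys/<key>/config min_decryption_version=N':
    returns (ok, stale_ids); apply the config change only when ok is True."""
    stale = records_needing_rewrap(records, desired_min_version)
    return (not stale, stale)


# Constructed sample rows (not real ciphertext): two rewrapped to v2, one still at v1.
SAMPLE_ROWS = {
    "user-1": "vault:v2:Zm9vYmFyYmF6cXV4",
    "user-2": "vault:v2:YW5vdGhlcnJlY29yZA==",
    "user-3": "vault:v1:c3RpbGxvbGQ=",
}

if __name__ == "__main__":
    ok, stale = check_before_config(SAMPLE_ROWS, 2)
    if ok:
        print("all rows rewrapped; safe to set min_decryption_version=2")
    else:
        print(f"rewrap these before raising min_decryption_version: {stale}")
        print(f"highest safe value right now: {safe_min_decryption_version(SAMPLE_ROWS)}")
```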