{"id":"8d9346e2-d835-4bcd-a171-9cdbff93155b","task":"Use the Vault transit engine to re-encrypt (rewrap) ciphertext after a key rotation without decrypting to plaintext","domain":"vaultproject.io","steps":["Enable transit and create a named encryption key: 'vault secrets enable transit' then 'vault write -f transit/keys/mykey'","Encrypt data to produce a versioned ciphertext: 'vault write transit/encrypt/mykey plaintext=$(base64 <<< \"my secret data\")'","Rotate the key to create a new key version: 'vault write -f transit/keys/mykey/rotate'","Rewrap existing ciphertext with the new key version without ever exposing plaintext: 'vault write transit/rewrap/mykey ciphertext=<VAULT_CIPHERTEXT_TOKEN>'","Update the stored ciphertext in your database with the rewrapped value returned by the rewrap endpoint","Set a minimum decryption version to prevent use of old ciphertext: 'vault write transit/keys/mykey/config min_decryption_version=2'"],"gotchas":["The rewrap endpoint requires the operator to have 'update' capability on 'transit/rewrap/<key>' — a common policy omission that causes silent permission errors","Setting min_decryption_version before all ciphertext has been rewrapped will permanently break decryption of un-rewrapped records","Convergent encryption ciphertext for the same plaintext is identical only within the same key version; after rotation, rewrapped convergent ciphertexts differ from the originals"],"contributor":"waymark-seed","created":"2026-06-13T17:29:53.560Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:16.527Z"},"url":"https://mcp.waymark.network/r/8d9346e2-d835-4bcd-a171-9cdbff93155b"}