
opencenter secrets keys rotate

Rotate SOPS files or cluster encryption keys

Synopsis

Rotate SOPS files or cluster encryption keys.

Without --cluster, --type, or --complete, this command rotates the local Age key and re-encrypts SOPS files under --path.

With --cluster, it rotates a cluster encryption key. Use --type age or --type ssh to choose the key type, and add --complete to finish a dual-key rotation by removing the old key.

If any step fails, the old key is restored automatically.

opencenter secrets keys rotate [flags]

Options

      --cluster string    cluster name or organization/cluster for cluster key rotation
      --complete          complete dual-key cluster rotation by removing the old key
      --dry-run           Show what would be done without making changes
  -h, --help              help for rotate
      --key-file string   Path to Age key file (default: ~/.config/sops/age/keys.txt)
      --path string       Path to search for SOPS files to re-encrypt (default ".")
      --type string       cluster key type to rotate: age or ssh
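A local rotation is only finished once no SOPS file under --path still encrypts to the old Age key. The following is an added example, not code from the opencenter project: it previews with --dry-run, rotates, then searches the SOPS metadata for the old recipient. The function names are hypothetical, and it assumes the key file keeps the "# public key:" comment that age-keygen writes, stays at the same path, and that a local rotation removes the old recipient from every file.

```shell
#!/usr/bin/env bash
# Added example: dry-run, rotate, then verify that the old Age key is gone.
# Usage after sourcing this file: rotate_and_verify ./secrets

# Print the public key recorded in an Age key file. Assumes the file keeps
# the "# public key: age1..." comment line that age-keygen writes.
age_pubkey() {
    sed -n 's/^# public key: \(age1[0-9a-z]*\)$/\1/p' "$1" | head -n 1
}

# List files under ROOT whose SOPS metadata (YAML or JSON) still names OLD
# as an age recipient. Returns 0 when none are left, 1 when any were printed.
stale_recipients() {
    local old="$1" root="${2:-.}" hits
    hits=$(grep -rlE "recipient\"?: *\"?${old}([^0-9a-z]|\$)" "$root" 2>/dev/null) || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Hypothetical wrapper around the documented flags: preview, rotate, verify.
rotate_and_verify() {
    local path="${1:-.}" keyfile="${2:-$HOME/.config/sops/age/keys.txt}" old
    # Capture the current public key before the rotation replaces it.
    old=$(age_pubkey "$keyfile")
    [ -n "$old" ] || { echo "no public key comment in $keyfile" >&2; return 2; }
    opencenter secrets keys rotate --dry-run --path "$path" --key-file "$keyfile" || return
    opencenter secrets keys rotate --path "$path" --key-file "$keyfile" || return
    if ! stale_recipients "$old" "$path"; then
        echo "files listed above still encrypt to the old key $old" >&2
        return 1
    fi
}
```

Re-encrypting files does not remove earlier ciphertext from version-control history, so a secret that was readable with a compromised old key still has to be changed at its source.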

SEE ALSO

  • opencenter secrets keys (opencenter_secrets_keys.md) - Manage SOPS encryption keys

Auto generated by spf13/cobra on 28-Apr-2026