Skip to content
Kānuka

Rotating Your Keypair

The rotate command generates a new keypair for your user account. This is useful for periodic security rotation or if you suspect your private key may have been compromised.

When to rotate

Section titled “When to rotate”

Consider rotating your keypair when:

  • Periodic security hygiene - Regular key rotation limits exposure
  • Suspected compromise - If your private key may have been accessed
  • Changing machines - When moving to a new computer
  • After a security incident - As part of incident response

Rotating your keypair

Section titled “Rotating your keypair”

To rotate your keypair:

Terminal window
kanuka secrets rotate

This prompts for confirmation before proceeding:

Warning: This will generate a new keypair and replace your current one.
  Your old private key will no longer work for this project.


Do you want to continue? [y/N]: y


Rotating your keypair...
  Generating new keypair...
  Decrypting symmetric key with old private key...
  Re-encrypting symmetric key with new public key...
  Updating public key in project...
  Saving new private key...
Done: Keypair rotated successfully


Your new public key has been added to the project.
Other users do not need to take any action.

What happens during rotation

Section titled “What happens during rotation”
  1. Your current private key decrypts the project’s symmetric key
  2. A new 4096-bit RSA keypair is generated
  3. The symmetric key is re-encrypted with your new public key
  4. Your new public key replaces the old one in the project
  5. Your new private key is saved to your local key store
  6. Your old private key is overwritten

After rotation:

  • You can continue to decrypt secrets with no additional steps
  • Other users are unaffected - they keep their existing keys
  • The project’s symmetric key remains the same

Skipping confirmation

Section titled “Skipping confirmation”

In automated environments, use --force to skip the confirmation prompt:

Terminal window
kanuka secrets rotate --force

Rotate examples

Section titled “Rotate examples”
Terminal window
# Rotate with confirmation prompt
kanuka secrets rotate


# Rotate without confirmation (for automation)
kanuka secrets rotate --force

Using with passphrase-protected keys

Section titled “Using with passphrase-protected keys”

If your current private key is passphrase-protected, Kānuka will prompt for the passphrase to decrypt the symmetric key.

When generating the new keypair, you can optionally protect it with a passphrase as well.

After rotating

Section titled “After rotating”

After rotation:

  1. Commit the changes - Your new public key needs to be shared
  2. Push to remote - So the team has your updated public key
Terminal window
git add .kanuka/public_keys/
git commit -m "Rotate keypair for $(whoami)"
git push

Rotation vs sync

Section titled “Rotation vs sync”
CommandWhat it rotatesWho is affected
rotateYour personal keypairOnly you
syncProject’s symmetric keyAll users

Use rotate for your personal key rotation. Use sync to rotate the project-wide encryption key for everyone.

Next steps

Section titled “Next steps”