Key rotation.
Good hygiene for any long-lived key. Rotation is the practice of periodically generating a fresh keypair, publishing the new public key, and retiring the old one — so a future compromise has a bounded blast radius.
Key rotation is the controlled replacement of an existing keypair with a new one, followed by migrating recipients and signers to the new public key and retiring the old.
What it is
You generate a new identity, publish its public key, ask correspondents to start encrypting to it, and stop using the old key for new files. Old files stay readable with the old identity until you re-encrypt or retire them.
Why it matters
Rotation limits exposure. If a key is ever compromised, only data tied to that key during its active window is at risk. It also lets you upgrade from older key types or move a key into hardware over time.
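The bookkeeping behind "What it is" and "Why it matters", as an added example that is not AgePony's code. It is a small inventory model that reports which files a single key exposes, which files were encrypted to a key after it was retired, and when an old identity can be destroyed. Key labels, file names, dates and all function names are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional

@dataclass(frozen=True)
class Key:
    key_id: str                        # constructed label, not a real public key
    active_from: date
    retired_on: Optional[date] = None  # None: still used for new files

@dataclass(frozen=True)
class FileRecord:
    name: str
    encrypted_on: date
    key_id: str                        # key the file is currently encrypted to

def blast_radius(key_id: str, files: List[FileRecord]) -> List[str]:
    """Files readable by whoever holds this key's private half."""
    return sorted(f.name for f in files if f.key_id == key_id)

def late_use(keys: List[Key], files: List[FileRecord]) -> List[str]:
    """Files encrypted to a key after its retirement: a sender has not migrated."""
    retired = {k.key_id: k.retired_on for k in keys if k.retired_on}
    return sorted(f.name for f in files
                  if f.key_id in retired and f.encrypted_on > retired[f.key_id])

def reencrypt(files: List[FileRecord], old_id: str, new_id: str,
              today: date) -> List[FileRecord]:
    """Record that every file under old_id was re-encrypted to new_id today."""
    return [replace(f, key_id=new_id, encrypted_on=today) if f.key_id == old_id
            else f for f in files]

def can_destroy(key_id: str, keys: List[Key], files: List[FileRecord]) -> bool:
    """An old identity can go only once retired and no file still needs it."""
    key = next(k for k in keys if k.key_id == key_id)
    return key.retired_on is not None and not blast_radius(key_id, files)

# Constructed sample inventory: one retired key, one current key.
KEYS = [Key("key-2023", date(2023, 1, 10), retired_on=date(2024, 1, 10)),
        Key("key-2024", date(2024, 1, 10))]
FILES = [FileRecord("taxes.age", date(2023, 4, 2), "key-2023"),
         FileRecord("notes.age", date(2024, 2, 1), "key-2023"),  # sent after retirement
         FileRecord("backup.age", date(2024, 3, 5), "key-2024")]

if __name__ == "__main__":
    print("exposed by key-2023:", blast_radius("key-2023", FILES))
    print("encrypted after retirement:", late_use(KEYS, FILES))
    print("destroy key-2023 now?", can_destroy("key-2023", KEYS, FILES))
```

Re-encrypting only changes which key the stored copy depends on; copies of the old ciphertext that already left your control remain readable with the old key.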
Common questions.
How often should I rotate?
There is no fixed rule; rotate on a schedule that fits your risk, and immediately after any suspected exposure.
Do old files break?
No — keep the old identity to decrypt them, then re-encrypt to the new key if you want.