# Rotate Encryption Keys

![](/files/bV66cgZUHAhsDBXbIqYV)

## How to Rotate CS:Govern Encryption Keys

This article applies to CS:Govern installations that use the built-in encryption key generation and management system. The built-in system uses what is native to the respective database (for example, PostgreSQL uses AES256 keys and pgcrypto), and it is what most installations use. This article also applies to installations that have opted to manage their own keys.

When encryption keys are rotated:

* New encryption keys are computed and stored in CS:Govern as the current keys.
* Future encryption will be performed with the new keys.
* Previously encrypted records will continue to use their original keys until a database update/insert forces them to use the new keys.

The key rotation operation is simple:

* Select the Tools => Rotate Encryption Keys option from the application menu bar in the top left of the application GUI.
* Click on the *Rotate Encryption Keys* button.

Once done, the new encryption keys are installed in the default CS:Govern key store and will be used for future protection.
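
The rotation behaviour described above (new keys become current, existing records keep their original key until rewritten) can be reproduced in plain PostgreSQL with pgcrypto. This is an added example, not CS:Govern's own code or schema: the `demo_keys` and `demo_records` tables, their columns, and the use of `pgp_sym_encrypt` with `cipher-algo=aes256` are assumptions made for illustration.

```sql
-- Added illustration; table and column names are hypothetical, not CS:Govern's schema.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE demo_keys (
    key_id     serial PRIMARY KEY,
    secret     text NOT NULL,              -- demo only: keeps key material beside the data
    is_current boolean NOT NULL DEFAULT false
);
CREATE TABLE demo_records (
    id      serial PRIMARY KEY,
    key_id  int NOT NULL REFERENCES demo_keys,  -- which key protects this row
    payload bytea NOT NULL
);

-- Initial key, and a record written under it.
INSERT INTO demo_keys (secret, is_current)
VALUES (encode(gen_random_bytes(32), 'hex'), true);
INSERT INTO demo_records (key_id, payload)
SELECT key_id, pgp_sym_encrypt('record A', secret, 'cipher-algo=aes256')
FROM demo_keys WHERE is_current;

-- Rotation: a new key becomes current; the old key is retained, not deleted.
UPDATE demo_keys SET is_current = false;
INSERT INTO demo_keys (secret, is_current)
VALUES (encode(gen_random_bytes(32), 'hex'), true);

-- Future encryption uses the new key.
INSERT INTO demo_records (key_id, payload)
SELECT key_id, pgp_sym_encrypt('record B', secret, 'cipher-algo=aes256')
FROM demo_keys WHERE is_current;

-- Record A is still under key 1 and still needs key 1 to decrypt.
SELECT r.id, r.key_id, pgp_sym_decrypt(r.payload, k.secret) AS plain
FROM demo_records r JOIN demo_keys k USING (key_id);

-- An update re-encrypts the row under the current key.
UPDATE demo_records r
SET key_id  = k.key_id,
    payload = pgp_sym_encrypt('record A (edited)', k.secret, 'cipher-algo=aes256')
FROM demo_keys k
WHERE k.is_current AND r.id = 1;

-- Audit: how many rows still depend on each key.
SELECT key_id, count(*) FROM demo_records GROUP BY key_id ORDER BY key_id;
```

In this model, a key that the final audit query still lists cannot be retired, because rows encrypted before the rotation remain readable only with it.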

![](/files/XN5jSuu7QgYhQKrLKXuZ)

![](/files/zFJtGGVBT78aKB7jo4qz)

