Credential rotation overview
Credential rotation is the practice of replacing a privileged password, SSH key, or token on a scheduled or on-demand basis. This article explains how rotation works in VaultPAM and how to configure rotation policies.
For step-by-step instructions to rotate a credential manually right now, see Rotate a credential.
What rotation means
When a credential is rotated, VaultPAM generates a new secret and updates the value stored in the Safe. The old secret is discarded. If the credential is linked to a managed account on a target system, VaultPAM also pushes the new value to that system.
Rotation bounds the exposure window: a compromised credential stays usable only until the next rotation, after which the stolen value no longer authenticates. The bound is the rotation interval, so a long interval still leaves a long window, and rotation does not by itself terminate sessions that were opened with the old value.
Manual vs automatic rotation
| Mode | When it happens | Who triggers it |
|---|---|---|
| Manual | On demand | Operator or Admin from the Safe view |
| Automatic | On a configured schedule | VaultPAM rotation engine |
| Event-triggered | After a session ends or a specific event | Configurable per Safe |
Setting rotation frequency
Rotation frequency is configured per Safe:
- Go to Safes and open the Safe you want to configure.
- Select Settings > Rotation policy.
- Set the rotation interval (daily, weekly, monthly, or custom in days).
- Optionally enable Rotate after session to rotate the credential automatically at the end of each session.
- Save the policy.
Success state: The Safe shows the next scheduled rotation date and time. Rotation events appear in the audit log.
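The following model ties the two mechanisms above together: a per-Safe rotation policy (interval preset or custom days, plus the Rotate after session toggle) and the rotation itself (generate a new secret, push it to the managed account's target system, commit it to the Safe, record an audit event). It is example code added for this article, not VaultPAM's implementation: the names RotationPolicy, ManagedCredential, TargetSystem, rotate, next_rotation, is_overdue and on_session_end are assumptions, and the target system is simulated in memory. One design choice is the example's own rather than documented product behaviour: the new value is pushed and verified against the target before the Safe is updated, so a failed push leaves the Safe holding the credential that still works instead of orphaning the account.

```python
# Illustrative model of scheduled and event-triggered credential rotation.
# Example code for this article, not VaultPAM's implementation. The names
# RotationPolicy, ManagedCredential, TargetSystem, rotate, next_rotation,
# is_overdue and on_session_end are assumed; TargetSystem is an in-memory
# stand-in for a real host.
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Interval presets offered by the Safe's rotation policy; "custom" is any number of days.
INTERVAL_PRESETS = {"daily": 1, "weekly": 7, "monthly": 30}
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_secret(length: int = 32) -> str:
    """Draw the new secret from the OS CSPRNG (never the random module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class RotationPolicy:
    interval_days: int                  # daily=1, weekly=7, monthly=30, or custom
    rotate_after_session: bool = False  # the "Rotate after session" toggle

    @classmethod
    def from_preset(cls, name: str, rotate_after_session: bool = False) -> "RotationPolicy":
        return cls(INTERVAL_PRESETS[name], rotate_after_session)


@dataclass
class ManagedCredential:
    account: str
    secret: str                  # value currently held in the Safe
    last_rotated: datetime
    policy: RotationPolicy
    # (time, event, reason) entries; secret values are never written here.
    audit: list = field(default_factory=list)


class TargetSystem:
    """Constructed stand-in for the managed account's host."""

    def __init__(self, account: str, password: str, fail_push: bool = False):
        self._passwords = {account: password}
        self.fail_push = fail_push  # flip to simulate an unreachable host

    def set_password(self, account: str, new_password: str) -> None:
        if self.fail_push:
            raise ConnectionError(f"push to {account} failed")
        self._passwords[account] = new_password

    def verify(self, account: str, password: str) -> bool:
        return secrets.compare_digest(self._passwords.get(account, ""), password)


def rotate(cred: ManagedCredential, target: TargetSystem, now: datetime,
           reason: str = "scheduled") -> bool:
    """Rotate one credential; returns True on success.

    Ordering is this example's choice: push to the target and confirm the new
    value authenticates before committing it to the Safe. A failed push leaves
    the Safe unchanged, so the credential that still works is not lost. The old
    value is discarded; only the event and its reason reach the audit trail.
    """
    new_secret = generate_secret()
    try:
        target.set_password(cred.account, new_secret)
    except ConnectionError:
        cred.audit.append((now, "rotation_failed", reason))
        return False
    if not target.verify(cred.account, new_secret):
        # Target accepted the change but the value does not authenticate:
        # the account needs operator attention, so do not commit to the Safe.
        cred.audit.append((now, "rotation_unverified", reason))
        return False
    cred.secret = new_secret
    cred.last_rotated = now
    cred.audit.append((now, "rotated", reason))
    return True


def next_rotation(cred: ManagedCredential) -> datetime:
    """Next scheduled rotation, as shown in the Safe after saving the policy."""
    return cred.last_rotated + timedelta(days=cred.policy.interval_days)


def is_overdue(cred: ManagedCredential, now: datetime) -> bool:
    """True when a scheduled rotation has been missed (an audit check)."""
    return now > next_rotation(cred)


def on_session_end(cred: ManagedCredential, target: TargetSystem, now: datetime) -> bool:
    """Event-triggered rotation: fires only when the Safe policy enables it."""
    if not cred.policy.rotate_after_session:
        return False
    return rotate(cred, target, now, reason="session_end")


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cred = ManagedCredential("svc-backup", "initial-pw", t0,
                             RotationPolicy.from_preset("monthly", rotate_after_session=True))
    host = TargetSystem("svc-backup", "initial-pw")
    print("next rotation:", next_rotation(cred).date())
    print("rotated:", rotate(cred, host, t0 + timedelta(days=31)))
    print("audit:", cred.audit)
```

Running the module rotates one constructed credential and prints the audit entries; the rotation_failed path is what an operator should look for in the audit log when the next scheduled date shown in the Safe stops advancing.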
Compliance rationale
Regular rotation of privileged credentials supports the access-control requirements in:
- NIS2 Article 21 -- access control and least-privilege measures
- SOC 2 CC6.1 -- logical access controls
- CIS Control 5 -- account management
A 90-day rotation maximum is a common baseline for privileged accounts. For service accounts with automated checkout, shorter intervals (7-30 days) are recommended.