Encryption key rotation You can perform encryption key rotation from the instance. You can add a new key, change the default key assignment, and then schedule a mass key rotation job. Before setting an encryption key as the default key, make the key available to each proxy. This ensures that the proxies have the key to encrypt data when the key is assigned as the default key. All proxies must have access to a key before it can be assigned as the default key. Note: Before removing a key from the proxy, ensure that no data on the instance uses the key. You can do this by setting up and running a mass key rotation job.