Make data key rotation with -r a separate mode

This patch changes the behavior of `-r` to make it behave like the encrypt, decrypt or editing mode: it is now a full roundtrip over an existing encrypted file that decrypts, creates a new data key, encrypts and encrypts the data key with all master keys. This new mode makes it a lot easier to rotate data keys without having to edit files.
2026-02-05 12:45:21 +01:00 · 2015-11-24 19:51:35 -05:00
parent a065ebbac4
commit 9a388912f9
4 changed files with 72 additions and 58 deletions
--- a/2
+++ b/2
@@ -79,6 +79,8 @@ functional-tests-once:
 		python sops/__init__.py -e -p "1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A" /tmp/testdata.$$type > /tmp/testdataenc.$$type; \
 		echo "Testing $$type re-decryption" && \
 		python sops/__init__.py -d /tmp/testdataenc.$$type > /dev/null || exit 1; \
+		echo "Testing removing PGP key to $$type encrypted file" && \
+		python sops/__init__.py -r --rm-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 /tmp/testdataenc.$$type || exit 1; \
 	done

 pypi: tests functional-tests
--- a/README.rst
+++ b/README.rst
@@ -171,11 +171,11 @@ syntax as the `--kms` and `--pgp` arguments when creating new files.

 .. code:: bash

-	# add a new pgp key to the file while editing
-	$ sops --add-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 example.yaml
+	# add a new pgp key to the file and rotate the data key
+	$ sops -r --add-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 example.yaml

-	# remove a pgp key from the file while editing
-	$ sops --rm-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 example.yaml
+	# remove a pgp key from the file and rotate the data key
+	$ sops -r --rm-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 example.yaml

 Alternatively, invoking `sops` with the flag **-s** will display the master keys
 while editing. This method can be used to add or remove kms or pgp keys under the
@@ -202,6 +202,10 @@ When the file is saved, `sops` will update its metadata and encrypt the data key
 with the freshly added master keys. The removed entries are simply deleted from
 the file.

+When removing keys, it is recommended to rotate the data key using `-r`,
+otherwise owners of the removed key may have add access to the data key in the
+past.
+
 Assuming roles and using KMS in various AWS accounts
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

@@ -262,15 +266,13 @@ Key Rotation
 ~~~~~~~~~~~~

 It is recommended to renew the data key on a regular basis. `sops` supports key
-rotation via the `-r` flag. A simple approach is to decrypt and reencrypt all
-files in place with rotation enabled:
+rotation via the `-r` flag. Invoking it on an existing file causes sops to
+reencrypt the file with a new data key, which is then encrypted with the various
+KMS and PGP master keys defined in the file.

 .. code:: bash

-	for file in $(find . -type f -name "*.yaml"); do
-		sops -d -i $file
-		sops -e -i -r $file
-	done
+	sops -r example.yaml

 Examples
 --------
--- a/example.yaml
+++ b/example.yaml
@@ -1,71 +1,71 @@
 # The secrets below are unreadable without access to one of the sops master key
-myapp1: ENC[AES256_GCM,data:Lu8R0GhsXNZghMz2nQhMY+g4cIez,iv:F93qChfY13N0AYf1Lea9g7TeJ7JUSwK/asHkrYqCYHU=,tag:FlDZqR21nmiyuRFJQsp16g==,type:str]
+myapp1: ENC[AES256_GCM,data:QsGJGjvQOpoVCIlrYTcOQEfQzriw,iv:ShmgdRNV6UrOJ22Rgr7habB74Nd/YFxU4lDh6jy6n+8=,tag:8GT6U8lzrI27DcFc1+icgQ==,type:str]
 app2:
    db:
-        user: ENC[AES256_GCM,data:7QZ4,iv:W+zTDj2CwBjpAmAFZAjQ2RDDLhq0Tk/3rEcZbdgB2No=,tag:6psopjJ1G/o2lzcGeuWbFw==,type:str]
-        password: ENC[AES256_GCM,data:1kWyBaqP3w==,iv:7AiNASKexyCy0nyqnm4XmIZCUeQTTUl3tdadw08gZsw=,tag:lCF41WwaaMiDWy8o4sknUw==,type:str]
+        user: ENC[AES256_GCM,data:Arbb,iv:7bjm4ZaVFlxNk3O4M1P67TqfFtXTOHOe5x9rjF6/R9o=,tag:d4+O8BUj+02qaeJorev2ww==,type:str]
+        password: ENC[AES256_GCM,data:9/jSxNCq0A==,iv:5mk+GS016hKGj6gVfQDMSyuuPy7/SVHLsqQXK3p1nds=,tag:AtK4nPFoSOOgdw6IZmiZmw==,type:str]
    # private key for secret operations in app2
    key: |-
-        ENC[AES256_GCM,data:RtzGDC+P01XyIZhD6xwpUEicxuO+7q31UbmKyVy318NHUOQqkgkZHoe9CQasF0uJmaFpO5W7Jx+bnBPaQ5uSOqjaSV10ShU4YiMraf7+cTZiX0pXpKfqpp0WMPiD04rNg1BC+HxKsd0KWO7kK24ghDg6zQPAg0rPUbnHk2SoRAkyUjX5ac+FsFyPULxHjdyWe+otHrJPC5pza/STYN/S3EU1gJRa1RcLBkzw6Jsb+P06T55whIZsRt/DSpcqURs7Er6sQS+Wn6yN6nglvcSKGDh4Sg3TkS283w9lUpVvmzTso9M01bW+cB9O/p4OxgK8q8reOZGSwIrj3Vhns5OzXaKeeHzeFIBCFmyYv1sCN5NNhETBBU/8zxQItbKinp8Xa3PZb8QfMQo2OuBNme8Hf/bPvB34WnXMAHGjMzXvFp5v1/ep/K5V2tgNWpWN2QQT7B06ETFM7SCIJZVgoS8/vYrPY36+1TKfJtua70g0Im6yOgplpEXlBRjvxp/6gmjY5gxCyGnPYVe6UXWvUFfuVivgASogUriwRXdaTt2XBQPAHGwfe1uYVEqqpRc5AKuK90UGCcbKiJlknXGbGR9jpktQj1fCcwpAlclPo7CH0QTiYteJfKKK6xZlxPrdACA1S4NTLpkd4w03rTlPLAK7W9g=,iv:IboZbpgTJXBGBv//zB6p+KWjPCucfMyBfbS8AaNxwxM=,tag:KstjLUAjPdw7/yM1PgS7lQ==,type:str]
-number: ENC[AES256_GCM,data:jEgbjfL7+SCTSosGPQ==,iv:spC5b7q41H5zv8YLjgQJzpep4s2/K31CrG9M9ejOYT0=,tag:UQAh66JSlYHxFsaAJWM8MQ==,type:float]
+        ENC[AES256_GCM,data:UFSoBpaS7n5nipCTZeIA9HCsW619k0FO2/xKqu7eU4cMOHHrvk5fCbEAdXpz9HLiDTtXuRgA2ZdMSfD9X/mqHC3x0BNoFUtdpy7ZdPHUKiMgZEcI9lqUxEIREa9RU6thjTp0x5owxvyv4I9KqtSWFIJOhxwR1tjEGe0W+ErdXCXoI8D8/cVWDnMIFSjER1ks3dcgsldaaaV5ahUK/EmP/RqZhf1f0VEgd1+dZKO2fAjLX5kLEYDn2hkAfJZWfKzcpcFFWijeS/AYtyRnAV5eAv0R8k8vTm7w5kOMix4bJgqZ8HnouJ1sxl0H13TktLjshDftpybVfKRZ9ynOOit8nj6PRIOICdc/+gPSg7JLjEP57Q4EKctUeljFAjcyfan9mJljznXUeAJodO2lJup5QaNTXDTAC9KsRn1g2F05TUAxoEJGkli4zPK1EtuO4YwoajNCIW+s/3cjS+1me3gofHu4X6fkW3OxofboFTamO5BFQWd/A6e/DMipz5jcFqTGs8T108uPAabomoshDCpZGGYism2FrzpQHChkQHtv2387JP8/9fQI6GaHalrtXD3rg9W9T80+u3Z2HhkVdyusa/yWXnEanJi8G7uWq+9DpR3svub+Rf8EZYVQHBejjyP9Zl6fkytWbWDDtA4JlIdPnkU=,iv:oLuu8Xnv0AGS02t/eFRsZ+WHB/enNPDErlIxb4tAVh8=,tag:u9d4iOnDOENzWmm7hdg7Sg==,type:str]
+number: ENC[AES256_GCM,data:KIpKMuwET3zDczZQ+w==,iv:ocf+UunCIQAbZsZzeDmT4BljsSb7F6ybQ26D9AViR2k=,tag:tUmZy0ZPCyKgwasePeZelw==,type:float]
 an_array:
- ENC[AES256_GCM,data:rWwz6kkyFwYLO+I=,iv:wmx12WrPQlvPkM47AdjkJ6lqu5EDQILy+gWEySS5+L0=,tag:HLOb5MlYHt7D7vz6YUe2IQ==,type:str]
- ENC[AES256_GCM,data:BGylHf7DWr5GdFI=,iv:hjeunPNNIXUEMTRNOQZqToJ07uEEeCkwNjF2qXiQq/8=,tag:ldq/VuEYPdoQOKD/jQvLbA==,type:str]
- ENC[AES256_GCM,data:ZF4QnOTjJIcK18fsBT3dQ7bz4wHi3pu7Z43YSOn+i+yvRlEHl4jooeRbnfHkl+9sTVQcBtUUtGPBbw==,iv:hIOfO68FLrX1BKlGEmCRP6WAII43eSuxb+tyECr8jjc=,tag:gqYothutne6ao10Dqq0K8A==,type:str]
- ENC[AES256_GCM,data:dyM1KSNFG4M1llxe1q859Q==,iv:9LkBElhS+xOEtS0nFlTCRU0uVMTwhMpG+gxX6OsFdL8=,tag:R5f+uaPJiH49EJdBD/wM6w==,type:str]
+- ENC[AES256_GCM,data:An4qJsfBO1bVAZo=,iv:swgh9CSBihQf4JnLLKVFsT2TPyKok6MY0Uet//nAK1k=,tag:4mrt6IKFWjuEIbm6gylo7Q==,type:str]
+- ENC[AES256_GCM,data:xakhro9jY0kNqpc=,iv:hucFzENuWLRK15IK3mbBELE8+eZWoSfgW724Gi7yWCU=,tag:YSFJcTFLRTJCCb6h3TLb2Q==,type:str]
+- ENC[AES256_GCM,data:aGXaMsUIQBAMqutjqZPtU2hzwInryp7zao33Vt7JPY20S8eNFplGfyugRHlWbLTPQ5RHjYoPrQAyUQ==,iv:J4srvF83nPbkXKu674gINReMJasUppW4osTi/HWTGXs=,tag:g2pUXrfP5ZjA/0oYJ4yViA==,type:str]
+- ENC[AES256_GCM,data:nLmw6dwybYVA65FXDbgD8Q==,iv:E047Yxv3tlwKIDrg2rm0Yng3DIdmqOPKlukcyLSsqO0=,tag:oCtYybAn4SnlpVAdwKOLnQ==,type:str]
 somebooleans:
- ENC[AES256_GCM,data:8dRL+w==,iv:UeD05OGraBU42aaG3DVwGUBycWSKLmSSuOP5sfRe6t8=,tag:XfJ4E7bb0AOr6LpLFRC3dg==,type:bool]
- ENC[AES256_GCM,data:d0Cpo+Q=,iv:BG+aIgUfHwdVRxvv+Nh1PQPnErQWVeDmlGiWparFLts=,tag:9Nne/LYstnqFFGLEh8XD6w==,type:bool]
+- ENC[AES256_GCM,data:LZkyvg==,iv:a9QepfteG4ZWipwWEnb3JRDztHCWNNxdbfC6L2op0dM=,tag:CY1rv9Nntbz2pMMz/A9OvQ==,type:bool]
+- ENC[AES256_GCM,data:+BODbI4=,iv:+mWt88WI1hZcRL+L4XI9qprTaDzU0XlK5CpGJnQ09go=,tag:2UULI8UhgeyiVyzeNRrOTg==,type:bool]
 this:
    is:
        a:
            nested:
-                value: ENC[AES256_GCM,data:TzfuYK7BOwJlmlxydTmtPKlfIvSxoaIMiqrt,iv:q+YKcwFOImx8VX4Ti1ECjBWLz32gtkxzBDq12uOsmvk=,tag:GXz+BkXKbblwfEc/dZLgzg==,type:str]
+                value: ENC[AES256_GCM,data:96iQFcKdmKcocHCnOm7MR78W7uFZPGoZWRyH,iv:AQ3HwSFXhP3Mx4PoLvsyb9fwsYRaQZsV3NRH5dGhrXw=,tag:l6KHQfmm/QbnmPdLvCfocQ==,type:str]
 sops:
-    mac: ENC[AES256_GCM,data:svdUk+7ahpTaWBUdXqgEy5+K6uMm210Jrm3fPvsx2VaCiONv5QIDQbUipRFOpGKubKfhJk9XPcr+4MaE6oUxW8snxkN0p1BMAqpZhQ31xdwila318TckJltgPQQfAl59CNsLf1EgweBTWhvZL5sWGOEMXfMAHuHWzN4v1CmAU3w=,iv:vyFzhy4LwFQ6pNJulze9BBt9sfIfLwhhmlrIAroO+JE=,tag:AihY+oO3J7mon003SHYrfQ==,type:str]
+    mac: ENC[AES256_GCM,data:Rss45wMkMNDFkKj+N5fYw2OCDFAcmF9OPS/0X+FPTUiz/BOwEqFf+158MND4Q8CgYfmaU4wE7KLi1EwLev51+ajhlBA7rmUWsW6/j/we6pDIlO95Lfe/lTkBqiWmM5enIvwFn9zIey6OEkv2Ugi2W9abt3gbMSOxOwTt5oGDnGw=,iv:kpPWC+LdLj/uC+L+0mBqAEYkRcZEvBchdJaActU7DBs=,tag:X1FdKXT3rQugCOswl0eMyg==,type:str]
    version: 1.0
    kms:
-    -   created_at: '2015-10-25T12:52:27Z'
-        enc: CiC6yCOtzsnFhkfdIslYZ0bAf//gYLYCmIu87B3sy/5yYxKnAQEBAgB4usgjrc7JxYZH3SLJWGdGwH//4GC2ApiLvOwd7Mv+cmMAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAykG26ZbESEOy9KtoQCARCAO4cK6asAUiZBDmIgWk98BTvxUkvUmXYF2dxkP+Pr6F+r2oO7jhyB/FqyV5WAHCmdljs6DzBvB0FSKgdL
+    -   created_at: '2015-11-25T00:32:57Z'
+        enc: CiC6yCOtzsnFhkfdIslYZ0bAf//gYLYCmIu87B3sy/5yYxKnAQEBAgB4usgjrc7JxYZH3SLJWGdGwH//4GC2ApiLvOwd7Mv+cmMAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAyzrMwHaX8rsBh/iNACARCAO/eeScqy8gZpfvDoHilBD+cw+1n6iFsTQmEQJro4QY8p+LUXSLFsnUge8xcADZrIGBup9BBJbdR+qyot
        arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e
-    -   created_at: '2015-10-25T12:52:27Z'
-        enc: CiBdfsKZbRNf/Li8Tf2SjeSdP76DineB1sbPjV0TV+meTxKnAQEBAgB4XX7CmW0TX/y4vE39ko3knT++g4p3gdbGz41dE1fpnk8AAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAyCYH1/pZUBOw+MIuwCARCAOxndAiSkud0QizKFYXWI1u0/EJO5+QB5vU6L++f8O8fxPl49Jt3vryWwUJHpL8qQ/J+SqJ4d27A2OV4+
+    -   created_at: '2015-11-25T00:32:57Z'
+        enc: CiBdfsKZbRNf/Li8Tf2SjeSdP76DineB1sbPjV0TV+meTxKnAQEBAgB4XX7CmW0TX/y4vE39ko3knT++g4p3gdbGz41dE1fpnk8AAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzonxxlGDduanr16MwCARCAO70FBqnx7K2xaY8++gATYtsLgJfq5aW8lRWK515g5fEDpn/+PbrGSY9YxsFul024+fIev+8r3AKDX7K3
        arn: arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d
    pgp:
    -   fp: 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A
-        created_at: '2015-10-25T12:52:27Z'
+        created_at: '2015-11-25T00:32:57Z'
        enc: |
            -----BEGIN PGP MESSAGE-----
            Version: GnuPG v1

-            hIwDEEVDpnzXnMABA/9tz5qIUwbl6KRJNkP2wTzj7cvIb/7esm3AN85nr6Dli5t0
-            bzzq2OF6WGuyzBGJVLFwaizSFVVgLcxeNnMMgJWH5llt4kp8gJxcBfLgYVvlYm+g
-            Wguqmj0Ecx2/XbpqReEM4c68uFvQqEsKURRanFOnweb03IJfem05xPE+jwmvCtJe
-            AZLwWIpuP6qDY1DzEFZ07A0bmixal3c7OAIQSxM5hw4KAJJAilKbLEVqF5OjBn/D
-            7qDIh9PqfdGnEAfREfbJFL0zH9xQxEPZ1l1DSNN9ZnHMv+UmiGAX9gCN2OjX0g==
-            =YXAh
+            hIwDEEVDpnzXnMABBACBf7lGw8B0sLbfup1Ye51FNpY6iF/4SPTdjeV4OB3uDwIJ
+            FRa6z7VR+FrtWyyNYRNB2Wm5eegnEEWwui6hFw7tvlhkN8C5hWQ0B47oYMTstZDR
+            TR3Eu7y70u3YLoQKZgDnPb6hQplGIoYVd/EMpDgKmKnmz5oCiIkEI68T3aXo5tJc
+            AZhplIlk9eSMHIW9CmGkNp5HtZlQWzVSdGdcQcIUBG4F+Vf40max9u0Jkk1Se1do
+            BJ+D4Kl5dZXBj3njvo4YdZ+FGoYPfMlX1GCw0W4caUu6tD8RjuzJA+fYo2Q=
+            =Cnu4
            -----END PGP MESSAGE-----
    -   fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21
-        created_at: '2015-11-24T14:19:08Z'
+        created_at: '2015-11-25T00:32:57Z'
        enc: |
            -----BEGIN PGP MESSAGE-----
            Version: GnuPG v1

-            hQIMA0t4uZHfl9qgAQ/+LGpXd7Vn5RYK52Kpp1FPqUHiu3Yt1XylFSXT4BzHSxa9
-            PR4sz83rDkeRwfitFf4ll1MB7zhCiekTUvBWUkdSZHLj9o+XX/7E3OvZ+B7HFG90
-            +MLb7h2Cp8KRgEHBppxtbkNOmzgbDZ0s9vqxm+JU3IJzqmq1Roc2P4FVYtUgQxlY
-            spYxWzhizLxO/TJlERA8YV921vbKHhIP4I4KoWUk8gYR31b1kakrRcKI8/SDmbe8
-            6TlaPIZDxuSzY+toaesClJSkv7pMCByzyVgXbdgtHMReU8y4MSEjvhBcxrsZ3X8m
-            awJpw45DuZl+xhPGgFik/ERHewxMnoRUjmxHgfWLVkR8uP+FHXjbMiIAk0wMekGC
-            UbzbpESh5zLa2zlCgPshgYnEJobua0BrC+x3pVV8RFRrkKJXL1NuZ1gX4oFHePuV
-            O9UiVrsi5wpL2+jkAKqs/buDeOH4piWFoD03NAXX1SbHOHg6W/ji5C5Hen1WloXN
-            +NRffmmujiPFM2FzZWKiWDZgP+VopA3IHFUYv/TeepZUa3ldsaYh8tr1UAZswvG2
-            lG5HGs7yMw1IPATWfpxhe0f2vzSKGc13Y+y0YEWqd6FH6ixo97XOMvVmRvl550o/
-            iDN8v5xHUG7tKTNAB5aU7IFldUjwUcCqky7e4twNRJkcid6oXWBpBcgbcJLPvVnS
-            XgHYdVzf3Rvb+Jb5UlNs33wH5j1EHp7MVEIs1Gp8fySlW8m7Ui6lagPfyqb0n3nD
-            OujQzMRAaTP2iWEAQICXW1gnnDDyg2o5+WnnVVzX+YVYxCTLq66wnvB2M/yAcuM=
-            =ulPs
+            hQIMA0t4uZHfl9qgAQ/8Da1b/hWg6wv8ZoieIv/AlTp2Qa45dmP0yUO38vu3yn+8
+            pl5YobTljaSW9EJ0rpR70/9QW7/EveJ81XpjEI4OFUb5c8OF/gz2IEW8B7Gwbi1B
+            joeqU/H/u2PYTnAfB4dP8g99sd0s8o6RQNQDHimlczh9/QTcVYogHBeaNnpfavpm
+            128b0zkG0wH3BRYKwRIhk/506H4XFSOqSkN8x1p9UrN481O9vNP2XnCiTBLAWzHY
+            6En8WUrHh0jLMAQ3MaYZCa+x3Dp+rfobqQA/4tvqA3Ai1duNfWNMk6p43kq8xErC
+            yIX0Kb0RKz3Sy7HxP2LvF1HfKWMkZ9wsleJAhJ+ChvCTsKL2PTYoRPtLVbCXi/Cn
+            Y52aeMM9KbauXMq179Kb36HHhCGE0Ad1nBBcLxJ+TY6B98jt+YthmPe8GUMDyXKl
+            fimpQ1qES2CE1YHnryfr/rlSl81VVOMisKW1jEBmqpMNw1Y3YMjBEWfsouQuX0rV
+            ywb7G2vHC/OLV4gsgaPgHUDU3Mp4cYoel0YuffHaXFlkDiqU+T96l0T485QR+BCf
+            F9YR3ZDYoHryWIqQYtz910KmPWUXX/h54ro7/8Rngt4DoB9dJ2PG6apa+VZqW9/5
+            4yEvv+CREkFjzjjGRqy1GOxVmombSETo+XQiQS4pj37JwmtgscaEW9hbKDU8twzS
+            XAGgfDxo0DklfEKFkccH8G40SS9bD1ilNVoOU513lZF8X21ZDm+fP5MyOU45pRYT
+            H6JUTisfwKa2t319jR0cfy81dMxUjwTAdNBOiE0nj+Iz0i3ekBIl/wmtVWpJ
+            =dWBE
            -----END PGP MESSAGE-----
-    lastmodified: '2015-11-24T14:19:08Z'
+    lastmodified: '2015-11-25T00:32:57Z'
    attention: This section contains key material that should only be modified with
        extra care. See `sops -h`.
--- a/sops/init.py
+++ b/sops/init.py
@@ -114,14 +114,14 @@ def main():
    argparser.add_argument('-e', '--encrypt', action='store_true',
                           dest='encrypt',
                           help="encrypt <file> and print it to stdout")
+    argparser.add_argument('-r', '--rotate', action='store_true',
+                           dest='rotate',
+                           help="generate a new data encryption key and "
+                                "reencrypt all values with the new key")
    argparser.add_argument('-i', '--in-place', action='store_true',
                           dest='in_place',
                           help="write output back to <file> instead "
                                "of stdout for encrypt/decrypt")
-    argparser.add_argument('-r', '--rotate', action='store_true',
-                           dest='rotate',
-                           help="generate a new data encryption key and "
-                                "encrypt all values with the new key")
    argparser.add_argument('--extract', dest='tree_path',
                           help="extract a specific key or branch from the "
                                "input JSON or YAML document. (decrypt mode "
@@ -200,10 +200,6 @@ def main():
        else:
            print("%s doesn't exist, creating it." % args.file)

-    if args.rotate:
-        # if rotate is set, force a data key generation even if one exists
-        need_key = True
-
    if args.encrypt:
        # Encrypt mode: encrypt, display and exit
        key, tree = get_key(tree, need_key)
@@ -230,6 +226,20 @@ def main():
        write_file(tree, path=dest, filetype=otype)
        sys.exit(0)

+    if args.rotate:
+        # Rotate mode: generate new data keys and reencrypt the file
+        key, tree = get_key(tree)
+        tree = walk_and_decrypt(tree, key, ignoreMac=args.ignore_mac)
+        key, tree = get_key(tree, True)
+        tree = walk_and_encrypt(tree, key)
+        tree = add_new_master_keys(tree, args.add_kms, args.add_pgp)
+        tree = remove_master_keys(tree, args.rm_kms, args.rm_pgp)
+        tree = update_master_keys(tree, key)
+        path = write_file(tree, path=args.file, filetype=otype)
+        print("Data key rotated and file written to %s" % (path),
+              file=sys.stderr)
+        sys.exit(0)
+
    # EDIT Mode: decrypt, edit, encrypt and save
    key, tree = get_key(tree, need_key)