Rotate data keys for SOPS-encrypted files.

This command generates a new data encryption key and re-encrypts all values
in the target file(s). This is the same behavior as the native 'sops rotate'
command, extended with batch directory support.

When the target is a file, only that file is rotated. When the target is a
folder, all SOPS-encrypted YAML and JSON files in the folder are rotated.
Use --recursive to include subdirectories.

Optionally, master key recipients can be added or removed during rotation:
  --add-key      adds a new master key recipient
  --remove-key   removes an existing master key recipient

By default, the command shows which files will be affected and prompts for
confirmation. Use --force to skip the confirmation prompt. In non-interactive
environments (no TTY), the prompt is automatically skipped.
Key type is auto-detected from the key format:
# Rotate all encrypted files in a folder (with confirmation)
ksail cipher rotate ./k8s
# Rotate without confirmation prompt
ksail cipher rotate ./k8s --force
# Rotate recursively through subdirectories
ksail cipher rotate ./k8s --recursive
# Rotate a single file
ksail cipher rotate secrets.yaml
# Add a new age recipient during rotation
ksail cipher rotate ./k8s --add-key age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Remove an old age recipient during rotation
ksail cipher rotate ./k8s --remove-key age1oldkey...
# Replace a recipient (add new, remove old)
ksail cipher rotate ./k8s --add-key age1newkey... --remove-key age1oldkey...
ksail cipher rotate <file/folder> [flags]
      --add-key string      public key to add as a master key recipient
  -f, --force               skip confirmation prompt and rotate immediately
  -r, --recursive           scan subdirectories when target is a folder
      --remove-key string   public key to remove from master key recipients
      --benchmark           Show per-activity benchmark output
      --config string       Path to config file (default: ksail.yaml found via directory traversal)
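
A post-rotation check, added here as an example (not part of ksail or SOPS): it snapshots the age recipients and encrypted MAC recorded in each SOPS file before and after `ksail cipher rotate`, then reports files that were not re-encrypted, still list the removed recipient, or lack the added one. The regex-based metadata scan, the `.yml` suffix, the function names and the sample files in `demo()` are assumptions constructed for illustration.

```python
import re, tempfile
from pathlib import Path

# Textual scan of SOPS metadata; matches both the YAML and JSON layouts (assumption).
RECIPIENT = re.compile(r'\brecipient"?\s*:\s*"?(age1[0-9a-z]+)')
MAC = re.compile(r'\bmac"?\s*:\s*"?(ENC\[[^\]]+\])')

def snapshot(target, recursive=False):
    """Map each SOPS-encrypted YAML/JSON file to (age recipients, encrypted MAC)."""
    target = Path(target)
    paths = [target] if target.is_file() else target.glob("**/*" if recursive else "*")
    snap = {}
    for p in paths:
        if p.is_file() and p.suffix in {".yaml", ".yml", ".json"}:
            text = p.read_text(errors="replace")
            mac = MAC.search(text)
            if mac:  # no encrypted MAC means the file is not SOPS-encrypted
                snap[p] = (set(RECIPIENT.findall(text)), mac.group(1))
    return snap

def audit(before, after, added=None, removed=None):
    """Compare snapshots taken before and after rotation; return findings."""
    findings = []
    for path, (recipients, mac) in sorted(after.items()):
        if before.get(path, (None, None))[1] == mac:
            findings.append((path.name, "not re-encrypted"))
        if removed and removed in recipients:
            findings.append((path.name, "removed recipient still listed"))
        if added and added not in recipients:
            findings.append((path.name, "added recipient missing"))
    return findings

def demo():
    """Constructed sample: a.yaml is rotated correctly, sub/b.json is missed."""
    old, new = "age1" + "q" * 58, "age1" + "z" * 58  # constructed placeholder recipients
    tmpl = 'pw: ENC[x]\nsops:\n  age:\n    - recipient: {r}\n  mac: ENC[{m}]\n'
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sub").mkdir()
        (root / "a.yaml").write_text(tmpl.format(r=old, m="mac1"))
        (root / "sub" / "b.json").write_text(
            '{"sops": {"age": [{"recipient": "%s"}], "mac": "ENC[mac2]"}}' % old)
        (root / "plain.yaml").write_text("kind: ConfigMap\n")  # not encrypted, ignored
        before = snapshot(root, recursive=True)
        (root / "a.yaml").write_text(tmpl.format(r=new, m="mac3"))  # simulated rotation
        return audit(before, snapshot(root, recursive=True), added=new, removed=old)

if __name__ == "__main__":
    print(demo())
```

Rotation only changes the files as they exist now: copies encrypted before the recipient was removed (for example in Git history) remain decryptable with the removed key, so the secret values themselves should also be replaced.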