From afcb18c23e506127daaeb295362f8063313033dc Mon Sep 17 00:00:00 2001 From: Brian Shumate Date: Tue, 12 Nov 2024 18:53:20 +0000 Subject: [PATCH] backport of commit afdf42b0b6eab06bf270e6b998651e32cbeb3759 --- .../content/docs/commands/operator/rotate.mdx | 36 +++++++++++++++---- 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/website/content/docs/commands/operator/rotate.mdx b/website/content/docs/commands/operator/rotate.mdx index a9de0d0fd489..671b64ffe0dd 100644 --- a/website/content/docs/commands/operator/rotate.mdx +++ b/website/content/docs/commands/operator/rotate.mdx @@ -10,14 +10,18 @@ description: |- # operator rotate -The `operator rotate` rotates the underlying encryption key which is used to -secure data written to the storage backend. This installs a new key in the key -ring. This new key is used to encrypted new data, while older keys in the ring -are used to decrypt older data. +The `operator rotate` command rotates the underlying encryption key, which +secures data written to storage. This installs a new key in the key ring. +This new key encrypts new data, while older keys in the ring decrypt +older data. -This is an online operation and does not cause downtime. This command is run +This is an online operation and does not cause downtime. This command runs per-cluster (not per-server), since Vault servers in HA mode share the same -storage backend. +storage. + +As of **Vault 1.7**, Vault will automatically rotate the encryption key before +reaching 232 encryption operations, in adherence with NIST SP800-32D +guidelines. ## Examples 
@@ -29,6 +33,26 @@ Key Term 3 Install Time 01 May 17 10:30 UTC ``` +View the current automatic rotation policy: + +```shell-session +$ vault read sys/rotate/config +``` + +Configure a time interval for automatic key rotation: + +```shell-session +$ vault write sys/rotate/config interval=2160h +Success! Data written to: sys/rotate/config +``` + +Configure the maximum number of encryption operations per key: + +```shell-session +$ vault write sys/rotate/config max_operations=123456789 +Success! Data written to: sys/rotate/config +``` + ## Usage The following flags are available in addition to the [standard set of
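Review bot: in the new "As of **Vault 1.7**" paragraph of the first hunk, "before reaching 232 encryption operations" reads as two hundred thirty-two; the intended threshold is 2^32 (4,294,967,296), so the line should read `reaching 2^32 encryption operations` (or whatever superscript form this mdx site renders) so the number is not misread. In the same sentence, "NIST SP800-32D" looks like a typo: the document that sets the per-key operation limit for AES-GCM is NIST SP 800-38D, so suggest `in adherence with NIST SP 800-38D guidelines`. It would also help the reader to say in that paragraph that the rotation triggered by this limit is the same operation as a manual `operator rotate`, since that is the claim the surrounding text makes about online rotation.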
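Review bot: in the second hunk, the `vault read sys/rotate/config` example shows no output while the two `vault write` examples each show the `Success! Data written to: sys/rotate/config` line; suggest adding representative output after the read so the reader knows which fields (`interval`, `max_operations`) to expect back. The `interval=2160h` example would be clearer with a short note that this is 90 days, and `max_operations=123456789` reads as a placeholder; either say it is an arbitrary illustrative value below the 2^32 limit from the first hunk, or pick a value that relates to that limit, and mention that both parameters can be passed in a single `vault write sys/rotate/config` call rather than implying they are set separately.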