# Key rotation
Security comes in many forms, one of them is how the data is stored securely.
With regulations such as GDPR, data protection has become increasingly important for all organizations, big and small.
By default, Workato encrypts all data at rest. Key rotation automatically rotates encryption keys every hour. New rotated keys are considered active keys used for encrypting the data for storage. Active keys become inactive at the end of the hour from when it was generated. Inactive keys are then only used for decrypting data.
By regularly rotating encryption key used every hour, volume of data that remains unprotected is limited if a key is compromised.
Workato follows industry best practice to store encryption key and encrypted data in separate storage providing greater level of protection against data compromise.
At the end of data retention period, all encrypted data and the key used to encrypt it are destroyed
Key rotation restricts the usage of encryption key to just one hour
# How it works
Example encryption key rotation
- Workato key management generates new encryption key
- For next one hour, the newly generated encryption key
Key1is considered active key and is used to encrypt the data
- At the end of one hour, encryption key is rotated and new
Key2key is generated
Key2is used to encrypt data beginning
Key1becomes inactive and is used only for decrypting data
Key2becomes inactive at
11:00 AMand is used only for decrypting data
- When data retention period ends, the encryption key and the encrypted data is destroyed
- Above process repeats every hour
Do I need to do anything to get key rotation?
The encryption key rotation is completely transparent and automatic for Workato customers.