How to rotate the encryption key?

Some sensitive information is stored in an encrypted manner in the database using an encryption key that is stored outside of the database. This helps secure the information in case there is ever a database breach. Since version 2.5.0 all secrets are encrypted, without any custom configuration from the admin.

In case the host server is breached, or if secrets need to be re-encrypted for another reason, rotating the encryption key is an option.

(1) How do I rotate an encryption key if I never set one?

If you never set one, your host machine derived the encryption from the JWT_SECRET environment variable. 
You can rotate it by setting the ENCRYPTION_KEY environment variable and restarting the service. It will automatically upgrade all the encrypted secrets to the new key. 

(2) I previously set an encryption key. How do I rotate to a new one?

If your host server already uses an ENCRYPTION_KEY, move the current one to the ENCRYPTION_KEY_OLD environment variable. After doing so, create a new ENCRYPTION_KEY and restart the service. It will automatically upgrade all the encrypted secrets to the new key.