# ADR-027: No key rotation utility in this package

## Status

Accepted

## Context

Key rotation (decrypt with old key, re-encrypt with current key) is a necessary operation for long-lived encrypted data. The question is whether the storage package provides a rotation utility.

## Decision

Key rotation is an application-level workflow: find all nodes with `keyVersion < currentVersion`, decrypt with old key, encrypt with current key, update node. The storage package provides the building blocks (`encrypt()`, `decrypt()`, `EncryptedDataSchema`), not the rotation workflow. The hub's background sweep pattern is a good reference implementation.

## Consequences

- No rotation utility in this package — application orchestrates the workflow
- `keyVersion` field in `EncryptedData` enables rotation detection
- The building blocks (encrypt, decrypt, schema validation) are provided

## References

- [encrypted-data.md](../encrypted-data.md)
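
The rotation workflow from the Decision section, sketched as an added example; it is not code from this package or from the hub's sweep. The `encrypt()`/`decrypt()` bodies are hypothetical stand-ins that assume AES-256-GCM, and the key ring, node shape (`id`, `data`) and `rotateSweep()` name are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");
// Constructed key ring (version -> AES-256 key); real keys come from a KMS or secret store.
const keyRing = new Map([[1, crypto.randomBytes(32)], [2, crypto.randomBytes(32)]]);
const currentVersion = 2;

// Hypothetical stand-ins for the package's encrypt()/decrypt(); AES-256-GCM is assumed.
function encrypt(plaintext, keyVersion) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const c = crypto.createCipheriv("aes-256-gcm", keyRing.get(keyVersion), iv);
  const ciphertext = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { keyVersion, iv, ciphertext, tag: c.getAuthTag() };
}

function decrypt(data) {
  const key = keyRing.get(data.keyVersion);
  if (!key) throw new Error(`no key for version ${data.keyVersion}`);
  const d = crypto.createDecipheriv("aes-256-gcm", key, data.iv);
  d.setAuthTag(data.tag);
  return Buffer.concat([d.update(data.ciphertext), d.final()]).toString("utf8");
}

// One sweep pass over the nodes. Safe to re-run: rotated nodes are skipped next time.
function rotateSweep(nodes) {
  const report = { rotated: 0, skipped: 0, failed: [] };
  for (const node of nodes) {
    if (node.data.keyVersion >= currentVersion) { report.skipped++; continue; }
    try {
      const plaintext = decrypt(node.data); // throws if the GCM tag does not verify
      const fresh = encrypt(plaintext, currentVersion);
      if (decrypt(fresh) !== plaintext) throw new Error("round-trip mismatch");
      node.data = fresh; // update the node only after the new ciphertext verifies
      report.rotated++;
    } catch {
      report.failed.push(node.id); // old ciphertext stays in place for investigation
    }
  }
  return report;
}

// Constructed sample: two stale nodes (one with a corrupted tag) and one current node.
function demo() {
  const nodes = [
    { id: "n1", data: encrypt("alpha", 1) },
    { id: "n2", data: encrypt("beta", 2) },
    { id: "n3", data: encrypt("gamma", 1) },
  ];
  nodes[2].data.tag = Buffer.alloc(16); // simulate a damaged record
  return { nodes, report: rotateSweep(nodes) };
}
```

The old key version can only be retired once a sweep reports no failures and no node still carries that `keyVersion`.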