Agent Key Rotation

Why Key Rotation Matters

Regular key rotation is a critical security practice. It limits the window of exposure if a key is compromised and is often required by compliance frameworks such as SOC 2, ISO 27001, and FedRAMP. Rotating keys periodically ensures that even if an attacker obtains an old key, they cannot use it to impersonate an agent or forge actions.

Steps

  1. Check current keys

    truss agent keys <agent-id>

    This lists the active public key alongside all historical keys and their rotation timestamps.

  2. Generate a new key pair

    Create a new Ed25519 key pair using the Truss SDK or an external tool such as OpenSSL:

    openssl genpkey -algorithm ED25519 -out private.pem
    openssl pkey -in private.pem -pubout -out public.pem

  3. Update the organization's public key

    truss org update --public-key "$(cat public.pem)"

    This replaces the active public key. The old key is retained in the rotation history for verification of previously signed actions.

  4. Verify the new key is active

    truss agent get <agent-id>

    Confirm that the active_key_thumbprint field in the output now corresponds to the public key generated in step 2, not to the previous key.

Rotation History

The truss agent keys command shows the full rotation history, including a timestamp for every key swap. Use it to audit compliance with your organization's key rotation policy and to confirm that rotations happened within the required interval.
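As an added example (not Truss code; the history record layout and the rule that a signature is checked against the key active at the action's timestamp are assumptions), this Go program models the retained-key behaviour described in step 3 and above: rotation appends a key rather than discarding the old one, and a previously signed action is verified against whichever key was active when it was signed, so rotation neither breaks the audit trail nor lets a retired key vouch for later actions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// KeyRecord is one entry of an agent's rotation history (layout assumed here).
type KeyRecord struct {
	Public      ed25519.PublicKey
	ActivatedAt time.Time
}

// History retains every key ever active, oldest first; nothing is ever deleted.
type History struct{ Keys []KeyRecord }

// Rotate makes pub the active key from `at` onward; the previous key is kept.
func (h *History) Rotate(pub ed25519.PublicKey, at time.Time) {
	h.Keys = append(h.Keys, KeyRecord{Public: pub, ActivatedAt: at})
}

// ActiveAt returns the key active at the given instant, or nil before the first rotation.
func (h *History) ActiveAt(at time.Time) ed25519.PublicKey {
	var cur ed25519.PublicKey
	for _, k := range h.Keys {
		if !k.ActivatedAt.After(at) {
			cur = k.Public
		}
	}
	return cur
}

// VerifyAction checks sig against the key active when the action was signed (assumed rule):
// old signatures stay verifiable, but a retired key cannot vouch for a later-dated action.
func (h *History) VerifyAction(action []byte, signedAt time.Time, sig []byte) bool {
	pub := h.ActiveAt(signedAt)
	return pub != nil && ed25519.Verify(pub, action, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	h := &History{}
	h.Rotate(pub, time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC))
	sig := ed25519.Sign(priv, []byte("deploy v1")) // constructed sample action
	fmt.Println(h.VerifyAction([]byte("deploy v1"), time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC), sig))
}
```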