Introduction
Rotate disk encryption keys on managed devices without disabling or re-enabling encryption. Use this action to meet key rotation compliance requirements, respond to potential key exposure, or enforce regular key refresh policies across your environment.
Rotate Disk Encryption Key
From the automation pipeline in edit mode, click + Add action and select Rotate disk encryption key from the Security category. The action panel opens with two sections: Action type (pre-set to Rotate disk encryption key) and Step configuration.
Disk Drive
PLATFORM NOTE:
Windows: Both options are available. Any drive rotates keys on all BitLocker-protected drives; System drive only targets the boot/OS drive.
macOS: Always treated as System drive only, regardless of which option is selected. Uses FileVault.
Linux: Not supported. This action is not implemented on Linux.
The Disk drive dropdown controls which drives Level rotates the encryption key on.
| Option | Behavior |
| --- | --- |
| Any drive | Rotates keys on all encrypted drives on the device. Windows only. |
| System drive only | Rotates the key on the OS drive only. Applies to both Windows and macOS. |
NOTE: Key rotation doesn't decrypt or re-encrypt the drive's data. It generates a new recovery key and invalidates the old one. Level stores the updated key automatically; retrieve it from the Disk widget on the device's Overview tab.
Conditions
The Conditions section lets you restrict when this action runs based on device attributes or the outcome of a previous action. Expand the section to add conditions.
See Action Conditions for the full reference on condition types, operators, and values.
Additional Options
Expand Additional options for execution settings including action name, failure behavior, output variables, and retries.
See Actions Overview for the full reference on additional options available on every action.
FAQ
Does this action work on Linux? No. Disk encryption is not implemented for Linux. If your automation targets a mixed-OS group, only Windows and macOS devices will execute this step.
What encryption does this rotate keys for on each platform? BitLocker on Windows and FileVault on macOS.
Why is "Any drive" labeled Windows only? macOS always targets the system drive only, regardless of which option is selected. The Any drive option has no additional effect on macOS.
What happens if the device doesn't have encryption enabled? The action will fail. Encryption must be active before a key can be rotated. Use Action Conditions to check encryption status first, or pair this action after an Enable Disk Encryption step in your automation.
Does key rotation interrupt the end user or require a reboot? No, no reboot is required for either platform. On Windows, Level manages key protectors via Add-BitLockerKeyProtector and Remove-BitLockerKeyProtector, metadata operations on the volume that don't affect the encryption state or require a restart. On macOS, Level calls filevault.ChangeRecovery to rotate the personal recovery key, which is also a background operation with no user interaction or reboot required.
Where does the new recovery key get stored after rotation? Level stores it automatically; you don't need to escrow it manually. To retrieve it, open the device in Level and look at the Disk widget on the Device Overview tab. Encrypted partitions show a lock icon and a View encryption keys link. The keys panel has two tabs: Active (the current key with creation date) and History (previous keys and when they were archived). See Device Overview for details.
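As an added illustration of the Windows mechanism described above (example code, not Level's own implementation), the following PowerShell script rotates the BitLocker recovery password protector the same add-then-remove way, honours the Any drive / System drive only choice, and refuses to invalidate the old protector unless the new one has been escrowed. The $Scope parameter and the use of Backup-BitLockerKeyProtector to escrow into Active Directory are assumptions for illustration; Level escrows the key to its own backend instead.

```powershell
<#
  Added example, not Level's own implementation: rotate the BitLocker recovery
  password on encrypted volumes by adding a new protector, escrowing it, and
  only then removing the old one. -Scope mirrors the Any drive / System drive
  only choice. Escrow via Backup-BitLockerKeyProtector (AD DS) is an assumption
  for illustration; Level escrows the key to its own backend instead.
  Run elevated on Windows.
#>
param(
    [ValidateSet('AnyDrive', 'SystemDriveOnly')]
    [string]$Scope = 'SystemDriveOnly'
)

$volumes = Get-BitLockerVolume
if ($Scope -eq 'SystemDriveOnly') {
    $volumes = $volumes | Where-Object { $_.MountPoint -eq $env:SystemDrive }
}

foreach ($vol in $volumes) {
    # Rotation needs active encryption: report and skip unprotected volumes
    # instead of failing the whole run.
    if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
        Write-Warning "$($vol.MountPoint): encryption not active ($($vol.VolumeStatus)), cannot rotate"
        continue
    }

    $old = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # 1. Add the new recovery password first so the volume always has one.
    $after = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
    $new = $after.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $old.KeyProtectorId -notcontains $_.KeyProtectorId }

    # 2. Escrow the new key. If escrow fails, keep the old protector: a device
    #    whose only recovery key is unrecorded is worse than an unrotated one.
    try {
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop
    } catch {
        Write-Error "$($vol.MountPoint): escrow failed ($_); leaving old recovery key in place"
        Remove-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
        continue
    }

    # 3. Invalidate the old recovery passwords. This edits volume metadata only;
    #    no data is decrypted or re-encrypted and no reboot is needed.
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Write-Output "$($vol.MountPoint): rotated recovery key, new protector $($new.KeyProtectorId)"
}
```

The order matters: the new protector is created and escrowed before the old one is removed, so a volume is never left with a recovery key nobody holds. The macOS counterpart of this swap is the built-in fdesetup changerecovery -personal command, which issues a new personal recovery key and invalidates the previous one in place, again without touching the encrypted data.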
What happens if the device is offline when the action runs? The action queues and resumes once the device comes back online.
Who can add or modify this action in an automation? Technicians with permission to edit automations in the relevant group. See Workspace → Permissions for access control configuration.