PHI encryption key rotation (legacy `PHI_ENCRYPTION_KEY`)

Outcome

The legacy PHI_ENCRYPTION_KEY environment variable used for AES-256 field-level encryption of SSN data is rotated; existing rows are re-encrypted; services pick up the new key.

Newer tenants use per-tenant DEKs, not the env var. See PHI encryption at rest for the per-tenant rotation path. This chapter covers only the legacy env-key surface that still applies to member.ssn_encrypted.

Prerequisites

PLATFORM_ADMIN and access to the env var configuration.
A maintenance window — re-encryption requires a brief read-pause for member SSNs.
openssl and psql access.

Rotation procedure

Generate the new key and store it in your secret manager immediately:
```
openssl rand -base64 32
```

Re-encrypt existing data with old key, then new key, in a maintenance window:

UPDATE member.member
SET ssn_encrypted = pgp_sym_encrypt(
  pgp_sym_decrypt(ssn_encrypted, '<OLD_KEY>'),
  '<NEW_KEY>'
)
WHERE ssn_encrypted IS NOT NULL;

Update PHI_ENCRYPTION_KEY in environment configuration.
Restart all services that access member data (Member Service, Eligibility Service).

Verify by decrypting a test record:

SELECT pgp_sym_decrypt(ssn_encrypted, '<NEW_KEY>') AS ssn
  FROM member.member
 WHERE ssn_hash IS NOT NULL
 LIMIT 1;

Validation

Check	Expected
New key generated and stored	Yes
Re-encryption query succeeds for all rows	`UPDATE … OK`
Service restart	Pods come up green
Test decrypt with new key	Returns plaintext SSN

Troubleshooting

Symptom	Cause	Fix
Re-encrypt query fails partway	One row's encryption broken	Find via `WHERE pgp_sym_decrypt(ssn_encrypted, '<OLD>') IS NULL`; investigate before retrying.
Service won't start after restart	Env var not set / typo'd	Roll back env config; restart with old key.
Test decrypt returns gibberish	Wrong key, or row was missed by re-encryption	Decrypt with old key to confirm; retry the migration query for that row.

Note on roadmap

This env-keyed approach is legacy. The replacement per-tenant DEK rotation is the go-forward model. A follow-up will migrate member.ssn_encrypted itself to per-tenant DEKs; until then this chapter remains the canonical SSN rotation path.

Cross-references

PHI encryption at rest + per-tenant DEKs for the per-tenant model.
Audit log viewer for post-rotation access audit.

8.2 — RBAC matrix editor

Outcome​

Prerequisites​

Rotation procedure​

Validation​

Troubleshooting​

Note on roadmap​

Cross-references​

Next​