Rotating age.key

When: Encrypted secrets may have been exposed.

Impact: All encrypted secrets become undecryptable. You’ll need to re-enter them.

Steps

Stop Holden:
Terminal window
```
docker stop holden
```
Delete the old key:
Terminal window
```
rm /data/age.key
```
Restart Holden (generates new keypair):
Terminal window
```
docker start holden
```
Re-encrypt each secret (from the app’s directory):
Terminal window
```
holden vars set --secret API_KEY "new-value"
```
Commit updated holden.vars.yml files to your repos.