Changing the encryption keys (master keys) in Replicate and QEM once they are functional makes them unusable.
For Replicate, a user has to go in and change every single credential in the Replicate instance
QEM documentation does not mention the process to ensure QEM is operational after changing the master key.
As per PCI DSS best practices we need to rotate the encryption keys frequently. Not able to do that automatically poses a security risk for Replicate and QEM use.
I would like to propose and enhancement to support rotation of encryption keys automatically in Replicate and QEM.