DOCSP-26098 QE key rotation (#2304)

Author: jmd-mongo

source/core/queryable-encryption/fundamentals/manage-keys.txt

@@ -50,6 +50,44 @@ To learn more about the relationship between keys, see
 
 .. include:: /includes/queryable-encryption/qe-warning-remote-kms.rst
 
+.. _qe-fundamentals-rotate-keys:
+
+Rotate Encryption Keys Using ``mongosh``
+----------------------------------------
+
+You can rotate encryption keys using the 
+:method:`KeyVault.rewrapManyDataKey()` method. The ``rewrapManyDataKey`` 
+method automatically decrypts multiple data keys and re-encrypts them 
+using a specified {+cmk-long+} (CMK). It then updates the rotated keys 
+in the key vault collection. This method allows you to rotate encryption 
+keys based on two optional arguments:
+
+- A :ref:`query filter document <document-query-filter>` used to specify 
+  which keys to rotate. If no data key matches the given filter, no keys 
+  will be rotated. Omit the filter to rotate all keys in your key vault 
+  collection.
+
+- An object that represents a new CMK. Omit this object to rotate
+  the data keys using their current CMKs.
+
+The ``rewrapManyDataKey`` method has the following syntax:
+
+.. code-block:: json
+
+   let keyVault = db.getMongo().getKeyVault()
+
+   keyVault.rewrapManyDataKey(
+      { 
+         "<Your custom filter>" 
+      },
+      {
+         provider: "<KMS provider>",
+         masterKey: {
+            "<dataKeyOpts Key>" : "<dataKeyOpts Value>"
+         }
+      }
+   )
+
 Supported Key Management Services
 ---------------------------------