Encryption key lifecycle management
Abstract:
In some embodiments, a method may include: enforcing a key rotation policy associated with a current encryption key being used to encrypt and decrypt data stored in an IHS; monitoring a cryptoperiod associated with the current encryption key; in response to a determination that the current encryption key has reached the end of the cryptoperiod, automatically transmitting a request to a key provider for a new encryption key; and in response to the request, automatically: receiving the new encryption key, marking the current encryption key as old, un-encrypting the data using the old encryption key, re-encrypting the data using the new encryption key, and, in response to a determination that all of the data has been re-encrypted with the new encryption key, transmitting a request to the key provider that the old encryption key be discarded, and deleting a local copy of the old encryption key.
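The rotation sequence in the abstract, as an added example that is not code from the patent. `KeyProvider`, `Store`, the integer clock, and the HMAC-SHA256 keystream standing in for a real cipher are assumptions made so the sequence runs offline.

```python
import hashlib, hmac, secrets

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 keystream XOR, no integrity tag.
    # A real deployment would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class KeyProvider:
    """Hypothetical in-memory stand-in for the external key provider."""
    def __init__(self):
        self.keys, self._n = {}, 0
    def new_key(self):
        self._n += 1
        kid = f"key-{self._n}"
        self.keys[kid] = secrets.token_bytes(32)
        return kid, self.keys[kid]
    def discard(self, kid):
        self.keys.pop(kid, None)

class Store:
    """Encrypted records plus the rotation policy (cryptoperiod in clock ticks)."""
    def __init__(self, provider, cryptoperiod):
        self.provider, self.cryptoperiod = provider, cryptoperiod
        self.local_keys, self.records = {}, {}  # records: name -> (key id, nonce, ciphertext)
        self._activate(now=0)
    def _activate(self, now):
        kid, key = self.provider.new_key()      # request and receive a new key
        self.local_keys[kid] = key
        self.current, self.activated = kid, now
    def put(self, name, plaintext):
        nonce = secrets.token_bytes(16)
        key = self.local_keys[self.current]
        self.records[name] = (self.current, nonce, _stream_xor(key, nonce, plaintext))
    def get(self, name):
        kid, nonce, ct = self.records[name]
        return _stream_xor(self.local_keys[kid], nonce, ct)
    def tick(self, now):
        """Monitor the cryptoperiod; rotate once it has ended. True if rotated."""
        if now - self.activated < self.cryptoperiod:
            return False
        old = self.current                      # current key is now marked old
        self._activate(now)
        for name, (kid, nonce, ct) in list(self.records.items()):
            if kid == old:                      # decrypt with old, re-encrypt with new
                self.put(name, _stream_xor(self.local_keys[old], nonce, ct))
        # Discard only after confirming no record still depends on the old key.
        if all(kid != old for kid, _, _ in self.records.values()):
            self.provider.discard(old)
            del self.local_keys[old]
        return True
```

Tagging each record with its key id is what makes the final check possible: the old key is dropped at the provider and locally only when no stored record references it.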