Even before a built-in rotate function ships, publishing an official list of database tables/columns encrypted with the CC Encryption key would help a lot. Many of us already use DecryptPassword / EncryptPassword via the Local API for automation. With a documented column list, we could safely build our own rotation scripts without guessing which fields to touch or risking a partial migration.