diff --git a/content/en/docs/refguide/runtime/custom-settings/_index.md b/content/en/docs/refguide/runtime/custom-settings/_index.md
index cb453222dfa..16782f2d087 100644
--- a/content/en/docs/refguide/runtime/custom-settings/_index.md
+++ b/content/en/docs/refguide/runtime/custom-settings/_index.md
@@ -197,10 +197,10 @@ For deployments to Mendix Cloud, SAP BTP, and Mendix on Kubernetes, these settin
| com.mendix.storage.s3.BucketName | Name of the bucket where the files are stored on S3. | |
| com.mendix.storage.s3.ResourceNamePrefix | Prefix for the keys under which objects are stored. Separators are not added automatically to keys. For keys like `prefix/key1`, `com.mendix.storage.s3.ResourceNamePrefix` should have value `prefix/`. | |
| com.mendix.storage.s3.ResourceNameSuffix | Suffix for the keys under which objects are stored. This can be used when S3 buckets are divided into different segments for different users with different credentials (for example, store objects as `[key].customer1` for customer1 and as `[key].customer2` for customer2). Separators are not added automatically to keys. For keys like `key1.customer1`, `com.mendix.storage.s3.ResourceNameSuffix` should have value `.customer1`. | |
-| com.mendix.storage.s3.Region | Sets the region in which the S3 bucket is located. This will be used to determine the service endpoint, unless overridden in **com.mendix.storage.s3.EndPoint**. This setting will also be used as the signing region for requests. ||
+| com.mendix.storage.s3.Region | Sets the region in which the S3 bucket is located. This will be used to determine the service endpoint, unless overridden in **com.mendix.storage.s3.EndPoint**. This setting will also be used as the signing region for requests.
In Mendix version 11.6.0 and above, this setting is mandatory. The runtime will not start if this setting is not configured. {{% alert color="warning" %}}Using an incorrect region can lead to the following errors:
`Unable to load region from any of the providers in the chain.`
`The bucket you are attempting to access must be addressed using the specified endpoint.`
`The authorization header is malformed; the region 'us-east-1' is wrong.`{{% /alert %}} | |
| com.mendix.storage.s3.EndPoint | Overrides the default endpoint. This setting is required when the storage is on a non-AWS location (for example, IBM Cloud Object Storage). Both the endpoint (for example, `s3.example.com`) or the full URL (including the protocol) are supported (for example, `https://s3.example.com`). Note that when setting a custom endpoint, path style access will be enabled. For more information, see [Class S3ClientOptions](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/S3ClientOptions.html#withPathStyleAccess(boolean)). | |
-| com.mendix.storage.s3.UseV2Auth | Lets the authentication policy use `Signature Version 2` instead of the default `Signature Version 4`. Set this setting to `true` when the endpoint does not support `Signature Version 4`. | false |
-| com.mendix.storage.s3.EncryptionKeys | List of keys which can be used to encrypt and decrypt data at rest in S3. The right key to decrypt the data with is automatically selected depending on with which key it was encrypted. Each encryption key consists of a key id, the encryption algorithm and the actual key (Base64 encoded). Example: {{< figure src="/attachments/refguide/runtime/custom-settings/code_snippet_2.png" class="no-border" >}} | |
+| com.mendix.storage.s3.UseV2Auth | Lets the authentication policy use `Signature Version 2` instead of the default `Signature Version 4`. Set this setting to `true` when the endpoint does not support `Signature Version 4`.
This setting is not supported in Mendix version 11.6.0 and above. | false |
+| com.mendix.storage.s3.EncryptionKeys | List of keys which can be used to encrypt and decrypt data at rest in S3. The right key to decrypt the data with is automatically selected depending on with which key it was encrypted. Each encryption key consists of a key id, the encryption algorithm and the actual key (Base64 encoded).
In Mendix version 11.6.0 and above, only AES encryption algorithm is supported. See [S3 Encryption Key Update](/refguide/s3-encryption-key-update/) for migration information and how to configure the setting. | |
| com.mendix.storage.s3.ForceGlobalBucketAccessEnabled | The value `true` allows the server to route requests to a different region than specified in these settings (`false` disallows it). | true |
| com.mendix.storage.s3.MaxConnections | Overrides the default maximum connections limit in the S3 service. The default value is enough for most applications, so we do not recommend explicitly setting this to a custom value unless a larger maximum connections limit is absolutely necessary. | [DEFAULT_MAX_CONNECTIONS](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ClientConfiguration.html#DEFAULT_MAX_CONNECTIONS) field of the ClientConfiguration interface in the AWS SDK for Java. |
| com.mendix.storage.s3.ClientExecutionTimeout | Sets the amount of time (in milliseconds) to allow a call to the storage service to complete. A value of `0` means no timeout. For more information, see the [AWS Java SDK](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ClientConfiguration.html#setClientExecutionTimeout-int-). | 0 (no timeout) |
diff --git a/content/en/docs/refguide/runtime/custom-settings/s3-encryption-key-update.md b/content/en/docs/refguide/runtime/custom-settings/s3-encryption-key-update.md
new file mode 100644
index 00000000000..751309d18dd
--- /dev/null
+++ b/content/en/docs/refguide/runtime/custom-settings/s3-encryption-key-update.md
@@ -0,0 +1,69 @@
+---
+title: "Updating Encryption Keys for S3 File Storage"
+url: /refguide/s3-encryption-key-update/
+description: "Describes how to add a new encryption key and re-encrypt all existing files on S3 storage."
+---
+
+## Introduction
+
+Client side encryption for S3 can be enabled by specifying encryption keys with the `com.mendix.storage.s3.EncryptionKeys` setting. This setting allows you to specify multiple keys.
+The last encryption key will be used for encrypting new files. When retrieving a file the correct encryption key will be used from the list of encryption keys.
+
+A sample value for the setting would be:
+
+```json
+[
+ {
+ "keyID": "first",
+ "algorithm": "AES",
+ "key": "IauTCIvTCZ4iy4jm4rzjmYXBLlFgP3hCVKxjXIcBX0Q="
+ },
+ {
+ "keyID": "first",
+ "algorithm": "AES",
+ "key": "Eu9O519OaDgtiSSpNoXM51eDjc0UIHHxBfXukR5Cyqw="
+ }
+]
+```
+
+{{% alert color="warning" %}}
+For deployments to Mendix Cloud, SAP BTP, and Mendix on Kubernetes, these encryption keys are managed for you and cannot be changed.
+{{% /alert %}}
+
+## Implementing Key Rotation
+
+When a new key is added, that key will be used for newly encrypted files but existing files will *not* be automatically re-encrypted. For this you need to implement re-encryption inside your application.
+This can be done by adding a new encryption key and then re-uploading all existing files.
+
+The following is a Java action that demonstrates re-uploading a list of files:
+
+```java
+public class JA_RefreshFileContents extends UserAction
+{
+ …
+ private final java.util.List __files;
+
+ …
+ public java.lang.Void executeAction() throws Exception
+ {
+ // BEGIN USER CODE
+ IContext sc = Core.createSystemContext();
+ sc.startTransaction();
+ __files.stream().forEach(f -> { f.setValue(sc, "Contents", (java.io.InputStream) f.getValue(sc, "Contents")); });
+ sc.endTransaction();
+ Core.commit(sc, __files);
+ return null;
+ // END USER CODE
+ }
+
+ …
+}
+```
+
+This Java action can be repeatedly called from a microflow that reads objects of type `System.FileDocument`' in batches. For example, see the following microflow:
+
+{{< figure src="/attachments/refguide9/runtime/custom-settings/batch-file-update-microflow.png" class="no-border" alt="Microflow which contains a loop which retrieves a list of FileDocument objects and rewrites them to rotate the encryption key." >}}
+
+Here, a list of FileDocument objects is retrieved, for example 100, ordered by the `FileID` attribute, and passed to the `JA_RefreshFileContents` Java action. This is repeated until all the batches of files are processed. The microflow logs and stores the `FileID` attribute of the last processed file in each batch in case the process gets interrupted.
+
+This microflow can be executed in a task queue.
\ No newline at end of file
diff --git a/content/en/docs/refguide10/runtime/custom-settings/_index.md b/content/en/docs/refguide10/runtime/custom-settings/_index.md
index 5074bc878f4..549cfc21a09 100644
--- a/content/en/docs/refguide10/runtime/custom-settings/_index.md
+++ b/content/en/docs/refguide10/runtime/custom-settings/_index.md
@@ -189,10 +189,10 @@ For deployments to Mendix Cloud, SAP BTP, and Mendix on Kubernetes, these settin
| com.mendix.storage.s3.BucketName | Name of the bucket where the files are stored on S3. | |
| com.mendix.storage.s3.ResourceNamePrefix | Prefix for the keys under which objects are stored. Separators are not added automatically to keys. For keys like `prefix/key1`, `com.mendix.storage.s3.ResourceNamePrefix` should have value `prefix/`. This setting is available in Mendix version 10.6 in patch versions 10.6.4 and above, and in Mendix version 10.8.0 and above. | |
| com.mendix.storage.s3.ResourceNameSuffix | Suffix for the keys under which objects are stored. This can be used when S3 buckets are divided into different segments for different users with different credentials (for example, store objects as `[key].customer1` for customer1 and as `[key].customer2` for customer2). Separators are not added automatically to keys. For keys like `key1.customer1`, `com.mendix.storage.s3.ResourceNameSuffix` should have value `.customer1`. | |
-| com.mendix.storage.s3.Region | Sets the region in which the S3 bucket is located. This will be used to determine the service endpoint, unless overridden in **com.mendix.storage.s3.EndPoint**. This setting will also be used as the signing region for requests. ||
+| com.mendix.storage.s3.Region | Sets the region in which the S3 bucket is located. This will be used to determine the service endpoint, unless overridden in **com.mendix.storage.s3.EndPoint**. TThis setting will also be used as the signing region for requests.
In Mendix version 10.24.14 and above, this setting is mandatory. The runtime will not start if this setting is not configured. {{% alert color="warning" %}}Using an incorrect region can lead to the following errors:
`Unable to load region from any of the providers in the chain.`
`The bucket you are attempting to access must be addressed using the specified endpoint.`
`The authorization header is malformed; the region 'us-east-1' is wrong.`{{% /alert %}} | |
| com.mendix.storage.s3.EndPoint | Overrides the default endpoint. This setting is required when the storage is on a non-AWS location (for example, IBM Cloud Object Storage). Both the endpoint (for example, `s3.example.com`) or the full URL (including the protocol) are supported (for example, `https://s3.example.com`). Note that when setting a custom endpoint, path style access will be enabled. For more information, see [Class S3ClientOptions](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/S3ClientOptions.html#withPathStyleAccess(boolean)). | |
-| com.mendix.storage.s3.UseV2Auth | Lets the authentication policy use `Signature Version 2` instead of the default `Signature Version 4`. Set this setting to `true` when the endpoint does not support `Signature Version 4`. | false |
-| com.mendix.storage.s3.EncryptionKeys | List of keys which can be used to encrypt and decrypt data at rest in S3. The right key to decrypt the data with is automatically selected depending on with which key it was encrypted. Each encryption key consists of a key id, the encryption algorithm and the actual key (Base64 encoded). Example: {{< figure src="/attachments/refguide10/runtime/custom-settings/code_snippet_2.png" class="no-border" >}} | |
+| com.mendix.storage.s3.UseV2Auth | Lets the authentication policy use `Signature Version 2` instead of the default `Signature Version 4`. Set this setting to `true` when the endpoint does not support `Signature Version 4`.
This setting is not supported in Mendix version 10.24.14 and above. | false |
+| com.mendix.storage.s3.EncryptionKeys | List of keys which can be used to encrypt and decrypt data at rest in S3. The right key to decrypt the data with is automatically selected depending on with which key it was encrypted. Each encryption key consists of a key id, the encryption algorithm and the actual key (Base64 encoded).
In Mendix version 10.24.14 and above, only AES encryption algorithm is supported. See [S3 Encryption Key Update](/refguide10/s3-encryption-key-update/) for migration information and how to configure the setting. | |
| com.mendix.storage.s3.ForceGlobalBucketAccessEnabled | The value `true` allows the server to route requests to a different region than specified in these settings (`false` disallows it). | true |
| com.mendix.storage.s3.MaxConnections | Overrides the default maximum connections limit in the S3 service. The default value is enough for most applications, so we do not recommend explicitly setting this to a custom value unless a larger maximum connections limit is absolutely necessary. | [DEFAULT_MAX_CONNECTIONS](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ClientConfiguration.html#DEFAULT_MAX_CONNECTIONS) field of the ClientConfiguration interface in the AWS SDK for Java. |
| com.mendix.storage.s3.ClientExecutionTimeout | Sets the amount of time (in milliseconds) to allow a call to the storage service to complete. A value of `0` means no timeout. For more information, see the [AWS Java SDK](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ClientConfiguration.html#setClientExecutionTimeout-int-). | 0 (no timeout) |
diff --git a/content/en/docs/refguide10/runtime/custom-settings/s3-encryption-key-update.md b/content/en/docs/refguide10/runtime/custom-settings/s3-encryption-key-update.md
new file mode 100644
index 00000000000..45a698d4e3e
--- /dev/null
+++ b/content/en/docs/refguide10/runtime/custom-settings/s3-encryption-key-update.md
@@ -0,0 +1,69 @@
+---
+title: "Updating Encryption Keys for S3 File Storage"
+url: /refguide10/s3-encryption-key-update/
+description: "Describes how to add a new encryption key and re-encrypt all existing files on S3 storage."
+---
+
+## Introduction
+
+Client side encryption for S3 can be enabled by specifying encryption keys with the `com.mendix.storage.s3.EncryptionKeys` setting. This setting allows you to specify multiple keys.
+The last encryption key will be used for encrypting new files. When retrieving a file the correct encryption key will be used from the list of encryption keys.
+
+A sample value for the setting would be:
+
+```json
+[
+ {
+ "keyID": "first",
+ "algorithm": "AES",
+ "key": "IauTCIvTCZ4iy4jm4rzjmYXBLlFgP3hCVKxjXIcBX0Q="
+ },
+ {
+ "keyID": "first",
+ "algorithm": "AES",
+ "key": "Eu9O519OaDgtiSSpNoXM51eDjc0UIHHxBfXukR5Cyqw="
+ }
+]
+```
+
+{{% alert color="warning" %}}
+For deployments to Mendix Cloud, SAP BTP, and Mendix on Kubernetes, these encryption keys are managed for you and cannot be changed.
+{{% /alert %}}
+
+## Implementing Key Rotation
+
+When a new key is added, that key will be used for newly encrypted files but existing files will *not* be automatically re-encrypted. For this you need to implement re-encryption inside your application.
+This can be done by adding a new encryption key and then re-uploading all existing files.
+
+The following is a Java action that demonstrates re-uploading a list of files:
+
+```java
+public class JA_RefreshFileContents extends UserAction
+{
+ …
+ private final java.util.List __files;
+
+ …
+ public java.lang.Void executeAction() throws Exception
+ {
+ // BEGIN USER CODE
+ IContext sc = Core.createSystemContext();
+ sc.startTransaction();
+ __files.stream().forEach(f -> { f.setValue(sc, "Contents", (java.io.InputStream) f.getValue(sc, "Contents")); });
+ sc.endTransaction();
+ Core.commit(sc, __files);
+ return null;
+ // END USER CODE
+ }
+
+ …
+}
+```
+
+This Java action can be repeatedly called from a microflow that reads objects of type `System.FileDocument`' in batches. For example, see the following microflow:
+
+{{< figure src="/attachments/refguide9/runtime/custom-settings/batch-file-update-microflow.png" class="no-border" alt="Microflow which contains a loop which retrieves a list of FileDocument objects and rewrites them to rotate the encryption key." >}}
+
+Here, a list of FileDocument objects is retrieved, for example 100, ordered by the `FileID` attribute, and passed to the `JA_RefreshFileContents` Java action. This is repeated until all the batches of files are processed. The microflow logs and stores the `FileID` attribute of the last processed file in each batch in case the process gets interrupted.
+
+This microflow can be executed in a task queue.
\ No newline at end of file
diff --git a/content/en/docs/refguide9/runtime/custom-settings/_index.md b/content/en/docs/refguide9/runtime/custom-settings/_index.md
index eb9d46d3751..9d05f16e678 100644
--- a/content/en/docs/refguide9/runtime/custom-settings/_index.md
+++ b/content/en/docs/refguide9/runtime/custom-settings/_index.md
@@ -154,7 +154,7 @@ Before the data copying process starts, the main database structure will be gene
The settings described below influence the behavior of the Amazon S3 Storage Service module. This module can be used for both Amazon S3 Storage and IBM Cloud Object Storage.
{{% alert color="warning" %}}
-For deployments to Mendix Cloud, SAP BTP, and Mendix on Kubernetes these settings are managed for you and cannot be overwritten.
+For deployments to Mendix Cloud, SAP BTP, and Mendix on Kubernetes, these settings are managed for you and cannot be overwritten.
{{% /alert %}}
| Name | Description | Default Value |
@@ -164,10 +164,10 @@ For deployments to Mendix Cloud, SAP BTP, and Mendix on Kubernetes these setting
| com.mendix.storage.s3.BucketName | Name of the bucket where the files are stored on S3. | |
| com.mendix.storage.s3.ResourceNamePrefix | Prefix for the keys under which objects are stored. Separators are not added automatically to keys. For keys like `prefix/key1`, `com.mendix.storage.s3.ResourceNamePrefix` should have value `prefix/`. This setting is available in Mendix version 9.24.16 and above. | |
| com.mendix.storage.s3.ResourceNameSuffix | Suffix for the keys under which objects are stored. This can be used when S3 buckets are divided into different segments for different users with different credentials (for example, store objects as `[key].customer1` for customer1 and as `[key].customer2` for customer2). Separators are not added automatically to keys. For keys like `key1.customer1`, `com.mendix.storage.s3.ResourceNameSuffix` should have value `.customer1`. | |
-| com.mendix.storage.s3.Region | Sets the region in which the S3 bucket is located. This will be used to determine the service endpoint, unless overridden in **com.mendix.storage.s3.EndPoint**. This setting will also be used as the signing region for requests. ||
+| com.mendix.storage.s3.Region | Sets the region in which the S3 bucket is located. This will be used to determine the service endpoint, unless overridden in **com.mendix.storage.s3.EndPoint**. This setting will also be used as the signing region for requests.
In Mendix version 9.24.41 and above, this setting is mandatory. The runtime will not start if this setting is not configured. {{% alert color="warning" %}}Using an incorrect region can lead to the following errors:
`Unable to load region from any of the providers in the chain.`
`The bucket you are attempting to access must be addressed using the specified endpoint.`
`The authorization header is malformed; the region 'us-east-1' is wrong.`{{% /alert %}} | |
| com.mendix.storage.s3.EndPoint | Overrides the default endpoint. This setting is required when the storage is on a non-AWS location (for example, IBM Cloud Object Storage). Both the endpoint (for example, `s3.example.com`) or the full URL (including the protocol) are supported (for example, `https://s3.example.com`). Note that when setting a custom endpoint, path style access will be enabled. For more information, see [Class S3ClientOptions](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/S3ClientOptions.html#withPathStyleAccess(boolean)). | |
-| com.mendix.storage.s3.UseV2Auth | Lets the authentication policy use `Signature Version 2` instead of the default `Signature Version 4`. Set this setting to `true` when the endpoint does not support `Signature Version 4`. | false |
-| com.mendix.storage.s3.EncryptionKeys | List of keys which can be used to encrypt and decrypt data at rest in S3. The right key to decrypt the data with is automatically selected depending on with which key it was encrypted. Each encryption key consists of a key id, the encryption algorithm and the actual key (Base64 encoded). Example: {{< figure src="/attachments/refguide9/runtime/custom-settings/code_snippet_2.png" class="no-border" >}} | |
+| com.mendix.storage.s3.UseV2Auth | Lets the authentication policy use `Signature Version 2` instead of the default `Signature Version 4`. Set this setting to `true` when the endpoint does not support `Signature Version 4`.
This setting is not supported in Mendix version 9.24.41 and above. | false |
+| com.mendix.storage.s3.EncryptionKeys | List of keys which can be used to encrypt and decrypt data at rest in S3. The right key to decrypt the data with is automatically selected depending on with which key it was encrypted. Each encryption key consists of a key id, the encryption algorithm and the actual key (Base64 encoded).
In Mendix version 9.24.41 and above, only AES encryption algorithm is supported. See [S3 Encryption Key Update](/refguide9/s3-encryption-key-update/) for migration information and how to configure the setting. | |
| com.mendix.storage.s3.ForceGlobalBucketAccessEnabled | The value `true` allows the server to route requests to a different region than specified in these settings (`false` disallows it). | true |
| com.mendix.storage.s3.MaxConnections | Overrides the default maximum connections limit in the S3 service. The default value is enough for most applications, so we do not recommend explicitly setting this to a custom value unless a larger maximum connections limit is absolutely necessary. | [DEFAULT_MAX_CONNECTIONS](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ClientConfiguration.html#DEFAULT_MAX_CONNECTIONS) field of the ClientConfiguration interface in the AWS SDK for Java. |
| com.mendix.storage.s3.ClientExecutionTimeout | Sets the amount of time (in milliseconds) to allow a call to the storage service to complete. A value of `0` means no timeout. For more information, see the [AWS Java SDK](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ClientConfiguration.html#setClientExecutionTimeout-int-). | 0 (no timeout) |
diff --git a/content/en/docs/refguide9/runtime/custom-settings/s3-encryption-key-update.md b/content/en/docs/refguide9/runtime/custom-settings/s3-encryption-key-update.md
new file mode 100644
index 00000000000..c9d78c69aba
--- /dev/null
+++ b/content/en/docs/refguide9/runtime/custom-settings/s3-encryption-key-update.md
@@ -0,0 +1,69 @@
+---
+title: "Updating Encryption Keys for S3 File Storage"
+url: /refguide9/s3-encryption-key-update/
+description: "Describes how to add a new encryption key and re-encrypt all existing files on S3 storage."
+---
+
+## Introduction
+
+Client side encryption for S3 can be enabled by specifying encryption keys with the `com.mendix.storage.s3.EncryptionKeys` setting. This setting allows you to specify multiple keys.
+The last encryption key will be used for encrypting new files. When retrieving a file the correct encryption key will be used from the list of encryption keys.
+
+A sample value for the setting would be:
+
+```json
+[
+ {
+ "keyID": "first",
+ "algorithm": "AES",
+ "key": "IauTCIvTCZ4iy4jm4rzjmYXBLlFgP3hCVKxjXIcBX0Q="
+ },
+ {
+ "keyID": "first",
+ "algorithm": "AES",
+ "key": "Eu9O519OaDgtiSSpNoXM51eDjc0UIHHxBfXukR5Cyqw="
+ }
+]
+```
+
+{{% alert color="warning" %}}
+For deployments to Mendix Cloud, SAP BTP, and Mendix on Kubernetes, these encryption keys are managed for you and cannot be changed.
+{{% /alert %}}
+
+## Implementing Key Rotation
+
+When a new key is added, that key will be used for newly encrypted files but existing files will *not* be automatically re-encrypted. For this you need to implement re-encryption inside your application.
+This can be done by adding a new encryption key and then re-uploading all existing files.
+
+The following is a Java action that demonstrates re-uploading a list of files:
+
+```java
+public class JA_RefreshFileContents extends UserAction
+{
+ …
+ private final java.util.List __files;
+
+ …
+ public java.lang.Void executeAction() throws Exception
+ {
+ // BEGIN USER CODE
+ IContext sc = Core.createSystemContext();
+ sc.startTransaction();
+ __files.stream().forEach(f -> { f.setValue(sc, "Contents", (java.io.InputStream) f.getValue(sc, "Contents")); });
+ sc.endTransaction();
+ Core.commit(sc, __files);
+ return null;
+ // END USER CODE
+ }
+
+ …
+}
+```
+
+This Java action can be repeatedly called from a microflow that reads objects of type `System.FileDocument`' in batches. For example, see the following microflow:
+
+{{< figure src="/attachments/refguide9/runtime/custom-settings/batch-file-update-microflow.png" class="no-border" alt="Microflow which contains a loop which retrieves a list of FileDocument objects and rewrites them to rotate the encryption key." >}}
+
+Here, a list of FileDocument objects is retrieved, for example 100, ordered by the `FileID` attribute, and passed to the `JA_RefreshFileContents` Java action. This is repeated until all the batches of files are processed. The microflow logs and stores the `FileID` attribute of the last processed file in each batch in case the process gets interrupted.
+
+This microflow can be executed in a task queue.
\ No newline at end of file
diff --git a/static/attachments/refguide/runtime/custom-settings/batch-file-update-microflow.png b/static/attachments/refguide/runtime/custom-settings/batch-file-update-microflow.png
new file mode 100644
index 00000000000..6ae6eed9599
Binary files /dev/null and b/static/attachments/refguide/runtime/custom-settings/batch-file-update-microflow.png differ
diff --git a/static/attachments/refguide/runtime/custom-settings/code_snippet_2.png b/static/attachments/refguide/runtime/custom-settings/code_snippet_2.png
deleted file mode 100644
index bf18e4dcf13..00000000000
Binary files a/static/attachments/refguide/runtime/custom-settings/code_snippet_2.png and /dev/null differ
diff --git a/static/attachments/refguide10/runtime/custom-settings/batch-file-update-microflow.png b/static/attachments/refguide10/runtime/custom-settings/batch-file-update-microflow.png
new file mode 100644
index 00000000000..6ae6eed9599
Binary files /dev/null and b/static/attachments/refguide10/runtime/custom-settings/batch-file-update-microflow.png differ
diff --git a/static/attachments/refguide10/runtime/custom-settings/code_snippet_2.png b/static/attachments/refguide10/runtime/custom-settings/code_snippet_2.png
deleted file mode 100644
index bf18e4dcf13..00000000000
Binary files a/static/attachments/refguide10/runtime/custom-settings/code_snippet_2.png and /dev/null differ
diff --git a/static/attachments/refguide9/runtime/custom-settings/batch-file-update-microflow.png b/static/attachments/refguide9/runtime/custom-settings/batch-file-update-microflow.png
new file mode 100644
index 00000000000..6ae6eed9599
Binary files /dev/null and b/static/attachments/refguide9/runtime/custom-settings/batch-file-update-microflow.png differ
diff --git a/static/attachments/refguide9/runtime/custom-settings/code_snippet_2.png b/static/attachments/refguide9/runtime/custom-settings/code_snippet_2.png
deleted file mode 100644
index bf18e4dcf13..00000000000
Binary files a/static/attachments/refguide9/runtime/custom-settings/code_snippet_2.png and /dev/null differ