diff --git a/Makefile b/Makefile
index cab9f8079..154fb7a8e 100644
--- a/Makefile
+++ b/Makefile
@@ -14,6 +14,8 @@ hosts := $($(cluster)-cluster)
 ifeq ($(hosts),)
 $(error bad cluster: $(cluster))
 else
+.ONESHELL:
+
 .PHONY: deploy $(addprefix deploy-,$(hosts))
 deploy:
 	exec parallel \
@@ -23,4 +25,24 @@ deploy:
 		--tagstring '{u}' \
 		--line-buffer \
 		$(MAKE) deploy-{} ::: $(hosts)
+
+.PHONY: rotate-consul-encrypt
+rotate-consul-encrypt:
+	umask 0377
+	mkencrypt() { dd status=none if=/dev/random bs=1 count=16 | base64; }
+	json=$$(printf '{"encrypt":"%s"}\n' $$(mkencrypt))
+	cmd='
+		f=secrets/{}/rsync/etc/consul/encrypt.json
+		rm -f "$$f"
+		echo "$$json" > "$$f"
+	'
+	export json
+	exec parallel \
+		-j 0 \
+		--no-notice \
+		--rpl '{u} s/^.* deploy-(.*)/\1/' \
+		--tagstring '{u}' \
+		--line-buffer \
+		--quote \
+		sh -eufc "$$cmd" ::: $(hosts)
 endif