diff --git a/content/operate/_index.md b/content/operate/_index.md
index 00e10da784..3ced42ea11 100644
--- a/content/operate/_index.md
+++ b/content/operate/_index.md
@@ -45,7 +45,7 @@ hideListLinks: true
| | {{}} Redis Cloud | {{}} Redis Software | {{}} Redis Open Source | Redis for Kubernetes |
|:-----------|:--------------|:-----------|:--------------|:--------------|
| Transport Layer Security (TLS) | [TLS]({{}}) | [TLS]({{}}) | [TLS]({{< relref "/operate/oss_and_stack/management/security/encryption" >}}) | [REDB tlsMode]({{}}) |
-| Role-based access control (RBAC) | [Role-based access control]({{}}) | [Access control]({{}}) | [Access control list]({{< relref "/operate/oss_and_stack/management/security/acl" >}}) | [REC credentials]({{}}) |
+| Role-based access control (RBAC) | [Role-based access control]({{}}) | [Access control]({{}}) | [Access control list]({{< relref "/operate/oss_and_stack/management/security/acl" >}}) | [REC credentials]({{}}) |
| Lightweight Directory Access Protocol (LDAP) | | [LDAP authentication]({{}}) | | [Enable LDAP]({{}}) |
| Single sign-on (SSO) | [SAML SSO]({{< relref "/operate/rc/security/access-control/saml-sso" >}}) | | | |
| Self-signed certificates | | [Certificates]({{}}) | [Certificate configuration]({{< relref "/operate/oss_and_stack/management/security/encryption#certificate-configuration" >}}) | [REC certificates]({{}}) |
diff --git a/content/operate/kubernetes/_index.md b/content/operate/kubernetes/_index.md
index d387bafb00..d65370434f 100644
--- a/content/operate/kubernetes/_index.md
+++ b/content/operate/kubernetes/_index.md
@@ -67,7 +67,7 @@ Set up globally distributed [Active-Active databases]({{< relref "/operate/kuber
Manage [secure connections]({{< relref "/operate/kubernetes/security" >}}) and access control for your Redis Enterprise deployment.
-- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}})
+- [Manage credentials]({{< relref "/operate/kubernetes/security/manage-credentials" >}})
- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}})
- [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}})
- [LDAP authentication]({{< relref "/operate/kubernetes/security/ldap" >}})
diff --git a/content/operate/kubernetes/active-active/create-aa-crdb-cli.md b/content/operate/kubernetes/active-active/create-aa-crdb-cli.md
index bf6c86d8d6..04008b8387 100644
--- a/content/operate/kubernetes/active-active/create-aa-crdb-cli.md
+++ b/content/operate/kubernetes/active-active/create-aa-crdb-cli.md
@@ -69,7 +69,7 @@ You'll need to create DNS aliases to resolve your API hostname ``,
- Description: Combined with database name to create the Active-Active database hostname
- Format: string
- Example value: `-cluster.ijk.example.com`
-- [**REC admin credentials**]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) ` `:
+- [**REC admin credentials**]({{< relref "/operate/kubernetes/security/manage-credentials" >}}) ` `:
- Description: Admin username and password for the REC stored in a secret
- Format: string
- Example value: username: `user@example.com`, password: `something`
diff --git a/content/operate/kubernetes/architecture/_index.md b/content/operate/kubernetes/architecture/_index.md
index d92a0d1040..ede076eae8 100644
--- a/content/operate/kubernetes/architecture/_index.md
+++ b/content/operate/kubernetes/architecture/_index.md
@@ -90,7 +90,7 @@ Redis Enterprise for Kubernetes uses [secrets](https://kubernetes.io/docs/concep
Redis Enterprise for Kubernetes uses the [RedisEnterpriseCluster (REC)]({{}}) [custom resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to create a Redis Enterprise cluster. During creation it generates random credentials for the operator to use. The credentials are saved in a Kubernetes (K8s) [secret](https://kubernetes.io/docs/concepts/configuration/secret/). The secret name defaults to the name of the cluster.
-See [Manage REC credentials]({{}}) for more details.
+See [Manage credentials]({{}}) for more details.
### REC certificates
diff --git a/content/operate/kubernetes/networking/database-connectivity.md b/content/operate/kubernetes/networking/database-connectivity.md
index b1ff1dbf2e..73f15f807a 100644
--- a/content/operate/kubernetes/networking/database-connectivity.md
+++ b/content/operate/kubernetes/networking/database-connectivity.md
@@ -212,6 +212,10 @@ spec:
key: password
```
+### Rotate the database password
+
+To rotate a database password, update the `password` key in the database secret. See [Change the REDB password]({{< relref "/operate/kubernetes/security/manage-credentials#change-the-redb-password" >}}).
+
### Default user configuration
By default, databases create a default user with full access. You can disable this behavior:
diff --git a/content/operate/kubernetes/re-databases/_index.md b/content/operate/kubernetes/re-databases/_index.md
index e99571c2ec..431e69297f 100644
--- a/content/operate/kubernetes/re-databases/_index.md
+++ b/content/operate/kubernetes/re-databases/_index.md
@@ -38,6 +38,7 @@ Explore advanced database features and configurations:
Connect applications to your Redis Enterprise databases:
- [Database connectivity]({{< relref "/operate/kubernetes/networking/database-connectivity" >}}) - Comprehensive guide to in-cluster and external database access, service discovery, and credentials management.
+- [Manage credentials]({{< relref "/operate/kubernetes/security/manage-credentials" >}}) - Retrieve and rotate REC admin credentials and REDB database passwords.
- [Networking]({{< relref "/operate/kubernetes/networking" >}}) - Configure ingress, routes, and service exposure for database access
- [Security]({{< relref "/operate/kubernetes/security" >}}) - Set up TLS, authentication, and access control for secure database connections
diff --git a/content/operate/kubernetes/security/_index.md b/content/operate/kubernetes/security/_index.md
index a04831b1ed..b8abeb1077 100644
--- a/content/operate/kubernetes/security/_index.md
+++ b/content/operate/kubernetes/security/_index.md
@@ -17,7 +17,7 @@ Configure security settings for your Redis Enterprise deployment on Kubernetes.
Manage cluster credentials and authentication settings:
-- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) - Configure and manage Redis Enterprise cluster credentials
+- [Manage credentials]({{< relref "/operate/kubernetes/security/manage-credentials" >}}) - Retrieve and rotate REC admin credentials and REDB database passwords
- [Configuration secrets]({{< relref "/operate/kubernetes/security/configuration-secrets" >}}) - Store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management
- [LDAP authentication]({{< relref "/operate/kubernetes/security/ldap" >}}) - Integrate with LDAP for centralized authentication
- [SSO authentication]({{< relref "/operate/kubernetes/security/sso" >}}) - Enable SAML-based single sign-on for Cluster Manager UI access
diff --git a/content/operate/kubernetes/security/configuration-secrets.md b/content/operate/kubernetes/security/configuration-secrets.md
index aa432b10bb..eefa0bf04e 100644
--- a/content/operate/kubernetes/security/configuration-secrets.md
+++ b/content/operate/kubernetes/security/configuration-secrets.md
@@ -70,7 +70,7 @@ You can customize the credential secret name during cluster creation using the `
The `clusterCredentialSecretName` field cannot be changed after cluster creation.
{{}}
-For detailed instructions, see [Customize the credential secret name]({{< relref "/operate/kubernetes/security/manage-rec-credentials#customize-the-credential-secret-name" >}}).
+For detailed instructions, see [Manage credentials]({{< relref "/operate/kubernetes/security/manage-credentials" >}}).
## TLS certificate configuration
@@ -150,7 +150,7 @@ Field names vary by deployment.
## See also
-- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}})
+- [Manage credentials]({{< relref "/operate/kubernetes/security/manage-credentials" >}})
- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}})
- [Add client certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}})
- [Redis Enterprise Cluster API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}})
diff --git a/content/operate/kubernetes/security/manage-credentials.md b/content/operate/kubernetes/security/manage-credentials.md
new file mode 100644
index 0000000000..10530e78f4
--- /dev/null
+++ b/content/operate/kubernetes/security/manage-credentials.md
@@ -0,0 +1,205 @@
+---
+Title: Manage Redis Enterprise credentials
+aliases: [/operate/kubernetes/security/manage-rec-credentials/]
+alwaysopen: false
+categories:
+- docs
+- operate
+- kubernetes
+description: Retrieve and rotate Redis Enterprise cluster (REC) admin credentials and Redis Enterprise database (REDB) passwords on Kubernetes.
+linkTitle: Manage credentials
+weight: 93
+---
+
+Redis Enterprise for Kubernetes stores both cluster admin credentials and database passwords in Kubernetes [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). The operator reconciles changes to these secrets and applies them to the cluster, so you rotate credentials by updating the secret rather than calling the cluster API directly.
+
+{{}}
+The procedures on this page are supported for operator versions 6.0.20-12 and later.
+{{}}
+
+## Redis Enterprise cluster (REC) credentials
+
+The [`RedisEnterpriseCluster`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) custom resource generates random admin credentials during cluster creation. The credentials are stored in a Kubernetes secret named by the `clusterCredentialSecretName` field (defaults to the cluster name).
+
+### Retrieve the REC username and password
+
+REC credentials authenticate to the Redis Enterprise admin console or REST API. You need cluster connectivity through a service or port forwarding.
+
+1. Read the secret created by the operator:
+
+ ```sh
+ kubectl get secret rec -o jsonpath='{.data}'
+ ```
+
+ The command outputs the base64-encoded password and username:
+
+ ```sh
+ map[password:MTIzNDU2NzgK username:ZGVtb0BleGFtcGxlLmNvbQo=]
+ ```
+
+1. Decode each value:
+
+ ```sh
+ echo MTIzNDU2NzgK | base64 --decode
+ ```
+
+ In this example, the plain text password is `12345678` and the username is `demo@example.com`.
+
+### Change the REC password for the current username
+
+1. Open a shell in a Redis Enterprise [pod](https://kubernetes.io/docs/concepts/workloads/pods/):
+
+ ```sh
+ kubectl exec -it -0 -c redis-enterprise-node -- /bin/bash
+ ```
+
+2. Add a new password for the existing user:
+
+ ```bash
+ REC_USER="`cat /opt/redislabs/credentials/username`" \
+ REC_PASSWORD="`cat /opt/redislabs/credentials/password`" \
+ curl -k --request POST \
+ --url https://localhost:9443/v1/users/password \
+ -u "$REC_USER:$REC_PASSWORD" \
+ --header 'Content-Type: application/json' \
+ --data "{\"username\":\"$REC_USER\", \
+ \"old_password\":\"$REC_PASSWORD\", \
+ \"new_password\":\"\"}"
+ ```
+
+3. From outside the pod, update the REC credential secret:
+
+ ```sh
+ kubectl create secret generic \
+ --save-config \
+ --dry-run=client \
+ --from-literal=username= \
+ --from-literal=password= \
+ -o yaml | \
+ kubectl apply -f -
+ ```
+
+4. Wait five minutes for all components to read the new password. Proceeding too soon can lock the account.
+
+5. Open a shell in the pod again:
+
+ ```sh
+ kubectl exec -it -0 -c redis-enterprise-node -- /bin/bash
+ ```
+
+6. Remove the previous password so only the new one applies:
+
+ ```sh
+ REC_USER="`cat /opt/redislabs/credentials/username`"; \
+ REC_PASSWORD="`cat /opt/redislabs/credentials/password`"; \
+ curl -k --request DELETE \
+ --url https://localhost:9443/v1/users/password \
+ -u "$REC_USER:$REC_PASSWORD" \
+ --header 'Content-Type: application/json' \
+ --data "{\"username\":\"$REC_USER\", \
+ \"old_password\":\"}}
+The username in the K8s secret is the email displayed in the Redis Enterprise admin console.
+{{}}
+
+### Change both the REC username and password
+
+1. [Connect to the admin console]({{< relref "/operate/kubernetes/re-clusters/connect-to-admin-console.md" >}}).
+
+2. [Add another admin user]({{< relref "/operate/rs/security/access-control/create-users" >}}) and choose a new password.
+
+3. Set the new username in the `username` field of your REC custom resource spec.
+
+4. Update the REC credential secret:
+
+ ```sh
+ kubectl create secret generic \
+ --save-config \
+ --dry-run=client \
+ --from-literal=username= \
+ --from-literal=password= \
+ -o yaml | \
+ kubectl apply -f -
+ ```
+
+5. Wait five minutes for all components to read the new password. Proceeding too soon can lock the account.
+
+6. Delete the previous admin user from the cluster.
+
+{{}}
+The operator may log errors between updating the username in the REC spec and updating the secret.
+{{}}
+
+### Update the REC credentials secret in Vault
+
+If you store secrets in HashiCorp Vault, update the REC credential secret with these key-value pairs:
+
+```sh
+username:, password:
+```
+
+For more details, see [Integrate Redis Enterprise for Kubernetes with HashiCorp Vault](https://github.com/RedisLabs/redis-enterprise-k8s-docs/blob/master/vault/README.md).
+
+## Redis Enterprise database (REDB) password
+
+Each [`RedisEnterpriseDatabase`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}) resource has a password stored under the `password` key of the secret named by `spec.databaseSecretName`. If you don't set `databaseSecretName`, the operator creates a secret named `redb-` with a random password and updates the REDB spec to reference it.
+
+The operator reads the `password` key on every reconciliation and applies it to the database, so you rotate the password by updating the secret.
+
+### Retrieve the REDB password
+
+1. Find the secret name for the database:
+
+ ```sh
+ kubectl get redb -o jsonpath="{.spec.databaseSecretName}"
+ ```
+
+2. Decode the password:
+
+ ```sh
+ kubectl get secret -o jsonpath="{.data.password}" | base64 --decode
+ ```
+
+### Change the REDB password
+
+{{}}
+If the REDB spec sets `defaultUser: false`, the operator does not create or update the database secret. Rotating the secret has no effect in that mode — manage credentials through [Redis ACLs]({{< relref "/operate/rs/security/access-control/create-roles" >}}) instead.
+{{}}
+
+1. Base64-encode the new password. Use `echo -n` to avoid encoding a trailing newline:
+
+ ```sh
+ echo -n '' | base64
+ ```
+
+2. Patch the secret with the encoded value:
+
+ ```sh
+ kubectl patch secret -p='{"data":{"password":""}}'
+ ```
+
+ To edit the secret interactively, use `kubectl edit secret ` and replace the `password` value.
+
+3. Verify that the operator applied the change. The REDB status moves to `active-change-pending` while the update is in flight and returns to `active` when complete:
+
+ ```sh
+ kubectl get redb -o jsonpath='{.status.status}'
+ ```
+
+ Then test the new password with a Redis client:
+
+ ```sh
+ redis-cli -h -p -a '' PING
+ ```
+
+To disable authentication for the default user, set the `password` value to an empty string.
+
+#### Impact on existing client connections
+
+Existing client connections authenticated with the old password remain open — Redis Enterprise does not drop sessions when the password changes. New connections, and any `AUTH` commands issued on existing connections, must use the new password. Coordinate the secret update with your client configuration to avoid authentication errors.
+
+{{}}
+For Active-Active databases, the database secret is not created automatically. See [Create a global database secret]({{< relref "/operate/kubernetes/active-active/global-db-secret" >}}).
+{{}}
diff --git a/content/operate/kubernetes/security/manage-rec-credentials.md b/content/operate/kubernetes/security/manage-rec-credentials.md
deleted file mode 100644
index 6af331b9be..0000000000
--- a/content/operate/kubernetes/security/manage-rec-credentials.md
+++ /dev/null
@@ -1,136 +0,0 @@
----
-Title: Manage Redis Enterprise cluster (REC) credentials
-alwaysopen: false
-categories:
-- docs
-- operate
-- kubernetes
-linkTitle: Manage REC credentials
-weight: 93
----
-Redis Enterprise for Kubernetes uses a custom resource called [`RedisEnterpriseCluster`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) to create a Redis Enterprise cluster (REC). During creation, it generates random credentials for the operator to use. The credentials are saved in a Kubernetes (K8s) [secret](https://kubernetes.io/docs/concepts/configuration/secret/). The secret name defaults to the cluster name and is specified by the `clusterCredentialSecretName` field in the REC specification.
-
-{{}}
-This procedure is only supported for operator versions 6.0.20-12 and above.
-{{}}
-
-## Retrieve the current username and password
-
-The credentials can be used to access the Redis Enterprise admin console or the API. Connectivity must be configured to the REC [pods](https://kubernetes.io/docs/concepts/workloads/pods/) using an appropriate service (or port forwarding).
-
-1. Inspect the random username and password created by the operator during creation with the `kubectl get secret` command.
-
- ```sh
- kubectl get secret rec -o jsonpath='{.data}'
- ```
-
- The command outputs the encoded password and username, similar to the example below.
-
- ```sh
- map[password:MTIzNDU2NzgK username:ZGVtb0BleGFtcGxlLmNvbQo=]
- ```
-
-1. Decode the password and username with the `echo` command and the password from the previous step.
-
- ```bash
- echo MTIzNDU2NzgK | base64 --decode
- ```
-
- This outputs the password and username in plain text. In this example, the plain text password is `12345678` and the username is `demo@example.com`.
-
-## Change the Redis Enterprise cluster (REC) credentials
-
-### Change the REC password for the current username
-
-1. Access a [pod](https://kubernetes.io/docs/concepts/workloads/pods/) running a Redis Enterprise cluster.
-
-```sh
-kubectl exec -it -0 -c redis-enterprise-node -- /bin/bash
-```
-
-2. Add a new password for the existing user.
-
-```bash
-REC_USER="`cat /opt/redislabs/credentials/username`" \
-REC_PASSWORD="`cat /opt/redislabs/credentials/password`" \
-curl -k --request POST \
- --url https://localhost:9443/v1/users/password \
- -u "$REC_USER:$REC_PASSWORD" \
- --header 'Content-Type: application/json' \
- --data "{\"username\":\"$REC_USER\", \
- \"old_password\":\"$REC_PASSWORD\", \
- \"new_password\":\"\"}"
-```
-
-3. From outside the pod, update the REC credential secret.
-
-```sh
-kubectl create secret generic \
- --save-config \
- --dry-run=client \
- --from-literal=username= \
- --from-literal=password= \
- -o yaml | \
-kubectl apply -f -
-```
-
-4. Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked.
-
-5. Access a pod running a Redis Enterprise cluster again.
-
-```sh
-kubectl exec -it -0 -c redis-enterprise-node -- /bin/bash
-```
-
-6. Remove the previous password to ensure only the new one applies.
-
-```sh
-REC_USER="`cat /opt/redislabs/credentials/username`"; \
-REC_PASSWORD="`cat /opt/redislabs/credentials/password`"; \
-curl -k --request DELETE \
- --url https://localhost:9443/v1/users/password \
- -u "$REC_USER:$REC_PASSWORD" \
- --header 'Content-Type: application/json' \
- --data "{\"username\":\"$REC_USER\", \
- \"old_password\":\"}} The username for the K8s secret is the email displayed on the Redis Enterprise admin console. {{}}
-
-### Change both the REC username and password
-
-1. [Connect to the admin console]({{< relref "/operate/kubernetes/re-clusters/connect-to-admin-console.md" >}})
-
-2. [Add another admin user]({{< relref "/operate/rs/security/access-control/create-users" >}}) and choose a new password.
-
-3. Specify the new username in the `username` field of your REC custom resource spec.
-
-4. Update the REC credential secret:
-
-```sh
-kubectl create secret generic \
- --save-config \
- --dry-run=client \
- --from-literal=username= \
- --from-literal=password= \
- -o yaml | \
-kubectl apply -f -
-```
-
-5. Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked.
-
-6. Delete the previous admin user from the cluster.
-
-{{}}
-The operator may log errors in the time between updating the username in the REC spec and the secret update.
-{{}}
-
-### Update the credentials secret in Vault
-
-If you store your secrets with Hashicorp Vault, update the secret for the REC credentials with the following key-value pairs:
-
-```sh
-username:, password:
-```
-
-For more information about Vault integration with the Redis Enterprise Cluster see [Integrating Redis Enterprise for Kubernetes with Hashicorp Vault](https://github.com/RedisLabs/redis-enterprise-k8s-docs/blob/master/vault/README.md).