OctopusDeploy · susanpann · Feb 2, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/src/pages/docs/administration/managing-infrastructure/rotate-master-key.md b/src/pages/docs/administration/managing-infrastructure/rotate-master-key.md
@@ -23,6 +23,7 @@ Octopus [encrypts important and sensitive data](/docs/security/data-encryption)
 - Sensitive variable values, wherever you have defined them.
 - Sensitive values in your deployment processes, like the password for a custom IIS App Pool user account.
 - Sensitive values in your deployment targets, like the password for creating [Offline Drops](/docs/infrastructure/deployment-targets/offline-package-drop).
+- Sensitive values in your process templates, like the default value for a sensitive/password box parameter.
 
 ## Rotating the Master Key
 
@@ -49,7 +50,7 @@ Once everything is backed up and the Octopus Server stopped, the steps are as fo
 
 Here's the beginning of an example report:
 
-```
+```text
 ================================================================================
 ROTATE MASTER KEY REPORT
 ================================================================================

diff --git a/src/pages/docs/platform-hub/process-templates/index.md b/src/pages/docs/platform-hub/process-templates/index.md
@@ -44,7 +44,6 @@ Some steps look different inside a process template. They ask for a parameter ra
 ![The run a script step asks for a worker pool parameter instead of a worker pool](/docs/img/platform-hub/process-template-step-example.png)
 :::
 
-
 :::div{.warning}
 Our initial release of Process Templates does not include support for a few built-in steps.
 :::
@@ -68,6 +67,7 @@ Process Templates can manage the following as parameters.
 - Generic OIDC Account
 - Google Cloud Account
 - Multi-line text box
+- Sensitive/password box
 - Single-line text box
 - Target Tags
 - Teams
@@ -90,6 +90,7 @@ You can set an optional default value for these parameters:
 - Multi-line text
 - Dropdown
 - Checkbox
+- Sensitive/password box
 - AWS Account
 - Azure Account
 - Generic OIDC Account
@@ -99,7 +100,6 @@ You can set an optional default value for these parameters:
 You cannot set a default value for these parameters, they must be set inside a project:
 
 - Certificate
-- Sensitive
 - Worker Pools
 - Package
 - Previous deployment step name
@@ -110,6 +110,30 @@ You cannot set a default value for these parameters, they must be set inside a p
 - Container Feed
 - Channels
 
+### Sensitive parameter defaults
+
+:::div{.hint}
+The ability to add default values for Sensitive/password box parameters is available from **Octopus 2026.1**.
+:::
+
+Unlike the other parameters, sensitive default values are stored securely in the database with a unique GUID identifier. This identifier is used in the process template to reference the default sensitive value in the database. Because of this approach, sensitive default values are supported in CaC workflows. Scoping for Sensitive/password box parameters is not currently supported.
+
+You can set a default value for your sensitive parameter by navigating to the parameters tab of your process template and committing your changes. When the template is saved, sensitive default values are stored encrypted in the database with a unique identifier. In the OCL, the parameter block will look something like this:
+
+```hcl
+parameter "Example Sensitive Parameter" {
+    display_settings = {
+        Octopus.ControlType = "Sensitive"
+    }
+    help_text = "An Example Sensitive Parameter"
+    label = "An Example Sensitive Parameter"
+
+    value "10d00c16-c905-43fa-90cd-088e22b31751" {}
+}
+```
+
+The GUID value in the OCL is a reference to the database-stored sensitive value. When the process template is used in a project or runbook, it will retrieve the sensitive value from the database.
+
 ### Parameter scoping
 
 Only Account parameters will allow you to scope them by environments. You can choose to scope them by any environment across your Octopus instance.
@@ -122,7 +146,6 @@ When a process template is used inside a project, the project supplied values wi
 ![The account parameter allowing scoping to environments present across Octopus instance](/docs/img/platform-hub/process-templates-account-scoping.png)
 :::
 
-
 ## Saving a Process Template
 
 Once you've finished making changes to your process template you can commit them to save the changes to your Git repository. You can either **Commit** with a description or quick commit without one.
@@ -185,9 +208,9 @@ To define a simple deployment process in Octopus that executes a hello world scr
 10. Add the Worker Pool parameter to the **Worker Pool** field.
 11. Paste the following PowerShell script into the **Inline Source Code** editor:
 
-```powershell
-Write-Host "Hello, World!" 
-```
+    ```powershell
+    Write-Host "Hello, World!" 
+    ```
 
 12. Commit your template.
 13. Publish and Share your template.
@@ -196,4 +219,4 @@ Write-Host "Hello, World!"
 16. Choose the Worker Pool in the parameters tab
 17. Add any steps before or after the process template
 
-You can now deploy this process to say "Hello, World!".
+You can now deploy this process to say "Hello, World!".