From the docs:
Keys are defined in pairs to allow key rotation, but the common case is to set a single authentication key and optionally an encryption key.
The first pair is used for authentication, encryption and decryption, all other pairs are only used for authentication and decryption (but not encryption).
This is a very common strategy for key rotation. A new key pair is generated regularly and becomes the new key for encryption. Some or all other keys are kept around so that existing data can still be decrypted for some time. The oldest key can be discarded eventually. This limits the impact of a disclosed key because it becomes useless after some time.
Other software that uses this method:
- Google's KMS: https://cloud.google.com/kms/docs/key-rotation
- Amazon's KMS: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
- HashiCorp's Vault: https://www.vaultproject.io/api/secret/transit/index.html#rotate-key