Rotate external KMS keys
Canton keys can still be rotated manually even when they are stored externally in a KMS. To do so, use the standard key rotation commands, or, if you already have a pre-generated KMS key to rotate to, run the following command:
    val newSigningKeyParticipant = participant1.keys.secret
      .rotate_kms_node_key(
        keyFingerprint,
        newKmsKeyId,
        "kms_key_rotated",
      )
keyFingerprint - the fingerprint of the key to rotate.
newKmsKeyId - the ID of the new KMS key (e.g. its resource name).
name - an optional name for the new key (here "kms_key_rotated").
No current KMS service offers automatic rotation of asymmetric keys, so the node operator is responsible for rotating these keys periodically.