Rotate external KMS keys
Canton keys can still be rotated manually even when they are stored externally in a KMS. To do so, use the standard rotate key commands or, if you already have a pre-generated KMS key to rotate to, run the following command:
    val newSigningKeyParticipant = participant1.keys.secret
      .rotate_kms_node_key(
        keyFingerprint,
        newKmsKeyId,
        "kms_key_rotated",
      )
- fingerprint - the fingerprint of the key we want to rotate (keyFingerprint in the command above).
- newKmsKeyId - the id of the new KMS key (e.g. Resource Name).
- name - an optional name for the new key ("kms_key_rotated" in the command above).
No current KMS service offers automatic rotation of asymmetric keys, so the node operator is responsible for rotating these keys periodically.
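Because rotation is left to the operator, a scheduled age check helps catch keys that are overdue. The following is an added example, not part of the Canton documentation: it assumes AWS KMS as the provider and key metadata in the shape printed by `aws kms describe-key`; the function names, the 365-day threshold and the sample records are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: KeyMetadata objects shaped like `aws kms describe-key` output.
SAMPLE_KEYS = json.loads("""[
  {"KeyId": "00000000-0000-0000-0000-000000000001", "KeySpec": "ECC_NIST_P256",
   "KeyUsage": "SIGN_VERIFY", "KeyState": "Enabled",
   "CreationDate": "2023-01-10T08:00:00+00:00"},
  {"KeyId": "00000000-0000-0000-0000-000000000002", "KeySpec": "RSA_2048",
   "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled",
   "CreationDate": 1640995200.0},
  {"KeyId": "00000000-0000-0000-0000-000000000003", "KeySpec": "SYMMETRIC_DEFAULT",
   "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled",
   "CreationDate": "2021-05-01T00:00:00+00:00"},
  {"KeyId": "00000000-0000-0000-0000-000000000004", "KeySpec": "ECC_NIST_P256",
   "KeyUsage": "SIGN_VERIFY", "KeyState": "PendingDeletion",
   "CreationDate": "2021-05-01T00:00:00+00:00"},
  {"KeyId": "00000000-0000-0000-0000-000000000005", "KeySpec": "ECC_NIST_P256",
   "KeyUsage": "SIGN_VERIFY", "KeyState": "Enabled",
   "CreationDate": "2024-09-01T00:00:00+00:00"}
]""")


def parse_creation_date(value):
    """AWS CLI v1 prints epoch seconds, v2 prints ISO 8601; accept both."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def keys_due_for_rotation(keys, max_age_days, now):
    """Return (KeyId, age_in_days) for enabled asymmetric keys older than the limit."""
    due = []
    for meta in keys:
        if meta.get("KeySpec") == "SYMMETRIC_DEFAULT":
            continue  # this check only covers the asymmetric keys discussed above
        if meta.get("KeyState") != "Enabled":
            continue  # disabled or pending-deletion keys are not in use
        age = now - parse_creation_date(meta["CreationDate"])
        if age > timedelta(days=max_age_days):
            due.append((meta["KeyId"], age.days))
    return sorted(due, key=lambda item: item[1], reverse=True)  # oldest first


if __name__ == "__main__":
    for key_id, days in keys_due_for_rotation(SAMPLE_KEYS, 365, datetime.now(timezone.utc)):
        print(f"{key_id}: {days} days old, rotate with rotate_kms_node_key")
```

Each key id reported is a candidate for the `rotate_kms_node_key` command above, once a replacement KMS key has been generated.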