Rotate the envelope wrapper key
Some KMS providers (e.g., AWS) offer automatic rotation of symmetric KMS keys (typically yearly). Canton extends this by allowing node administrators to manually rotate the KMS wrapper key.
Note
You can change the key specification (e.g., enabling multi-region in AWS) during rotation by updating the configuration before rotating the wrapper key.
Key rotation does not delete the previous key. While the old key becomes inactive, it is still persisted. To permanently delete the previous key, see Delete Canton node keys.
Rotate with an auto-generated key
Use the following command:
participant1.keys.secret.rotate_wrapper_key()
Canton will automatically create a new wrapper key using the configured KMS.
Rotate with a manually generated key
First, you must create a new wrapper key in your KMS that meets the requirements described here. Afterwards, you can rotate to that key using the following command:
participant1.keys.secret.rotate_wrapper_key(newWrapperKeyId)
newWrapperKeyId: the identifier of the wrapper key you want to rotate to.
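The following Canton console script is an added example that is not part of the original page or of Canton itself. It walks through both rotation variants above (auto-generated and manually generated key) with the checks an operator would want around them: recording the wrapper key in use before rotating, rotating, and verifying that the node now uses a different (and, for the manual case, the intended) key. It assumes a participant named participant1 whose private key store is encrypted with a KMS wrapper key, and that the console offers keys.secret.get_wrapper_key_id() and keys.secret.list() on your version; the environment variable NEW_WRAPPER_KEY_ID and the aws kms create-key invocation shown in a comment are illustrative assumptions, not page content.

```scala
// Added example (not from the Canton docs): rotate the KMS wrapper key from the
// Canton console and verify the result.
// Assumptions: a participant `participant1` with a KMS-encrypted private key store,
// and that `keys.secret.get_wrapper_key_id()` / `keys.secret.list()` exist on this
// console version.

// 1. Record the wrapper key currently in use. You need it to confirm that the
//    rotation actually switched keys, and later to know which KMS key to delete.
val oldWrapperKeyId: String = participant1.keys.secret.get_wrapper_key_id()
println(s"wrapper key before rotation: $oldWrapperKeyId")

// 2. Rotate. Exactly one of the two variants applies; the other stays commented out.

// 2a. Auto-generated key: Canton creates the new wrapper key in the configured KMS.
participant1.keys.secret.rotate_wrapper_key()

// 2b. Manually generated key: create it in the KMS first, e.g. on AWS (illustrative):
//       aws kms create-key --key-spec SYMMETRIC_DEFAULT --key-usage ENCRYPT_DECRYPT
//     then pass its key identifier to the node. Here it is read from an environment
//     variable purely as an assumption for this example.
// val newWrapperKeyId: String = sys.env("NEW_WRAPPER_KEY_ID")
// participant1.keys.secret.rotate_wrapper_key(newWrapperKeyId)

// 3. Verify that the private key store is now wrapped with a different key.
val currentWrapperKeyId: String = participant1.keys.secret.get_wrapper_key_id()
require(
  currentWrapperKeyId != oldWrapperKeyId,
  s"wrapper key is still $oldWrapperKeyId; rotation did not take effect",
)
// For variant 2b, additionally check that the node picked exactly the key you created:
// require(currentWrapperKeyId == newWrapperKeyId, "node rotated to an unexpected wrapper key")

// 4. Sanity check: the node can still read (unwrap) its private keys after re-wrapping.
val privateKeys = participant1.keys.secret.list()
require(privateKeys.nonEmpty, "no private keys visible after wrapper key rotation")
println(s"wrapper key after rotation: $currentWrapperKeyId (${privateKeys.size} private keys readable)")

// The old wrapper key is now inactive but still exists in the KMS. Deleting it is a
// separate, deliberate step (see "Delete Canton node keys"); do not do it until you are
// satisfied the node operates correctly under the new key.
```

If rotation fails part way (for example because the new KMS key lacks the required usage or policy), the pre/post identifier comparison above is what tells you whether the node is still on the old key rather than in an undefined state; keep the old key until that check passes.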