Participant Node Migration to KMS¶
To migrate an existing participant node connected to a sync domain with a non-KMS-compatible provider and start using KMS external keys, you need to follow one of the next guides. The general idea is to replicate the old node into a new one that uses a KMS crypto provider and connects to a KMS-compatible sync domain (e.g. running JCE with KMS-supported encryption and signing keys).
Two different methods are available for performing this migration: (a) migrate to a new participant that uses the same namespace identity and (b) migrate to a new participant with an entire new identity and namespace. The first option does not require you to change the party ids for the active contracts in the old participant, and it can be done by a single operator, because it is a transparent process for the other operators and their shared contracts. However, the old domain must support the new protocol version and the original root namespace key must be kept safe to allow the future migration to a new protocol version. The second option re-writes the contracts with new party identifiers in line with the new participant namespace. Therefore, you do not need to preserve the original root namespace key for a future migration. This works even if the old domain node does not support the new protocol version. However, for it to work, a single operator must control all the contracts or all participant operators have to agree on this rewrite.