Manual KMS key rotation

Canton keys, except the root namespace keys, can still be rotated manually even when they are stored externally in a KMS. To do so, use the standard rotate key commands or, if you already have a pre-generated KMS key to rotate to, run the following command:

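// keyFingerprint: fingerprint of the key being rotated
// newKmsKeyId: identifier of the pre-generated KMS key to rotate to
val newSigningKey = participant1.keys.secret
  .rotate_kms_node_key(
    keyFingerprint,
    newKmsKeyId,
  )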

No current KMS service offers automatic rotation of asymmetric keys, so the node operator is responsible for rotating these keys periodically.

If you need to rotate the namespace root key, you have to follow the same procedure as for migrating from a non-KMS to a KMS participant, including contract rewriting.