Data volume seed rotation

This section describes how to use the Rolling of Seeds feature to periodically rotate cryptographic seeds. Rotating seeds strengthens security and reduces risk if a seed becomes compromised.

Before you begin

  • Back up the data volume. For instructions, see Backup of Data Volume.
  • Handle the data volume with extreme caution.

About this task

Warning: The data volume contains sensitive information related to digital wallets and financial transactions.
  • Irrecoverable loss: If the data volume is lost, it cannot be recovered.
  • Tampering risk: Unauthorized modification may result in loss of digital assets.
Important: Ensure that you have a complete backup before making any changes.

Procedure

  1. Shut down the existing HPVS HSM Signer instance:
    virsh shutdown <domain-name>
  2. Confirm that the domain is shut down:
    virsh list --all
    Sample output
    # virsh list --all 
    Id     Name             State 
    ------------------------------ 
    1      hsm_signer     shutoff
  3. Undefine the existing HPVS HSM Signer Instance running the following command
    virsh undefine <domain-name>
  4. Verify whether the domain is removed by running the following command:
    virsh list --all
    Sample output:
    # virsh list --all
      Id   Name           State
    ------------------------------
  5. Update the Terraform variables:
    • Set ENV_VOLUME_PREV_SEED and WORKLOAD_VOLUME_PREV_SEED to the old seed values used in ENV_VOLUME_SEED and WORKLOAD_VOLUME_SEED.
    • Set ENV_VOLUME_SEED and WORKLOAD_VOLUME_SEED to the new seed values.
  6. Start the HPVS HSM Signer. For instructions, see Bringing HSM Signer Online.
  7. Validate seed rotation. For instructions,Validate HSM Signer Logs .
  8. After seed rotation is complete, revert the values of ENV_VOLUME_PREV_SEED and WORKLOAD_VOLUME_PREV_SEED to "".