Runbook: validator identity key rotation

How to rotate the Ed25519 identity key held in the Nitro Enclave without losing on-chain identity.

When to run this

  • Scheduled rotation (recommended quarterly).
  • Suspected compromise of the encrypted ciphertext blob in S3 / KMS.
  • After a TEE upgrade that changes the PCR measurements (the new enclave needs the key re-wrapped under the updated KMS policy).

Procedure

  1. Boot a fresh enclave instance alongside the running one (blue / green) so traffic can drain.

  2. Run the rotation:

       validator-cli rotate-identity --keypair-path ~/solana/new-validator-keypair.json --confirm

     The CLI re-wraps the keypair under the current PCR-bound KMS policy, uploads the new ciphertext, and prints the new key reference.

  3. Restart the host-proxy and enclave with the new ciphertext reference.

  4. Verify the sign-probe stays green for at least 5 minutes:

       validator-cli stats --window 5m

  5. Shred the on-disk keypair file. The Marketplace process never reads it again. The only persistent copy is the KMS-wrapped ciphertext.
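
As an added example (not part of this runbook or of the validator-cli tooling), a guard for the final step: before the keypair file is shredded, confirm that its public half is the identity the cluster already knows, so a wrong path or a stale file does not destroy the wrong key. It assumes the standard Solana 64-byte JSON keypair layout (seed then public key) and a base58 identity string; the sample keypair bytes are constructed and not a real key.

```python
import json, os, secrets, tempfile
from pathlib import Path
# A Solana keypair file is a JSON array of 64 bytes: 32-byte Ed25519 seed, then 32-byte public key.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    """Base58 with the Bitcoin/Solana alphabet; each leading zero byte becomes a leading '1'."""
    n, digits = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + digits

def load_solana_keypair(path) -> bytes:
    data = json.loads(Path(path).read_text())
    if not (isinstance(data, list) and len(data) == 64 and all(isinstance(b, int) and 0 <= b < 256 for b in data)):
        raise ValueError(f"{path}: not a 64-byte Solana keypair JSON")
    return bytes(data)

def shred_file(path, passes: int = 3) -> None:
    """Overwrite, fsync, unlink. Caveat: CoW/journaling filesystems and SSDs may retain old blocks."""
    p, size = Path(path), Path(path).stat().st_size
    with open(p, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size))
            os.fsync(f.fileno())
    p.unlink()

def confirm_and_shred(path, expected_identity: str) -> str:
    """Guard for the final step: refuse to destroy the file unless it holds the expected identity."""
    actual = b58encode(load_solana_keypair(path)[32:])  # public half = on-chain identity
    if actual != expected_identity:
        raise RuntimeError(f"identity mismatch: file holds {actual}, expected {expected_identity}")
    shred_file(path)
    return actual

def demo() -> tuple:
    """Constructed sample (not a real key): seed of 0x11 bytes, public half = 31 zero bytes + 0x3a."""
    path = os.path.join(tempfile.mkdtemp(), "new-validator-keypair.json")
    Path(path).write_text(json.dumps(list(b"\x11" * 32 + b"\x00" * 31 + b"\x3a")))
    try:
        confirm_and_shred(path, "1" * 32)  # wrong identity: must refuse and leave the file in place
        refused = False
    except RuntimeError:
        refused = True
    kept = os.path.exists(path)
    identity = confirm_and_shred(path, "1" * 31 + "21")  # base58 of the constructed public half
    return identity, refused, kept, os.path.exists(path)
```

The overwrite is best effort only; the runbook's guarantee rests on the KMS-wrapped ciphertext being the sole persistent copy, not on disk erasure.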

TODO: pending content

  • Rollback procedure if Step 4 fails (link to incident response).
  • Solana cluster-side reconciliation for cases where the on-chain identity must change as well.
  • Coordination guidance with downstream stake delegators.