About periodically updating the HMK and KPK
The HMK and KPK can be updated periodically using the modifyhmk and modifykpk options of the KMS CLI. These operations prompt you for a new pass phrase and ID and then update the KPK/HMK. You can choose either a random or a pass phrase-based KPK/HMK at each such invocation.
Note:
It is a best practice to use the -usepphrase option when modifying the HMK and KPK so that you are required to use a known pass phrase for future recovery. With the -nopphrase option, KMS generates a random pass phrase that is unknown, which eliminates the possibility of future recovery if it is needed.