I know that encrypting password hashes is a contentious issue. However, I have seen it recommended in some quarters. I know for instance that Dropbox did this at one time with AES256. In these cases, all password hashes would be encrypted with one shared key, allowing for easy storage in a key management system (such as AWS KMS, HashiCorp's Vault, or an HSM) and straightforward rotation.
However, most modern symmetric ciphers that would be appropriate for this task require random nonces. Wouldn't this mean that the nonces need to be tracked and stored somewhere?