Good day
I have a question about autounseal.
I use an AWS KMS key to auto-unseal. But if for some reason I lose my AWS account, I can't unseal Vault anymore.
I can't find an answer on how I can mitigate this risk.
I have a thought about making a backup each day. In the backup, change auto-unseal to Shamir like this
But even in this case I can't create a Shamir unseal key. After changing from auto-unseal to Shamir, vault status:
Key Value
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Seal Migration in Progress true
Version 1.15.4
Build Date 2023-12-04T17:45:28Z
Storage Type raft
Cluster Name vault-ha-cluster
Cluster ID 2f79a853-64ed-603a-dc89-0c84168e56a7
HA Enabled true
HA Cluster vault-node3.xxx:8201
HA Mode standby
Active Node Address vault-node3:8200
Raft Committed Index 5707
Raft Applied Index 5707
vault operator rekey -init
WARNING! If you lose the keys after they are returned, there is no recovery.
Consider canceling this operation and re-initializing with the -pgp-keys flag
to protect the returned unseal keys along with -backup to allow recovery of
the encrypted keys in case of emergency. You can delete the stored keys later
using the -delete flag.
Key Value
Nonce xxx
Started true
Rekey Progress 0/3
New Shares 1
New Threshold 1
Verification Required false
So how can I get a scheme that allows me to unseal Vault even if I lose my AWS account? I did try KMS with my own key material, but it doesn't help because Vault uses a specific key-id.
Regards
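The configuration change the migration above relies on, as an added example that is not part of the original post. It assumes a vault.hcl that currently holds an `awskms` seal stanza (the region and key ARN below are placeholders) and that the recovery key shares handed out by `vault operator init` are still available. The two stanzas are two versions of the same block; only one of them is present in the file at a time.

```hcl
# Added example, not from the original post. Region and kms_key_id are
# placeholders; replace them with the values from the existing vault.hcl.

# Version 1: the stanza as it is while Vault auto-unseals with AWS KMS.
seal "awskms" {
  region     = "eu-west-1"
  kms_key_id = "arn:aws:kms:eu-west-1:000000000000:key/PLACEHOLDER-KEY-ID"
}

# Version 2: the same stanza marked disabled. Vault then starts sealed and
# waits for `vault operator unseal -migrate`, supplied with the recovery
# key shares up to the threshold (3 of 5 in the status output above).
# When the migration completes, those recovery shares become the Shamir
# unseal shares and the KMS key is no longer needed to unseal.
seal "awskms" {
  disabled   = "true"
  region     = "eu-west-1"
  kms_key_id = "arn:aws:kms:eu-west-1:000000000000:key/PLACEHOLDER-KEY-ID"
}
```

Restart Vault with the disabled stanza, run `vault operator unseal -migrate` on the active node once per recovery share until the threshold is met, and then check that `vault status` reports `Seal Type shamir` with `Seal Migration in Progress false` before running `vault operator rekey -init` to issue fresh shares. Two caveats matter for the risk in the question: the migration has to decrypt the stored key material with the old seal, so it only works while the KMS key is still reachable and must be rehearsed before access is lost (for instance against a raft snapshot restored in an isolated environment, as the daily-backup idea suggests); and the recovery shares are the fallback key material for the whole cluster, so they need the same custody and distribution discipline as Shamir unseal shares.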