Hi everyone, I have a small dilemma in terms of implementation of auto-unseal mechanism with transit secrets engine.
I am doing a POC in our organization with 2 Vault clusters (each cluster is running on 4 VM nodes on RHEL) where they are configured with Transit secrets engine that enables them to auto-unseal each other.
All good but there are cases when we have maintenance on weekends and servers can be rebooted after patching.
Now we can potentially end up in a scenario where all servers that are hosting 2 Vault clusters can reboot almost simultaneously which will end up with Vault being sealed in both of them with no means to unseal anymore. From what I understood from documentation, the Recovery Keys won’t be enough to unseal one of the Vault clusters or even 1 node from cluster ? So how to solve this kind of scenario ?
I know there are other ways to auto-unseal, like AWS KMS but in our organization we are restricted on using it so that’s not an option for us.
Any ideas ? Sorry if this is a dumb question I am just learning the Vault and I can’t seem to find the answer what is the best practice
Thanks !