Auto-unseal: Rotating the master key only, keeping the recovery key?

In auto-unseal configuration, is it possible to change (rotate) the Vault master key without doing a full re-key operation, which requires entering all the recovery keys?

Since the master key is secured by the trusted service (say AWS KMS), it should in theory be possible to generate a new master key and encrypt it with KMS without requiring the recovery keys.

Background of my question: I'm looking at automatically rotating the various keys used in auto-unseal mode. The master key is the only challenging one, since for the others we have:

  1. AWS KMS Customer Master Key
     Fine for automatic rotation: AWS does automatically rotate them every year.

  2. Vault Master Key
     How to do automatic rotation?

  3. Vault Encryption Key
     Fine for automatic rotation: rotating the encryption key does not require a quorum of unseal keys, just the proper permissions.

  4. Transit Secrets Engine keys
     Fine for automatic rotation: can be rotated with the proper permissions.