In auto-unseal configuration, is it possible to change (rotate) the Vault master key without doing a full re-key operation, which requires entering all the recovery keys?
Since the master key is secured by the trusted service (say AWS KMS), it should in theory be possible to generate a new master key and encrypt it with KMS without requiring the recovery keys.
Background of my question: I’m looking at automatically rotating the various keys used in auto-unseal mode. The master key is the only challenging one, since for the others we have:

- AWS KMS Customer Master Key: Fine for automatic rotation. AWS does automatically rotate them every year.
- Vault Master Key: How to do automatic rotation?
- Vault Encryption Key: Fine for automatic rotation. Rotating the Encryption Key does not require a quorum of unseal keys, just the proper permissions.
- Transit Secret Engine keys: Fine for automatic rotation. Can be rotated with proper permissions.
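For the two keys the post says can be rotated with permissions alone (the Vault encryption key and Transit keys), the script below is an added example of what the automation might look like; it is not code from the post or from HashiCorp. It reads the key metadata the API exposes (`sys/key-status` for the barrier encryption key, `transit/keys/<name>` for Transit keys), computes each key's age, and returns the rotate endpoints that are due, optionally calling them. It assumes `VAULT_ADDR`/`VAULT_TOKEN` point at a reachable Vault, Transit is mounted at `transit/`, and the token holds a policy like the `POLICY_HCL` shown; the `SAMPLE_*` values are constructed to match the documented response shapes rather than captured from a server. The master key is deliberately out of scope here, since its rotation is the open question.

```python
"""Age-based rotation check for the Vault keys that can be rotated with an
ordinary token: the barrier encryption key (read at sys/key-status, rotated at
sys/rotate) and Transit keys (read at transit/keys/<name>, rotated at
transit/keys/<name>/rotate).

Added example, not code from the original post or from HashiCorp. It assumes
VAULT_ADDR/VAULT_TOKEN point at a reachable Vault, that Transit is mounted at
"transit/", and that the token carries a policy like POLICY_HCL. The SAMPLE_*
values are constructed to match the documented response shapes; they are not
captured from a real server.
"""
import json
import os
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# Minimal policy for the rotating token. sys/rotate requires the sudo capability.
POLICY_HCL = """
path "sys/key-status"        { capabilities = ["read"] }
path "sys/rotate"            { capabilities = ["update", "sudo"] }
path "transit/keys/*"        { capabilities = ["read"] }
path "transit/keys/+/rotate" { capabilities = ["update"] }
"""

_RFC3339 = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)$")


def parse_rfc3339(value: str) -> datetime:
    """Parse Go-style RFC 3339 (nanosecond fraction, 'Z' allowed) into an aware datetime."""
    match = _RFC3339.match(value)
    if not match:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = match.groups()
    frac = (frac or "0")[:6].ljust(6, "0")  # fromisoformat accepts at most microseconds
    return datetime.fromisoformat(f"{base}.{frac}{'+00:00' if tz == 'Z' else tz}")


def barrier_key_age(key_status: dict, now: datetime) -> timedelta:
    """Age of the current encryption-key term from a sys/key-status response body."""
    return now - parse_rfc3339(key_status["install_time"])


def transit_key_age(key_info: dict, now: datetime) -> timedelta:
    """Age of the latest version of a Transit key from a transit/keys/<name> body."""
    created = key_info["keys"][str(key_info["latest_version"])]
    if isinstance(created, dict):  # asymmetric types expose a metadata map per version
        created_at = parse_rfc3339(created["creation_time"])
    else:  # symmetric types expose a unix timestamp per version
        created_at = datetime.fromtimestamp(int(created), tz=timezone.utc)
    return now - created_at


def rotation_plan(key_status: dict, transit_keys: dict, max_age_days: float, now: datetime) -> list:
    """API paths that should receive a rotate call, oldest key first."""
    max_age = timedelta(days=max_age_days)
    due = []
    age = barrier_key_age(key_status, now)
    if age > max_age:
        due.append(("sys/rotate", age))
    for name, info in transit_keys.items():
        age = transit_key_age(info, now)
        if age > max_age:
            due.append((f"transit/keys/{name}/rotate", age))
    due.sort(key=lambda item: item[1], reverse=True)
    return [path for path, _ in due]


def vault_request(method: str, path: str, addr: str, token: str, body=None) -> dict:
    """One authenticated call against the HTTP API; returns the "data" map (or {} on 204)."""
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{path}",
        method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    if not raw:
        return {}
    payload = json.loads(raw)
    return payload.get("data") or payload  # some sys/ endpoints also echo fields at top level


def rotate_due_keys(transit_names, max_age_days=90, apply=False, addr=None, token=None) -> list:
    """Read key metadata, compute the plan and, when apply=True, issue the rotate calls."""
    addr = addr or os.environ["VAULT_ADDR"]
    token = token or os.environ["VAULT_TOKEN"]
    now = datetime.now(timezone.utc)
    key_status = vault_request("GET", "sys/key-status", addr, token)
    transit = {n: vault_request("GET", f"transit/keys/{n}", addr, token) for n in transit_names}
    plan = rotation_plan(key_status, transit, max_age_days, now)
    if apply:
        for path in plan:
            vault_request("POST", path, addr, token, body={})  # update op; rotate takes no body
    return plan


# Constructed sample responses (shapes as documented, values invented for the demo).
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_KEY_STATUS = {"term": 3, "install_time": "2023-11-01T08:15:30.123456789Z", "encryptions": 7435}
SAMPLE_TRANSIT = {
    "payments": {"type": "aes256-gcm96", "latest_version": 2,
                 "keys": {"1": 1700000000, "2": 1707955200}},  # v2 created 2024-02-15
    "signing": {"type": "ed25519", "latest_version": 1,
                "keys": {"1": {"creation_time": "2023-10-15T00:00:00Z",
                               "name": "ed25519", "public_key": "<constructed>"}}},
}

if __name__ == "__main__":
    for path in rotation_plan(SAMPLE_KEY_STATUS, SAMPLE_TRANSIT, 90, SAMPLE_NOW):
        print("due:", path)
```

Run with `apply=False` first (the default) to see which rotate calls a scheduled job would make; the ordering puts the oldest key first so a run cut short by a failure still rotates the most overdue key. The timestamp parser exists because Vault writes Go-style RFC 3339 with nanosecond fractions, which `datetime.fromisoformat` does not accept unmodified.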