Auto-Unseal to Shamir, as Vault destroyed

Hi All,

I have two vault instances, Vault-1 and Vault-2. Vault-1, which is main vault, get auto-unsealed by Vault-2 using transit secret engine. But, unfortunately, I have completed destroyed the Vault-2, which is unsealing the Vault-1. Now, the main vault is get stuck. I have setup a new vault instance and configure to use transit engine.

While, migrating from transit to shamir with new Vault, the migration part stuck at third recovery key.

Is it because the current recovery keys are related to the deleted vault instance? Anyway to recover my vault instance now?

If the unsealing vault gets destroyed or down for some reason, how should we migrate the unsealing process, if there’s no way to bring it up?

Unfortunately, your Vault is lost.

From Seal/Unseal | Vault by HashiCorp

Note: Recovery keys cannot decrypt the root key, and thus are not sufficient to unseal Vault if the AutoUnseal mechanism isn’t working. They are purely an authorization mechanism.

Personally I was very surprised to read that, and think “recovery keys” is an awful name for them, considering that. I’ve been contemplating filing a GitHub issue about that, but have not yet got around to doing so.

Ohh, then I messed up, as it seems. Thank you for the response, @maxb . Then, even if we have snapshot of main vault ,in my case Vault-1, we can’t migrate as I understood. Can you please clarify with this?

In my prod environment, the same setup is there. One is autosealing the other. SO, if something happens with unsealing Vault, snapshots aren’t going to help, right?

Indeed, data inside a snapshot, is still encrypted using the key that was lost with vault-2.

1 Like

Thank you for the response @maxb . :slightly_smiling_face: