Auto-unseal with KMS -recovery-shares=1 or more?

I noticed that in the auto-unseal tutorial for AWS and GCP, recovery-shares was set to 1, but in Azure it was at default (5). Was this just arbitrary, or is 1 really required for AWS and GCP?

What is the recommendation? Would be helpful to mention the reason for recovery-shares=1 in the tutorial. My guess is it’s gonna be auto-unsealed anyway, no point having too many recovery keys unless explicit company policy.


I think it was just arbitrary, as recovery keys are separate from unseal keys. This distinction was clearer (to me) in the seal migration documentation: