I’m running a OSS Vault server with Consul backend on a kubernetes cluster. We are using AWS KMS keys for auto-unseal. It’s possible that the “recovery keys” created when the Vault server was launched were never recorded. We have a root token, but not the recovery keys.
Is it possible to regenerate recovery keys while I have the Vault server unsealed with my KMS key? (I’m afraid the answer to this is probably “no.”)
Reason: I’m trying to do replicate a Vault server to another AWS region and account to anticipate failure of AWS region and specifically the KMS key that it’s married to. My approach is to do a backup/key migration to Shamir keys such that I can create my DR Vault server elsewhere and start it /without/ auto-unseal using those Shamir keys.
I’m very much struggling with a way to replicate or preserve Vault data if the KMS key is unavailable. All of the mechanisms I’ve found (rekeying with custom KMS key, converting to shamir keys, etc.) involve disabling KMS temporarily and using recovery keys, which I don’t currently have.