I’m running an OSS Vault server with Consul backend on a Kubernetes cluster. We are using AWS KMS keys for auto-unseal. It’s possible that the “recovery keys” created when the Vault server was launched were never recorded. We have a root token, but not the recovery keys.
Is it possible to regenerate recovery keys while I have the Vault server unsealed with my KMS key? (I’m afraid the answer to this is probably “no.”)
Reason: I’m trying to replicate a Vault server to another AWS region and account to anticipate failure of an AWS region and specifically of the KMS key that it’s married to. My approach is to do a backup/key migration to Shamir keys such that I can create my DR Vault server elsewhere and start it /without/ auto-unseal using those Shamir keys.
I’m very much struggling with a way to replicate or preserve Vault data if the KMS key is unavailable. All of the mechanisms I’ve found (rekeying with a custom KMS key, converting to Shamir keys, etc.) involve disabling KMS temporarily and using recovery keys, which I don’t currently have.
Indeed, you are not able to generate new recovery keys from Vault in your situation, because the rekey process requires the recovery keys for security reasons. Since you don’t have them, rekeying Vault isn’t an option for you, unfortunately. The way to solve this situation is to extract your secrets from Vault and then manually move them to a new Vault cluster. That’s not an easy process: Vault doesn’t have an option to mass export secrets, so it can be tedious unless you write a script for this.
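The kind of migration script the answer refers to, as an added example that is not code from this thread or from HashiCorp: it walks a KV v2 mount through Vault's HTTP API (list on `metadata/`, read and write on `data/`) using the token you already hold, and writes the latest version of each secret into the new cluster. The mount name `secret`, the `fake_vault` stand-in and its sample paths are constructed so the dry run works offline; against real clusters you pass `http_client(...)` for both sides.

```python
import json
import urllib.request

def kv_walk(get_json, mount, prefix=""):
    """Yield every leaf secret path under prefix on a KV v2 mount."""
    listing = get_json(f"/v1/{mount}/metadata/{prefix}?list=true")
    for key in listing["data"]["keys"]:
        if key.endswith("/"):          # a folder entry: descend into it
            yield from kv_walk(get_json, mount, prefix + key)
        else:
            yield prefix + key

def copy_kv(src_get, dst_post, mount, prefix=""):
    """Copy the latest version of each secret; returns the paths copied."""
    copied = []
    for path in kv_walk(src_get, mount, prefix):
        body = src_get(f"/v1/{mount}/data/{path}")
        dst_post(f"/v1/{mount}/data/{path}", {"data": body["data"]["data"]})
        copied.append(path)
    return copied

def http_client(addr, token):
    """GET/POST helper for a real Vault at addr, e.g. https://vault:8200."""
    def call(url, payload=None):
        data = None if payload is None else json.dumps(payload).encode()
        req = urllib.request.Request(addr + url, data=data,
                                     headers={"X-Vault-Token": token})
        with urllib.request.urlopen(req) as resp:   # POST when data is set
            return json.load(resp)
    return call, call

def fake_vault(store):
    """In-memory stand-in for a KV v2 mount (constructed for the dry run)."""
    def get(url):
        kind, sub = url.split("/", 3)[3].split("/", 1)
        sub = sub.split("?")[0]                     # drop ?list=true
        if kind == "metadata":
            keys = set()
            for p in (p for p in store if p.startswith(sub)):
                tail = p[len(sub):]
                keys.add(tail.split("/")[0] + "/" if "/" in tail else tail)
            return {"data": {"keys": sorted(keys)}}
        return {"data": {"data": store[sub]}}
    def post(url, payload):
        store[url.split("/", 3)[3].split("/", 1)[1]] = payload["data"]
    return get, post

if __name__ == "__main__":   # constructed sample data for the dry run
    src_get, _ = fake_vault({"app/db": {"user": "u", "pw": "p"},
                             "app/api/key": {"t": "1"}, "top": {"x": "y"}})
    _, dst_post = fake_vault(target := {})
    print(copy_kv(src_get, dst_post, "secret"), target)
```

Secret versions and metadata are not carried over, and an empty folder returns 404 from the list endpoint, so a production run should catch that and treat it as no keys.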