Hi,
If I have a Vault setup and have the recovery key and rebuild a new Vault, will it still decrypt data that was encrypted by the transit secrets engine? In other words, is the encryption engine's secret key generation hierarchical deterministic?
No, it is not.
When using auto-unseal, even after a restore from backup, the original auto-unseal method must still be online and accessible to unseal Vault.
The recovery key cannot recover the data.
(I think this makes it dangerously misnamed, personally.)
What this means is that to recover I would need the backup?
Backup of what?
I don’t understand what you’re asking.
Back up the database of the Vault. I know all the docs say use Consul, but the more recent ones only say that flat file storage is OK.
You just introduced a lot of new concepts, and I’m finding it hard to understand you still.
Vault can use various different storage backends, and in your last message, I think you mentioned 3 different ones.
Vault has no database of its own unless you are using the Integrated Storage (Raft) backend.
Consul is another option, the traditional one. When using Consul, all the data is stored in Consul and that is what you back up.
There is also a flat file backend: https://www.vaultproject.io/docs/configuration/storage/filesystem. Do take care that until Vault 1.11.1 / 1.10.5 / 1.9.8, it contained a serious bug which could leave the Vault data unrecoverable (see "Fix keyring file missing after Vault restart", hashicorp/vault Pull Request #15946 on GitHub).
Whichever storage backend you end up using, if you're using auto-unseal (e.g. via transit), a backup is NOT ENOUGH to recover. You also need the original auto-unseal method to still exist and be working, or your backup CANNOT be decrypted.
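A pre-backup check that applies the rules from this thread, added here as an example and not code from the thread or from HashiCorp: it reads the JSON that `vault status -format=json` prints (the `type`, `recovery_seal`, `storage_type` and `version` fields are real), reports what must be backed up for the storage backend in use, flags that an external seal must survive when auto-unseal is active, and flags the filesystem-backend keyring bug for versions before the fix releases named above. The sample status document is constructed, and treating minors older than 1.9 as affected is a conservative assumption.

```python
"""Decide what a Vault backup must include, from `vault status -format=json` output."""
import json

# Fix releases for the filesystem-backend keyring bug, as given in the thread.
FILE_BACKEND_FIXED = {9: (1, 9, 8), 10: (1, 10, 5), 11: (1, 11, 1)}

# Constructed sample: a Raft cluster that auto-unseals via a transit seal.
SAMPLE_STATUS = json.dumps({
    "type": "transit", "initialized": True, "sealed": False,
    "recovery_seal": True, "storage_type": "raft", "version": "1.10.3",
})

def parse_version(v):
    """'1.10.3+ent' -> (1, 10, 3); build metadata and pre-release tags are ignored."""
    core = v.split("+")[0].split("-")[0]
    return tuple(int(p) for p in core.split("."))

def file_backend_affected(v):
    """True if this version predates the fix for the filesystem keyring bug."""
    ver = parse_version(v)
    if ver[0] != 1:
        return False
    fixed = FILE_BACKEND_FIXED.get(ver[1])
    if fixed is None:
        # Minors before 1.9 are treated as affected (assumption); 1.12+ are fixed.
        return ver < (1, 9, 8)
    return ver < fixed

def backup_requirements(status_json):
    """Return what a usable backup needs for the cluster described by `status_json`."""
    s = json.loads(status_json)
    storage = s.get("storage_type")
    artifact = {
        "raft": "vault operator raft snapshot save <file>",
        "consul": "consul snapshot save <file> (Vault data lives in Consul)",
        "file": "copy of the storage path directory, taken while Vault is stopped",
    }.get(storage, f"backup of the '{storage}' backend's own data")
    req = {"storage_backup": artifact, "external_seal_required": False, "warnings": []}
    # Any seal other than shamir is auto-unseal: recovery keys cannot decrypt the data.
    if s.get("recovery_seal") or s.get("type") not in (None, "shamir"):
        req["external_seal_required"] = True
        req["seal_type"] = s.get("type")
        req["warnings"].append(
            f"auto-unseal ({s.get('type')}): the backup cannot be decrypted unless the "
            "original seal (e.g. the transit key in the unsealing Vault) still exists")
    if storage == "file" and file_backend_affected(s.get("version", "0.0.0")):
        req["warnings"].append(
            "filesystem backend before 1.11.1/1.10.5/1.9.8: keyring-loss bug, upgrade first")
    return req
```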