Decrypting the data directly from the backend DB? Or topics related to disaster recovery


As I read the architecture doc, I read:

When the Vault is initialized it generates an encryption key which is used to protect all the data. That key is protected by a master key.

  1. Per my understanding, I assume this encryption key will be used when Vault writes the data to the backend DB (such as Postgres). Thus we can essentially decrypt the encrypted data in the DB using this encryption key (if we have it). Is that true?

  2. This leads to another query: is there any way to get this encryption key in some extreme case? I am thinking of a disaster case where we have fully lost Vault but still have the master key and the backend data (a simple table with 4 columns: parent_path, path, key, value). Is there any way to decrypt this data? Is there any doc about this kind of situation?

  3. Or let me ask the question in another way: if we have the master key and the data in the backend storage, does Vault have any tool to recover the data for us?

Thanks a lot.
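
The key hierarchy in the quoted architecture text, as a simplified model (an added example, not part of the original post and not Vault's own code or storage format): a master key wraps the encryption key, and the encryption key protects each stored value. AES-256-GCM, the `nonce || ciphertext || tag` layout, the sample row and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const NONCE_LEN = 12; // standard GCM nonce size
const TAG_LEN = 16;   // GCM authentication tag size

// seal encrypts under a 32-byte key and returns nonce || ciphertext || tag.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(NONCE_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]);
}

// open reverses seal; it throws on a wrong key, truncation or tampering.
function open(key, blob) {
  if (blob.length < NONCE_LEN + TAG_LEN) throw new Error('blob too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, NONCE_LEN));
  decipher.setAuthTag(blob.subarray(blob.length - TAG_LEN));
  const body = blob.subarray(NONCE_LEN, blob.length - TAG_LEN);
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// recoverValue walks the hierarchy: master key -> encryption key -> stored value.
function recoverValue(masterKey, wrappedKey, storedValue) {
  let encryptionKey;
  try {
    encryptionKey = open(masterKey, wrappedKey);
  } catch (err) {
    throw new Error(`cannot unwrap encryption key: ${err.message}`);
  }
  return open(encryptionKey, storedValue);
}

// Constructed sample: random keys and one row shaped like the table in the post.
const sampleMaster = crypto.randomBytes(32);
const sampleEncKey = crypto.randomBytes(32);
const sampleWrapped = seal(sampleMaster, sampleEncKey);
const sampleRow = {
  parent_path: '/secret/', path: '/secret/app', key: 'db',
  value: seal(sampleEncKey, 'constructed secret'),
};
console.log(recoverValue(sampleMaster, sampleWrapped, sampleRow.value).toString());
```

In this model the stored rows are only recoverable together with the wrapped encryption key, so a backup that omits it leaves the master key with nothing to unwrap.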