Error unsealing: Error making API request * failed to decrypt encrypted stored keys

Hello team,

We are having issues unsealing Vault after upgrading it from version 1.5.2 to 1.9.2.

/ $ vault operator unseal
Unseal Key (will be hidden):
Error unsealing: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/sys/unseal
Code: 500. Errors:

  • failed to decrypt encrypted stored keys: cipher: message authentication failed

You did not mention it, but cross-referencing the specific wording of this error with the source code indicates you are using an auto-unseal setup.

This means Vault should have auto-unsealed at startup - if it did not, the recovery keys alone cannot unseal it, so your first priority should be to fix the auto-unseal setup and restart the Vault process.

Secondly, I believe this error message is indicating incorrect recovery keys have been supplied.

Are you trying to unseal your cluster using Recovery Keys or Unseal Keys? If you migrate your seal into an auto-unseal … your keys are no longer “unseal keys”; they become “recovery keys”, which are used for operational tokens and root key generation. To unseal, you need to point your Vault config to wherever you stored your unseal key (transit or cloud).

Thanks for the responses. We were trying to unseal it post-upgrade from 1.5.2 to 1.9.2. We found that the Vault config values had changed - Storage Type to “file” instead of “raft” and HA Enabled to “false” instead of “true” - causing this issue. Once we updated the config file we were able to unseal Vault. Is this a common issue with the Vault config post-upgrade that needs a reset to the original values? It looked like Vault went out of HA and the cluster was broken.

No, that’s not something Vault does. The most likely scenario has to do with how you installed Vault. If you used a package manager to install it and did not maintain your own config, it’s certainly possible. I normally just install the binary and manage the config and service files myself, or roll my own package if I need to distribute it.

Raft is what you want as your backend. You can’t use “file” as a backend with HA.
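For reference, here is what the server config the thread converges on looks like: integrated storage (raft) for HA instead of the single-node "file" backend, plus a seal stanza so Vault can auto-unseal at startup. This is an added example, not the original poster's config or anything from the Vault project; the paths, node_id, addresses, token and transit key name are placeholders (assumptions). The listener address matches the http://127.0.0.1:8200 URL in the error output above.

```hcl
# Added example config (not from the thread). Paths, node_id, addresses,
# token and key_name are placeholder assumptions.

# What the poster found after the upgrade: a "file" storage stanza. The file
# backend is single-node only and cannot be used with HA, which is why the
# cluster appeared broken. Shown commented out for contrast.
# storage "file" {
#   path = "/opt/vault/data"
# }

# Integrated storage (raft): supports HA. Raft requires api_addr and
# cluster_addr to be set (see bottom of file).
storage "raft" {
  path    = "/opt/vault/data"   # assumption: data directory
  node_id = "vault-1"           # assumption: unique per node
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true   # matches the http:// URL in the error; use TLS in production
}

# Auto-unseal via the transit engine of another Vault. With a seal stanza
# present the operator holds recovery keys, not unseal keys, so the seal
# must be reachable and correct for the process to unseal itself at start.
seal "transit" {
  address    = "https://transit.example.internal:8200"  # assumption
  token      = "s.REPLACE_WITH_TRANSIT_TOKEN"           # assumption: token limited to this key
  key_name   = "vault-autounseal"                       # assumption
  mount_path = "transit/"
}

api_addr     = "http://127.0.0.1:8200"
cluster_addr = "http://127.0.0.1:8201"
```

After restarting with the corrected config, `vault status` should report `Seal Type` as the configured seal, `Recovery Seal true`, `Storage Type raft` and `HA Enabled true`; if `Sealed` is still `true`, the seal stanza (address, token or key) is what needs fixing, not the keys being typed into `vault operator unseal`.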