Hi,
So basically, I have set up an architecture with Consul/Vault in a Kubernetes cluster within AWS. My Vault auto-unseals with AWS KMS when the pods start.
Recently I've done some testing around backing up Vault using consul snapshot.
The scenario I tested is:
- First taking a snapshot of Vault: consul snapshot save vault.prod.snap
- Then removing the Vault data: consul kv delete -recurse vault/
- Removing the Vault StatefulSets and pods
- Restoring the snapshot: consul snapshot restore vault.prod.snap
- Finally re-creating the Vault StatefulSets
Result:
I got an error 500 on the third key during the auto-unseal that says:
body {"errors":["failed to decrypt encrypted stored keys: cipher: message authentication failed"]}
It turns out that after a consul snapshot restore my unseal keys are not valid anymore.
I tried another test where I don't clean Vault with the command consul kv delete -recurse vault/.
I basically just remove a couple of policies in the UI and then restore. That scenario seems to work correctly; it's only when I restore from "scratch" that my Vault cannot unseal anymore.
Could somebody give me some hints please?