Failed to decrypt encrypted stored keys after consul snapshot restore


So basically, I have set up an architecture with Consul/Vault in a kubernetes cluster within AWS. My vault auto unseals with AWS KMS when the pods start.

Recently I’ve done some testing around backing up vault using consul snapshot.

The scenario I tested is:

  1. First taking snapshot of vault consul snapshot save
  2. Then removing vault doing consul kv delete -recurse vault/
  3. Removing vault statefulsets and pods
  4. consul snapshot restore
  5. Finally re-create vault statefulsets


I got an error 500 on the third key during the auto unseal that says:
body {“errors”:[“failed to decrypt encrypted stored keys: cipher: message authentication failed”]}

It turns out after a consul snapshot restore my unsealed keys are not valid anymore.

I tried that another test where I don’t clean the vault with command kv delete -recurse vault/
I basically just remove a couple of policies in the UI and the restore. That scenario seems to work correctly, it’s only when I restore from “scratch”, that my vault cannot unseal anymore.

could somebody give me some hint please ?

I’ve finally fixed the problem

After fixing the followings my vault was able to be unsealed again:

  1. Duplicate Node IDs :
  2. Consul server Has to be given ACL token with sufficient rights

For the first issue, I’ve reused a ruby script and added it to the consul docker image to generate a permanent node id for each consul.

Regarding the second issue, my ACL policy for the agent was not giving required permission for the agent to make necessary updates.