Hello team, we installed the HC Vault OSS version on our EKS cluster to be used for secret management. It uses an S3 backend with autoseal KMS.
I am working on DR planning with a backup and restore strategy. The problem that I am facing is that while I am backing up the whole “vault” namespace using Velero and can also restore it successfully, the vault is not running post restore and complains about the unseal method. This is understandable since the KMS key used to encrypt the master key exists in the primary region and the DR region will have the new KMS key. The auto-unseal will not work with this new KMS key created in the DR region, and hence gives us the error.
I am reaching out here to understand if someone has done something like this, or if I can get any advice on how to go about this approach, or which approach should be used.
Thanks in advance.