How do I migrate data from existing Vault to new Vault (raft to raft)?

Existing setup is:
Vault running in EKS cluster (OSS version 1.8.4) with raft backend and manual unseal (5 unseal keys + root token).

New setup:
Vault in EKS Cluster (Enterprise version 1.10.0+ent) with raft backend and AWS KMS Auto-unseal.

How can I migrate data from existing vault to new vault in this scenario?

Vault 1.10.0 and 1.10.1 both have reported regression bugs. Strongly consider updating to 1.10.2 before migrating.

I’ve never had to do exactly this, but here are some thoughts on where I’d start:

As this is a Raft to Raft migration, I’d first try to do it by saving a snapshot from the old cluster, and loading it into the new cluster. This seems like it could potentially be easier and faster than the generic storage migration process between arbitrary backends. (Do test that, though!)

I’m pretty sure you need to split your migration into two separate migrations:

  • Migrating from one cluster to another
  • Migrating from one seal to another

So, for example, get the new cluster up and running using your old data but manual unseal, and only once that’s finished, look into migrating to AWS KMS auto-unseal.

Or the other way around, if you prefer: migrate the old cluster to AWS KMS auto-unseal first. Just don’t try to move the data and change the seal at the same time.

There are multiple options. I have tried all of them at various times with various versions; I’d recommend using the same version, then upgrading to the latest version you’re going to go to production with.

Before you implement, talk to your HashiCorp TAM; they can possibly set up time with someone who can review your steps before you start and point out any pitfalls.

My choice is #1, but it involves downtime; #2 can be done with very little downtime but is a lot more complex and has “watch out for” pits.

Two options:

Option 1:

  1. Migrate from auto-unseal to Shamir.
  2. Back up on OSS.
  3. Restore on Enterprise.
  4. Rotate your keys.
  5. Migrate from Shamir to auto-unseal.

Option 2 (if you have direct connectivity over tcp/443):

  1. Back up.
  2. Use your Vault Enterprise binary on your OSS install; it’ll be upgraded to Enterprise.
  3. Set up a DR connection between the two clusters.
  4. Promote the new cluster to primary.
  5. Demote the old cluster, delete, and remove.
  6. Rotate your keys.

Good luck; update us on how you ended up doing it.
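As an added example (not code from this thread or from HashiCorp), here is a small POSIX shell wrapper around the sequence the first reply recommends and steps 2 to 5 of Option 1 above: raft snapshot out of the old Shamir-sealed cluster, restore into the new cluster, and only afterwards a separate Shamir to AWS KMS seal migration. OLD_VAULT_ADDR, NEW_VAULT_ADDR and RUN_MIGRATION are assumed, operator-chosen variable names, and a VAULT_TOKEN with access to the operator endpoints is assumed to be set.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the CLI steps the replies describe:
# raft snapshot out of the old (Shamir) cluster, restore into the new cluster,
# and only afterwards a separate Shamir -> AWS KMS seal migration.
# Assumes the vault CLI plus OLD_VAULT_ADDR / NEW_VAULT_ADDR (hypothetical names)
# and a VAULT_TOKEN with permission for the operator endpoints.
set -eu

# Version floor the first reply recommends (1.10.2).
MIN_VERSION="1.10.2"
# version_ok "v1.10.2+ent" -> exit 0 if the version is >= MIN_VERSION, else 1.
version_ok() {
  v=${1#v}; v=${v%%+*}                       # strip leading "v" and "+ent"
  awk -v have="$v" -v want="$MIN_VERSION" 'BEGIN {
    split(have, h, "."); split(want, w, ".")
    for (i = 1; i <= 3; i++) {
      if (h[i] + 0 > w[i] + 0) exit 0
      if (h[i] + 0 < w[i] + 0) exit 1
    }
    exit 0 }'
}

# Step 1: snapshot the old cluster (it must be unsealed).
snapshot_save() {
  VAULT_ADDR="$OLD_VAULT_ADDR" vault operator raft snapshot save "$1"
}

# Step 2: restore into the new cluster. -force is required for a snapshot from
# a different cluster, and the new cluster then has to be unsealed with the OLD
# cluster's Shamir keys, so run it with a Shamir seal (no awskms stanza yet).
snapshot_restore() {
  VAULT_ADDR="$NEW_VAULT_ADDR" vault operator raft snapshot restore -force "$1"
}

# Step 3, once the data migration is verified: add the awskms seal stanza to the
# new cluster's config, restart Vault, then supply a threshold of the old Shamir
# keys with -migrate. The Shamir keys become recovery keys; rotate them after.
migrate_seal_to_kms() {
  for key in "$@"; do
    VAULT_ADDR="$NEW_VAULT_ADDR" vault operator unseal -migrate "$key"
  done
}

if [ "${RUN_MIGRATION:-0}" = "1" ]; then
  version_ok "$(VAULT_ADDR="$NEW_VAULT_ADDR" vault version | awk '{print $2}')" \
    || { echo "upgrade the new cluster to >= $MIN_VERSION first" >&2; exit 1; }
  snapshot_save old-cluster.snap
  snapshot_restore old-cluster.snap
fi
```

Run the seal step by hand (`migrate_seal_to_kms key1 key2 key3`) only after the restored cluster has been unsealed with the old keys and checked, since the two migrations must not overlap.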

The source cluster is already using a Shamir seal.

Why include this step here?