How to get recovery keys when migrating to AWS KMS seal?

Currently Vault is running with Shamir seal. I was able to migrate the seal to AWS KMS in a testing setup but have no idea how to create recovery keys, and the docs are not very helpful either.

Even after upgrading to 1.3.2, which should use the new-style Shamir secret after rekeying, I still can’t generate recovery keys (it says not supported).

Thanks for the help

I believe your existing unseal keys will become recovery keys when you convert to auto-unseal using AWS KMS keys. They will then revert back to unseal keys if you ever turn off auto-unseal later.

I also didn’t find this clear in the documentation at first, but I can confirm this is how it works with GCP auto-unseal, and presumably AWS KMS auto-unseal should be the same.

There does not appear to be any separate mechanism to create recovery keys directly that I could find. They’re just the unseal keys from before the migration to auto-unseal.

Thanks, it works. This is what I tested, for reference:

[I] user@machine ~/t/sawvlt [127]> vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    1
Threshold                1
Version                  1.3.2
Cluster Name             vault-cluster-58216cc6
Cluster ID               0ba495ab-b552-6932-ebca-612db577b519
HA Enabled               false
[I] user@machine ~/t/sawvlt [1]> vault operator generate-root -init
A One-Time-Password has been generated for you and is shown in the OTP field.
You will need this value to decode the resulting root token, so keep it safe.
Nonce         0d5ea983-7243-6508-03d9-8c0a549825b1
Started       true
Progress      0/1
Complete      false
OTP           yMsehT8r7FMLV9IDUNF66HCvU9
OTP Length    26
[I] user@machine ~/t/sawvlt> set -x VAULT_NONCE '0d5ea983-7243-6508-03d9-8c0a549825b1'
[I] user@machine ~/t/sawvlt> set -x VAULT_OTP 'yMsehT8r7FMLV9IDUNF66HCvU9'
[I] user@machine ~/t/sawvlt [1]> vault operator generate-root -nonce=$VAULT_NONCE $VAULT_UNSEAL1
Nonce            0d5ea983-7243-6508-03d9-8c0a549825b1
Started          true
Progress         1/1
Complete         true
Encoded Token    CmNGXQ0RcCVDAAV6IwElCB16IXJYeQ87ZV4
[I] user@machine ~/t/sawvlt> vault operator generate-root -decode=CmNGXQ0RcCVDAAV6IwElCB16IXJYeQ87ZV4 -otp=$VAULT_OTP
[I] user@machine ~/t/sawvlt> set -x VAULT_TOKEN 's.58eEHWtFH6u8lLH4gDn1LM0g'
[I] user@machine ~/t/sawvlt [1]> vault secrets enable kv
Success! Enabled the kv secrets engine at: kv/
[I] user@machine ~/t/sawvlt> vault token lookup
Key                 Value
---                 -----
accessor            Tv0UFTMCqririwXeYS8s8MJw
creation_time       1582869513
creation_ttl        0s
display_name        root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.58eEHWtFH6u8lLH4gDn1LM0g
meta                <nil>
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0s
type                service
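
A check for the outcome described in this thread, as an added example that is not from any of the posters or from the Vault project: it reads `vault status` table output and reports whether the key shares are currently Shamir unseal keys or recovery keys. The function name `classify_seal` is hypothetical, and the "before" sample is constructed (it assumes the pre-migration table uses the rows `Seal Type` and `Total Shares`); the "after" sample reuses rows from the session above.

```shell
#!/bin/sh
# classify_seal (hypothetical helper): read `vault status` table output on
# stdin and print "<kind> <shares> <threshold>", where kind is
#   unseal    - the key shares unseal Vault directly (Shamir seal)
#   recovery  - auto-unseal is active, the key shares are recovery keys
# Returns 1 if Vault is sealed or the expected rows are missing.
classify_seal() {
    awk '
        $1 == "Recovery" && $2 == "Seal" && $3 == "Type" { kind = "recovery" }
        $1 == "Seal" && $2 == "Type"                      { kind = "unseal" }
        $1 == "Sealed"                                    { sealed = $2 }
        $1 == "Total" && $NF ~ /^[0-9]+$/                 { shares = $NF }
        $1 == "Threshold"                                 { threshold = $2 }
        END {
            if (kind == "" || sealed != "false" || shares == "" || threshold == "")
                exit 1
            print kind, shares, threshold
        }
    '
}

# Constructed sample: status before the migration (Shamir seal).
SAMPLE_BEFORE='Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.3.2'

# Status after the migration; rows as shown in the session above.
SAMPLE_AFTER='Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    1
Threshold                1
Version                  1.3.2'

printf '%s\n' "$SAMPLE_BEFORE" | classify_seal
printf '%s\n' "$SAMPLE_AFTER"  | classify_seal
```

Against a live server the same function can be fed with `vault status | classify_seal`; the share count and threshold should match before and after the migration, since the same keys change role.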