How to restore raft snapshot (from a vault with AWS KMS auto-unseal) on a fresh vault server

i’m facing some troubles while trying to restore a backup from an vault server (raft storage) which was initially created with AWS KMS auto-unseal on a new server to verify if my backup is working.
Because i’m using AWS KMS auto-unseal for my production server i only have recovery-keys available and no unseal-key.

I tried following steps:

  • run helm chart in my minikube
helm install vault hashicorp/vault --values config.yml
  • copy my backup from s3 to the new vault pod
  • do init
    vault operator init
  • save root token and unseal keys
  • do unseal
    vault operator unseal
  • try to restore my backup
    vault operator raft snapshot restore -force dev_vault.snap
  • unseal the backup
Error unsealing: Error making API request.

Code: 500. Errors:

* unable to retrieve stored keys: failed to decrypt keys from storage: cipher: message authentication failed

Any idea how to get my backup running?

The snapshot contains Data Encryption Key, which is encrypted by the aws KMS. If your vault running on minikube doesn’t have access to that KMS, the newly restored vault will not unseal.

This is designed to protect the snapshot.

1 Like

How should be the new server be created? Which config for vault server should i us? with

seal "awskms" {
region     = "us-east-1"
kms_key_id = "sssssssssss"

or not?

I tried it with the commands above but without success. Or should i do it in a different way?

Yes, you must copy the awskms seal block from the configuration of the original Vault server from which the backup was taken, to the one where you want to restore.

in addition to the kms seal config, you also need to provide aws credencial that allow the minikube pod to access that kms…