Hello,
I'm facing some trouble while trying to restore a backup from a Vault server (raft storage), which was initially created with AWS KMS auto-unseal, on a new server to verify that my backup is working.
Because I'm using AWS KMS auto-unseal for my production server, I only have recovery-keys available and no unseal-key.
I tried the following steps:
- run helm chart in my minikube
helm install vault hashicorp/vault --values config.yml
- copy my backup from s3 to the new vault pod
- do init
vault operator init
- save root token and unseal keys
- do unseal
vault operator unseal
- try to restore my backup
vault operator raft snapshot restore -force dev_vault.snap
- unseal the backup
Error unsealing: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/sys/unseal
Code: 500. Errors:
* unable to retrieve stored keys: failed to decrypt keys from storage: cipher: message authentication failed
Any idea how to get my backup running?