How to restore raft snapshot (from a vault with AWS KMS auto-unseal) on a fresh vault server

Hello,
I’m facing some trouble while trying to restore a backup from a Vault server (raft storage), which was initially created with AWS KMS auto-unseal, onto a new server to verify that my backup is working.
Because I’m using AWS KMS auto-unseal for my production server, I only have recovery keys available and no unseal key.

I tried the following steps:

  • run the helm chart in my minikube
    helm install vault hashicorp/vault --values config.yml
  • copy my backup from S3 to the new Vault pod
  • do init
    vault operator init
  • save the root token and unseal keys
  • do unseal
    vault operator unseal
  • try to restore my backup
    vault operator raft snapshot restore -force dev_vault.snap
  • unseal the backup
Error unsealing: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/unseal
Code: 500. Errors:

* unable to retrieve stored keys: failed to decrypt keys from storage: cipher: message authentication failed

Any idea how to get my backup running?

The snapshot contains the Data Encryption Key, which is encrypted by AWS KMS. If your Vault running on minikube doesn’t have access to that KMS, the newly restored Vault will not unseal.

This is designed to protect the snapshot.


How should the new server be created? Which config should I use for the Vault server? With

  seal "awskms" {
    region     = "us-east-1"
    kms_key_id = "sssssssssss"
  }

or not?

I tried it with the commands above but without success. Or should i do it in a different way?

Yes, you must copy the awskms seal block from the configuration of the original Vault server from which the backup was taken, to the one where you want to restore.

In addition to the KMS seal config, you also need to provide AWS credentials that allow the minikube pod to access that KMS.
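Putting the two answers together as an added example (not code from the thread or from HashiCorp): the script below copies the `seal "awskms"` stanza out of the original server's config into a config for the restore target and then runs the thread's restore steps. The sample original config, the restore paths and the listener address are constructed assumptions; the vault CLI and AWS credentials for the same KMS key must be available to the restore target.

```shell
# Added example: reuse the original awskms seal stanza on the restore target.
# Assumes: vault CLI on PATH, AWS credentials for the same KMS key exported,
# restore target listening on 127.0.0.1:8200 (all assumptions, not from the thread).
set -eu

# Constructed sample of the original (production) server config, demo only.
write_sample_original_config() {
  cat > "$1" <<'EOF'
storage "raft" {
  path    = "/vault/data"
  node_id = "vault-0"
}
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "REPLACE-WITH-YOUR-KMS-KEY-ID"
}
EOF
}

# Print only the seal "awskms" { ... } stanza of a config file.
extract_awskms_seal() {
  awk '/^seal "awskms"/ {inseal=1} inseal {print} inseal && /^}/ {exit}' "$1"
}

# Return the kms_key_id of a config so both sides can be compared before restoring.
awskms_key_id() {
  extract_awskms_seal "$1" | awk -F'"' '/kms_key_id/ {print $2}'
}

# Render the restore target's config: identical seal stanza, a local raft path.
render_restore_config() {
  orig=$1; out=$2; data=${3:-/tmp/vault-restore}
  {
    printf 'storage "raft" {\n  path    = "%s"\n  node_id = "restore-1"\n}\n' "$data"
    extract_awskms_seal "$orig"
    printf 'listener "tcp" {\n  address     = "127.0.0.1:8200"\n  tls_disable = 1\n}\n'
  } > "$out"
}

# The restore steps from the thread, run against a server that was started with
# the rendered config (vault server -config=<out>). Not invoked automatically.
restore_snapshot() {
  export VAULT_ADDR=http://127.0.0.1:8200
  vault operator init                               # prints recovery keys + root token
  vault operator raft snapshot restore -force "$1"  # unseals via KMS if reachable
  vault status
}
```

If `vault status` still reports sealed after the restore, the KMS key or credentials differ from the original server's, which is the same failure the thread describes.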