How to Setup Vault HA DR

usrsimpleang · October 19, 2021, 10:14pm

Is there a document which I can use to guide me through the process of setting up vault in a DR mode without Enterprise license? Or is Enterprise License mandatory?

aram · October 19, 2021, 11:54pm

DR requires Enterprise license.

usrsimpleang · October 20, 2021, 1:24am

thank you Aram. If I have a auto unseal feature enabled using a single region kms key, how can I use a multi region kms key to unseal the cluster? I would like to stop using the single region kms key so that I can get a disaster replication solution.

aram · October 20, 2021, 7:03am

I honestly had no idea AWS had released multi-regional keys, but looking at the documentation the API endpoints are exactly the same, so Vault shouldn’t care if it’s a regional or multi-regional. Obviously I haven’t tested it out but I will in my home lab tonight.

usrsimpleang · October 20, 2021, 10:52am

I already have auto unseal setup with a kms key. How do I use another key to auto unseal. Is there a specific process to decrypt the master key with another kms key. For e.g. move to shamir by disabling the seal. Then moving back to seal but this time with the new kms key.

aram · October 20, 2021, 3:17pm

You can’t have multiple KMS keys defined. You can within AWS itself duplicate the key into multiple regions as backup but Vault can only point to one of them at a time.

usrsimpleang · October 20, 2021, 8:27pm

I want to revert to another key. Get rid of the first one. I want to basically replace the current key with a new one. I created a multi region key which I would like to use.

aram · October 20, 2021, 8:40pm

I don’t believe the migrate command support cloud to cloud migration. You would have to migrate back from aws to shamir then migrate again from shamir to the new key in the new region.

usrsimpleang · October 21, 2021, 1:56pm

ah ok. so disabled autounseal and migrate to shamir…then enable autounseal. shnorakalutyun aram.

usrsimpleang · October 22, 2021, 4:58am

got it done…Do you know why the vault listner is trying to connect to port 444? I dont see that port being used on the leader

aram · October 22, 2021, 8:40am

Check your config and startup, 444 is not a normal port that Vault would listen or talk on.

usrsimpleang · October 22, 2021, 2:36pm

 api_addr = "https://vault01.some-domain.com"
  storage "dynamodb" {

      max_parallel = "128"

      region = "us-west-2"

      table = "some_table_name"
        ha_enabled = true
  }
  ui = "true"
  listener "tcp" {

      address = "0.0.0.0:8200"

      tls_cert_file = "/opt/vault/tls/vault.crt"

      tls_disable = "0"

      tls_key_file = "/opt/vault/tls/vault.key"
      }
seal "awskms" {
  region = "us-west-2"
  kms_key_id = "mrk-multi-regional-key"
}

This is my vault config file. Not sure why I get these error

Oct 22 04:41:04 i-0fa34c92a2441f8a4 vault[13703]: 2021-10-22T04:41:04.037Z [DEBUG] core: forwarding: error sending echo request to active node: error="rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp 10.20.6.27:444: i/o timeout""