How to Setup Vault HA DR

Is there a document which I can use to guide me through the process of setting up vault in a DR mode without Enterprise license? Or is Enterprise License mandatory?

DR requires Enterprise license.

Thank you, Aram. If I have an auto unseal feature enabled using a single region KMS key, how can I use a multi region KMS key to unseal the cluster? I would like to stop using the single region KMS key so that I can get a disaster replication solution.

I honestly had no idea AWS had released multi-regional keys, but looking at the documentation the API endpoints are exactly the same, so Vault shouldn’t care if it’s a regional or multi-regional. Obviously I haven’t tested it out but I will in my home lab tonight.

I already have auto unseal set up with a KMS key. How do I use another key to auto unseal? Is there a specific process to decrypt the master key with another KMS key? For example, move to Shamir by disabling the seal, then move back to the seal, but this time with the new KMS key.

You can’t have multiple KMS keys defined. You can within AWS itself duplicate the key into multiple regions as backup but Vault can only point to one of them at a time.

I want to revert to another key. Get rid of the first one. I want to basically replace the current key with a new one. I created a multi region key which I would like to use.

I don’t believe the migrate command supports cloud to cloud migration. You would have to migrate back from AWS to Shamir, then migrate again from Shamir to the new key in the new region.
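
The two-step migration described in the answer above, as an added example that is not part of the original thread: the `seal` stanza as it would look at each step, with the unseal command shown in comments. The old key ID is a placeholder; the region and the new key ID are the ones in the config posted later in the thread, and the two stanzas are successive states of the same file, not one file.

```hcl
# --- Step 1: awskms -> Shamir -------------------------------------------
# Keep the existing stanza, mark it disabled, then restart Vault.
# The old KMS key must still be usable by Vault (kms:Decrypt) at this point.
seal "awskms" {
  region     = "us-west-2"
  kms_key_id = "OLD-SINGLE-REGION-KEY-ID" # placeholder, not from the thread
  disabled   = "true"
}
# Vault comes back sealed. Enter recovery keys until the threshold is met:
#   vault operator unseal -migrate
# The recovery keys now serve as Shamir unseal keys.

# --- Step 2: Shamir -> new awskms key -----------------------------------
# Replace the disabled stanza with the new key, then restart Vault again.
# Vault's IAM identity needs kms:Encrypt, kms:Decrypt and kms:DescribeKey
# on the new key before this restart.
seal "awskms" {
  region     = "us-west-2"
  kms_key_id = "mrk-multi-regional-key"
}
# Vault comes back sealed. Enter the Shamir keys from step 1:
#   vault operator unseal -migrate
# They become recovery keys again. Confirm the result:
#   vault status    # "Seal Type" should read awskms
```

Only retire the old KMS key after step 2 has completed on every node and a restart has confirmed that Vault unseals with the new key.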

Ah, OK. So disable auto unseal and migrate to Shamir… then enable auto unseal. Thank you, Aram.

Got it done… Do you know why the Vault listener is trying to connect to port 444? I don't see that port being used on the leader.

Check your config and startup, 444 is not a normal port that Vault would listen or talk on.

    api_addr = ""

    storage "dynamodb" {
      max_parallel = "128"
      region       = "us-west-2"
      table        = "some_table_name"
      ha_enabled   = true
    }

    ui = "true"

    listener "tcp" {
      address       = ""
      tls_cert_file = "/opt/vault/tls/vault.crt"
      tls_disable   = "0"
      tls_key_file  = "/opt/vault/tls/vault.key"
    }

    seal "awskms" {
      region     = "us-west-2"
      kms_key_id = "mrk-multi-regional-key"
    }

This is my Vault config file. Not sure why I get these errors:

Oct 22 04:41:04 i-0fa34c92a2441f8a4 vault[13703]: 2021-10-22T04:41:04.037Z [DEBUG] core: forwarding: error sending echo request to active node: error="rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp i/o timeout""