Is Vault auto unseal a one-way choice?

Good day, everyone

Is it a one-way choice to set up auto unseal?
I set up auto unseal and migrated to the transit seal type.
After that I tried to rotate the transit unseal key, and it is working, except Vault still uses the first version of the transit key.
So I decided to return to the Shamir seal type and got an "invalid key" error if I used my old keys. I tried to export the transit key and use it, but still got "invalid key".

I tested every version since 1.1.0 up to 1.2.3

It is too risky for me to apply auto unseal on production environment without possibilities of rotating unseal keys and unsealing cluster with our keys when transit is not reachable.

UPD: I saw a similar issue on Google Groups. But it seems there is no way to unseal the cluster after migration from Shamir to transit.

Hello Yura,
Certain seals interact differently, and as such you need to perform a seal migration.
As far as I'm aware the seal migration workflow does work from auto-unseal to Shamir. It's worth noting that when you do the migration you need to input every key with -migrate in order for the process to work. This is designed so the key holders are aware and acknowledge the fact that the seal will be migrated (and to avoid a potential hijack of the seal key).

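The auto-unseal-to-Shamir migration described in the reply, written up as an added POSIX shell example (not code from the thread or from HashiCorp). It assumes `vault` is on PATH, `VAULT_ADDR` points at the node, and the server config still carries its transit seal stanza; the address and key name in the stanza are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes VAULT_ADDR is set,
# `vault` is on PATH and the cluster currently uses the transit seal.

# 1) Keep the transit stanza in the server config but mark it disabled,
#    then restart Vault. It comes up sealed and accepts `unseal -migrate`.
#    address and key_name are placeholders, not values from the thread.
disabled_transit_stanza() {
  cat <<'EOF'
seal "transit" {
  address    = "https://transit.example.internal:8200"
  key_name   = "autounseal-key"
  mount_path = "transit/"
  disabled   = "true"
}
EOF
}

# 2) Feed the recovery keys (one per line in $1), every one of them with
#    -migrate, and stop as soon as `vault status` reports the node unsealed.
#    Returns 0 once the threshold is met and the seal is migrated, 1 otherwise.
migrate_to_shamir() {
  keys_file=$1
  fed=0
  while IFS= read -r key || [ -n "$key" ]; do
    [ -n "$key" ] || continue
    vault operator unseal -migrate "$key" >/dev/null || return 1
    fed=$((fed + 1))
    # `vault status` exits non-zero while sealed; the pipeline's status is grep's.
    if vault status -format=json | grep -q '"sealed": *false'; then
      echo "unsealed after $fed key(s); seal migrated to shamir"
      return 0
    fi
  done < "$keys_file"
  echo "still sealed after $fed key(s): threshold not met" >&2
  return 1
}

# Usage, once Vault has been restarted with the disabled stanza in place:
# disabled_transit_stanza >> /etc/vault.d/vault.hcl   # then restart Vault
# migrate_to_shamir /path/to/recovery-keys.txt
```

After a successful migration the former recovery keys are the Shamir unseal keys, so keep them with the same care as the original key shares.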

Thank you, Nicolas.
We will set an auto unseal cluster

Bear in mind that if you are switching between different automatic seals (i.e. KMS to Azure Key Vault) I think you need to do an intermediate step through Shamir.
