Missing recovery token of Vault deployed auto-unseal with AWS KMS


We have a vault cluster with Raft storage. The cluster has been deployed with auto-unseal using AWS KMS.

When the cluster initialized, the recover key was not stored. According to the documentation, we need recovery key in some how! is there any way to recover recovery key?


As far as I’m aware the recovery key is not recoverable or rotatable without the original key.

1 Like

As @jeffsanicola said, no there is not. Further, I would highly suggest exporting all of your data as quickly as you can and re-initilize your Vault – having those keys available and backed up and backed up again is very important.

Thanks @jeffsanicola and @aram.
But as we don’t have recover key, how I can re-initialize vault?
Because after restoring from backup, again Vault uses the original Root Token and Recover Key!

Do you mean manually export all data from Vault and then re-initiate Vault again and finally import all data manually again?

You can’t do a restore from backup (as you said you would end up needed your keys again).

You have to “export” your secrets and re-import them after. Before you ask there is no “export/import” tool you would have to write something bash, python, etc… to save your secrets from various mounts/engine types and do the reverse after re-init.

1 Like