Move Vault installation between servers


I am migrating to new physical server and I need to migrate Vault (v1.3.2) along with it’s backend to the new machine (debian 10). I have already moved the backend (postresql database) and downloaded the vault binary there.

The problem is, if I try to unseal the vault on the new machine, I get core: post-unseal setup failed: error="failed to read request counters: decryption failed: cipher: message authentication failed"

Note that the same unseal keys work on the old server just fine

If I truncate the postgresql table and initilialize the vault on the new server, then the new unseal keys work like a charm, but now I have no data.

I assume that bluntly copying rows from the old database would be no good, as the values wouldn’t be decrypted

My question is: how do I migrate vault with the old data (and preferably old unseal keys) to the new server - are there some hidden or no-so-hidden files I need to copy over so that the unseal process will work?

Or is there any recommended guide that I missed?



Hi @minpet!

The error you’ve mentioned indicates that data was lost or has been moved to a different path within your database.

I recommend to have a look at the migration command from Vault:
This command allows you to migrate your existing data to a different storage backend.


Hi @michelvocks, thanks for the advice, using the operator migrate command I was able to migrate to new db and the vault can be unsealed on the new server now, I guess some data got corrupted during database migration