Not able to unseal the vault in transit mode

luoyan35714 · August 18, 2021, 5:56am

Hi Team,
I am not able to unseal the vault in transit mode if vault1 is down(vault1 has been removed due to some architecture design issue).
Is there any solution to recover all of the data back without vault 1?

Here’s the link I am following

Thanks,
Freud

mikegreen · August 18, 2021, 3:11pm

You’ll need to restore the transit unseal server (Vault1 it sounds like) to unseal a cluster that relies on it for unsealing. If you don’t have a backup of the vault1 cluster, anything relying on that cluster to unseal is going to be lost.

luoyan35714 · August 23, 2021, 1:18am

Thanks, Mike! This seems to be the only way we can choose.

rgevaert · August 23, 2021, 12:06pm

@luoyan35714 if you want to go down that route I would advise that you set up a vault cluster instead of one vault server to be used as unseal.

Think about the overhead it all causes. I was planning to implement it that way too, but in the end after discussing with the operations team we decided to do manual unseal.

Note that your vault1 still needs to be manually unsealed.

So your other choices are:

manual unseal
use a HSM for unsealing
auto unseal through AWS/Azure KMS

Topic		Replies	Views
Auto-Unseal to Shamir, as Vault destroyed Vault vault	4	441	May 6, 2022
How to unseal vault server after raft snapshot restore? Vault	7	1373	June 5, 2022
2 Vault Clusters with Auto-Unseal (Transit secrets engine) Vault vault	3	26	January 2, 2025
How to setup Vault Transit Engine in HA Vault	5	352	November 3, 2021
Loss of Transit Node/Key Vault	6	968	January 17, 2022

Not able to unseal the vault in transit mode

Related topics