OCI KMS unseal working or not?

I have just installed vault in a k8s cluster and I’d like to use the OCI KMS unseal functionality. When logging into the pod I can see the following (before init):

~ $ vault status
Key Value

Recovery Seal Type ocikms
Initialized false
Sealed true
Total Recovery Shares 0
Threshold 0
Unseal Progress 0/0
Unseal Nonce n/a
Version 1.11.4
Build Date 2022-09-23T06:01:14Z
Storage Type oci
HA Enabled true

When running vault operator init I get the following:

~ $ vault operator init
Recovery Key 1: rLnKvNXPLFXyjBuErgDQtGysqHDfopXr+/J6IV1FHPjI
Recovery Key 2: bgSYxVQa/vFty+Pqh+0EJS4mXkwSj997YLcjyFxvk1go
Recovery Key 3: a9Z/44lgAEY10oImzp0ZisQvo19IlaiaWIlH8x16X7BM
Recovery Key 4: 4bRKTml5P5QDZXY2KLC9ZQ8nWUkDpZtZRfwnxaZ3Ul+Q
Recovery Key 5: WNBK+Yj7yP8Y1UnmyomHpdfvCP+IuToYQXpvgxIoAAdS

Initial Root Token: hvs.pHihCj6Vkn3Bo4KnZcGrstqx

Success! Vault is initialized
Recovery key initialized with 5 key shares and a key threshold of 3. Please securely distribute the key shares printed above.

Which tells me that that the unseal process went well. However if I run vault status again I get this which seems wrong as the recovery seal type is Shamir and not ocikms.

~ $ vault status
Key Value

Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares 5
Threshold 3
Version 1.11.4
Build Date 2022-09-23T06:01:14Z
Storage Type oci
Cluster Name vault-cluster-dfc25bbe
Cluster ID 1e5983a9-8128-2b4b-e3fb-6cfe42d174f8
HA Enabled true
HA Cluster https://vault-2.vault-internal:8201
HA Mode standby
Active Node Address

My config looks like this:

seal “ocikms” {
auth_type_api_key = “false”
key_id = “ocid1.key.oc1.iad…”
crypto_endpoint = “https://b5…crypto.kms.us-ashburn-1.oraclecloud.com”
management_endpoint = “https://b5…management.kms.us-ashburn-1.oraclecloud.com”

Why is vault displaying Shamir and not ocikms? And how can I debug that this actually works properly?


Vault is working correctly, but is displaying its status in a really confusing way.

When you use shamir seal as the primary seal, there is no recovery seal.

When you use any auto-unseal method as the primary seal, the recovery seal is always of shamir type.

At this point:

Vault is basically lying to you, or at least excessively abbreviating to the point of being seriously obscure. You could read this as saying “There is a recovery seal of shamir type (because recovery seals always are), and the primary seal type is ocikms”.

After initialising, Vault starts saying:

At which point it means “There is a recovery seal of type shamir”. (And necessarily, some other non-shamir primary seal, otherwise recovery wouldn’t be mentioned.)

Basically it’s just a case of bad UI.

The best way of testing auto-unseal is really working would be to just restart a Vault node, and confirm it manages to unseal by itself.

Thank you, that explains it.