I have just installed vault in a k8s cluster and I’d like to use the OCI KMS unseal functionality. When logging into the pod I can see the following (before init):
~ $ vault status
Key Value
Recovery Seal Type ocikms
Initialized false
Sealed true
Total Recovery Shares 0
Threshold 0
Unseal Progress 0/0
Unseal Nonce n/a
Version 1.11.4
Build Date 2022-09-23T06:01:14Z
Storage Type oci
HA Enabled true
When running vault operator init I get the following:
~ $ vault operator init
Recovery Key 1: rLnKvNXPLFXyjBuErgDQtGysqHDfopXr+/J6IV1FHPjI
Recovery Key 2: bgSYxVQa/vFty+Pqh+0EJS4mXkwSj997YLcjyFxvk1go
Recovery Key 3: a9Z/44lgAEY10oImzp0ZisQvo19IlaiaWIlH8x16X7BM
Recovery Key 4: 4bRKTml5P5QDZXY2KLC9ZQ8nWUkDpZtZRfwnxaZ3Ul+Q
Recovery Key 5: WNBK+Yj7yP8Y1UnmyomHpdfvCP+IuToYQXpvgxIoAAdS
Initial Root Token: hvs.pHihCj6Vkn3Bo4KnZcGrstqx
Success! Vault is initialized
Recovery key initialized with 5 key shares and a key threshold of 3. Please securely distribute the key shares printed above.
This tells me that the unseal process went well. However, if I run vault status again I get this, which seems wrong, as the recovery seal type is Shamir and not ocikms.
~ $ vault status
Key Value
Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares 5
Threshold 3
Version 1.11.4
Build Date 2022-09-23T06:01:14Z
Storage Type oci
Cluster Name vault-cluster-dfc25bbe
Cluster ID 1e5983a9-8128-2b4b-e3fb-6cfe42d174f8
HA Enabled true
HA Cluster https://vault-2.vault-internal:8201
HA Mode standby
Active Node Address http://10.244.1.28:8200
My config looks like this:
seal "ocikms" {
  auth_type_api_key   = "false"
  key_id              = "ocid1.key.oc1.iad…"
  crypto_endpoint     = "https://b5…crypto.kms.us-ashburn-1.oraclecloud.com"
  management_endpoint = "https://b5…management.kms.us-ashburn-1.oraclecloud.com"
}
Why is vault displaying Shamir and not ocikms? And how can I debug that this actually works properly?
Thanks
Andy
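Added example (not code from the post, and not from HashiCorp): a small checker that reads the JSON form of vault status and reports whether a node looks like a healthy KMS auto-unsealed cluster member, so the "does this actually work" question has a repeatable test instead of eyeballing the table. The meaningful test for auto-unseal is to kill or restart the pod and confirm it comes back with sealed false and no unseal progress, i.e. nobody had to submit key shares; the checker encodes exactly that plus the recovery-seal and threshold checks a reviewer would want. It assumes the JSON field names emitted by vault status -format=json on Vault 1.11 (type, initialized, sealed, t, n, progress, nonce, recovery_seal, storage_type); the SAMPLE_* dictionaries are constructed to mirror the two status tables quoted in the post and are not captured from a real cluster.

```python
"""Checker for `vault status -format=json` output (added example, not from the post).

Assumption: the field names below are those of Vault 1.11's JSON status output.
The SAMPLE_* dicts are constructed to mirror the tables in the post; they are
not captured from a live cluster.
"""
import json
import shutil
import subprocess

# Constructed sample: the state the post shows before `vault operator init`.
SAMPLE_BEFORE_INIT = {
    "type": "ocikms", "initialized": False, "sealed": True,
    "t": 0, "n": 0, "progress": 0, "nonce": "",
    "version": "1.11.4", "recovery_seal": False, "storage_type": "oci",
}

# Constructed sample: the state the post shows after init (recovery keys 3 of 5).
SAMPLE_AFTER_INIT = {
    "type": "shamir", "initialized": True, "sealed": False,
    "t": 3, "n": 5, "progress": 0, "nonce": "",
    "version": "1.11.4", "recovery_seal": True, "storage_type": "oci",
}


def assess_seal_status(status, expected_storage="oci"):
    """Return a list of findings; an empty list means the node reports what a
    healthy, KMS auto-unsealed member should report."""
    findings = []
    if not status.get("initialized"):
        findings.append(
            f"not initialized yet; seal type reported as {status.get('type')!r}")
        return findings
    if status.get("sealed"):
        # A KMS-backed seal unseals on start; sealed-after-init means the
        # KMS call failed and the server log is the place to look.
        findings.append("initialized but sealed: KMS unseal did not happen, "
                        "check the Vault server log for errors reaching the KMS endpoint")
    if not status.get("recovery_seal"):
        # Without a recovery seal the barrier key itself is Shamir-split:
        # the seal stanza was not in effect when the cluster was initialized.
        findings.append("recovery_seal is false: barrier is Shamir-protected, "
                        "not auto-unsealed")
    if status.get("progress", 0) != 0 or status.get("nonce"):
        findings.append("an unseal attempt is in progress: key shares are being "
                        "submitted by hand, which auto-unseal should never need")
    threshold = status.get("t")
    if threshold is not None and threshold < 2:
        # Recovery shares authorize generate-root and rekey; one holder alone
        # should not be enough.
        findings.append("recovery key threshold below 2: a single share holder "
                        "can perform recovery operations on their own")
    if status.get("storage_type") != expected_storage:
        findings.append(f"storage_type is {status.get('storage_type')!r}, "
                        f"expected {expected_storage!r}")
    return findings


def is_auto_unsealed(status, expected_storage="oci"):
    """True when the node reports the state expected after a restart with a
    working KMS seal: initialized, unsealed, recovery seal present, no manual
    unseal in flight."""
    return not assess_seal_status(status, expected_storage)


def read_live_status():
    """Run `vault status -format=json` if the CLI is on PATH and return the
    parsed dict, else None. `vault status` exits 2 when sealed, so the exit
    code is deliberately ignored and only the JSON body is used."""
    if shutil.which("vault") is None:
        return None
    proc = subprocess.run(["vault", "status", "-format=json"],
                          capture_output=True, text=True)
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    for label, st in (("before init (constructed sample)", SAMPLE_BEFORE_INIT),
                      ("after init (constructed sample)", SAMPLE_AFTER_INIT),
                      ("live node", read_live_status())):
        if st is None:
            continue
        findings = assess_seal_status(st)
        print(f"{label}: {'OK, auto-unseal engaged' if not findings else 'findings'}")
        for f in findings:
            print("  -", f)
```

Run it inside the pod before and after deleting the pod (kubectl delete pod on the member): the live node should report OK both times without anyone running vault operator unseal. If it instead reports "initialized but sealed", the seal stanza is loaded but the KMS call is failing, and the server log, not vault status, will say why.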