Problems with auto unseal via Google KMS


I have a problem with auto unseal via Google KMS. My Vault version 1.10 was working fine. Google KMS changed the version of the key several times, but Vault didn’t get these changes. The old version of the key was destroyed. Vault was restarted during the maintenance and now it can’t unseal because it wants to use the old version of Google KMS.

Google support said that it is not possible to restore the destroyed key because it was destroyed more than 24 hours ago. I don’t know what I need to do. Please help me.

I am not familiar with Google KMS, but based on what you have said, the key is gone, which means your Vault data is permanently unrecoverable.

You would need to start afresh, setting up Vault from scratch, creating new secrets.

This is the main reason I really don’t like auto-unseal… you’re completely at the mercy of your cloud key still being available.