Problems with auto unseal via Google KMS

ingvarch · December 11, 2022, 1:29am

Hello,

I have a problems with Auto unseal via Google KMS. My Vault version 1.10 was working fine. Google KMS changed version of key several time but vault didn’t get these changes. The old version of key was destroyed. Vault was restarted during the maintenance and now it can’t unseal because it wants to use the old version of Google KMS.

Google support said that it is not possible restore destroyed key because it was destroyed more then 24 hours ago. I don’t know what need to do. please help me.

maxb · December 11, 2022, 5:02am

I am not familiar with Google KMS, but based on what you have said, the key is gone, which means your Vault data is permanently unrecoverable.

You would need to start afresh, setting up Vault from scratch, creating new secrets.

This is the main reason I really don’t like auto-unseal… you’re completely at the mercy of your cloud key still being available.

Topic		Replies	Views
Update auto unseal kms key Vault	2	326	October 20, 2021
Unseal Vault with Recovery Key ( Lost AWS KMS used for Auto unseal ) Vault	0	343	March 31, 2021
Vault's auto unseal behaviour when we change the KMS ID (Auto Unseal with KMS) Vault k8s , vault	3	488	April 4, 2022
What to do if KMS is used for auto-unseal and it is down Vault	4	509	April 28, 2020
Vault auto-unseal suddenly stopped working Vault k8s	3	994	January 20, 2021

Problems with auto unseal via Google KMS

Related topics