Question about auto unsealing and the master key

I’m working on a setup with a vault cluster and a master Vault for auto unsealing via the Transit Secret engine. According to the documentation the master key is stored in the backend storage. I have two questions:

  1. Which vault contains the master key (I guess this would be the master vault)?
  2. Can I somehow retrieve the master key from the vault?

Many thanks!

  1. It doesn’t really make sense to speak of “which vault contains”, because in a cluster all vault nodes share the same backend storage.

  2. Yes, if you have direct access to backend storage you can fetch the seal-encrypted master key:

$ cat filevault/data/core/hsm/_barrier-unseal-keys

A colleague pointed out that I may have missed the gist of what you were asking. Let me try again.

  1. If you’re asking “which of the two clusters involved stores the master key”, it’s the one configured to use transit auto-unseal. Any Vault cluster using auto-unseal writes the encrypted master key to its own configured storage backend. The transit secret engine only persists its own keys, not any data clients ask it to encrypt/decrypt, so that cluster won’t have a copy of the other cluster’s master key.

  2. Just to clarify: the value stored in barrier-unseal-keys is encrypted using the other cluster’s transit engine.

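The arrangement described in the answer above (a cluster whose encrypted master key lives in its own storage backend, wrapped by another cluster's transit key) in configuration form, as an added example that is not part of the original thread or of Vault's own documentation. It shows the seal stanza on the auto-unsealed cluster and a least-privilege policy for the token it presents to the master Vault. The address, token, key name `autounseal` and mount path `transit/` are assumed placeholders.

```hcl
# --- File 1: server config on the cluster that is auto-unsealed (added example) ---
# The value this cluster writes to core/hsm/_barrier-unseal-keys is ciphertext
# produced by the key below; it is only recoverable by calling decrypt on the
# master Vault with a token allowed to use that key.
seal "transit" {
  address    = "https://master-vault.example.internal:8200" # assumed address
  token      = "REPLACE_WITH_AUTO_UNSEAL_TOKEN"             # placeholder, inject at runtime
  key_name   = "autounseal"                                 # assumed key name
  mount_path = "transit/"                                   # assumed mount path
}

# --- File 2: policy on the master Vault attached to that token (added example) ---
# Only encrypt/decrypt with the one key. No read on transit/keys/autounseal and
# no export path, so a leaked auto-unseal token cannot be used to obtain the
# transit key itself, only to unwrap via the audited API.
path "transit/encrypt/autounseal" {
  capabilities = ["update"]
}

path "transit/decrypt/autounseal" {
  capabilities = ["update"]
}
```

With this split, the storage entry shown earlier in the thread stays opaque to anyone holding only the storage backend, and every unwrap of it appears in the master Vault's audit log as a decrypt call against `transit/decrypt/autounseal`, which is the event worth alerting on outside of expected unseal windows.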

Thanks for the explanation. That is good information. I didn’t know the master key was stored in the _barrier-unseal-keys file of the vault storage backend. I didn’t find any information about this in the documentation of vault, apart from how it is configured (which is of course useful). Did I miss it, or is this just something you have to find out yourself in the code?

You didn’t miss anything. There are lots of implementation details that the documentation doesn’t cover.