Is it possible to recover the recovery keys when using GCP KMS?
It was not saved during the initialization and I need that to regenerate a new root token.
AFAIU, the rekey process won’t help because it’s necessary to pass the recovery keys in order to generate new ones.
In case that’s not possible, would the cloud provider (Google) have access to it in order to retrieve that?
The recovery keys are only displayed when you initialise Vault. If you don’t keep them or lose them, the only option is to init Vault again, losing all the stored information. Google don’t have any access at all.
Well… There’s no supported way to do it, but someone on GitHub has put together a tool to retrieve the recovery key:
I have not used it and cannot vouch for it; it’s just something I happened to see in some search results at one time.