I am currently documenting a migration from a Shamir-sealed OSS Vault cluster to Google KMS-based Auto-Unseal. I want to verify a specific “worst-case” disaster recovery scenario which seems like it shouldn’t work based on Vault documentation, but
The Scenario:
-
We migrate from Shamir to Google KMS auto-unseal.
-
Our original Shamir shards become the Recovery Keys.
-
We rotate these Recovery Keys (
-target=recovery) and store the new quorum safely. -
The KMS key undergoes several version rotations over time.
-
The Disaster: The Google KMS key (all versions) is accidentally deleted.
Our Proposed Recovery Procedure: Since a standard auto-unseal will now fail, our plan is:
-
Provision a brand-new KMS key in GCP.
-
Restore the latest Vault storage snapshot (Consul) to a new instance.
-
Update
vault.hclto point to the new KMS Key ID. -
Start the Vault server. It will initially be in a sealed state and fail to auto-unseal because the barrier is wrapped with the deleted key.
-
Run
vault operator unseal -migrateand provide the quorum of Recovery Keys (the ones generated in step 3).
My Questions:
-
Even though the KMS key is deleted, will the
unseal -migrateflag allow the Recovery Keys to reconstruct the Master Key in memory to authorize a re-wrap to the new KMS key? -
Does the fact that the KMS key rotated versions between the time the Recovery Keys were generated and the time of deletion affect the ability of those Recovery Keys to decrypt the barrier?
-
Is this an officially supported “Break-Glass” path for total loss of a Cloud KMS provider?
I’ve seen the general warnings in the documentation about deleted seal keys rendering a Vault cluster “unrecoverable” (which is why we’re also documenting methods for securing those keys), but I want to confirm if the -migrate workflow provides an exception for restoring into a new cluster with recovery keys.
Thanks in advance for the help!