Rekey a specific unseal Key

Hi,

Assuming we use 3 key shares and a key threshold of 2, if someone lost his key, how can I rekey only the lost key? I see in the docs that the rekey process changes the total number of keys.

Thank you :slight_smile:

I don’t think Shamir can work that way. I.e., if you need 2 keys to gen the master key, and you change one, 1 can always be a new/unrelated key.
You need to rekey all, possibly creating a higher # of key shares and storing one away as a failsafe if you have a requirement to allow someone to lose their key and give them a new one without rekeying the vault.

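The 3-share, threshold-2 case discussed in this thread, as an added example that is not part of either post and is not Vault's code. It is a minimal Shamir split/combine over a prime field (the modulus `P` and the function names are assumptions of this sketch) showing that an unrelated value cannot stand in for a lost share, and that re-splitting the same key produces a whole new share set that does not mix with the old one.

```python
import secrets

# Illustrative field modulus (a Mersenne prime); an assumption of this sketch,
# not the field used by Vault's own Shamir implementation.
P = 2**127 - 1

def split(secret, shares=3, threshold=2):
    """Split `secret` into points on a random polynomial of degree threshold-1."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, f(x)) for x in range(1, shares + 1)]

def combine(points):
    """Lagrange interpolation at x=0 recovers the constant term (the secret)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def demo():
    master = secrets.randbelow(P)      # constructed stand-in for the master key
    old = split(master)                # 3 shares, threshold 2
    # Any two of the original shares recover the key.
    ok_old = all(combine([old[a], old[b]]) == master
                 for a, b in [(0, 1), (0, 2), (1, 2)])
    # Hand holder 3 an unrelated random value in place of the lost share.
    forged = (3, secrets.randbelow(P))
    ok_forged = combine([old[0], forged]) == master
    # Re-split the same key: fresh polynomial, so every share changes.
    new = split(master)
    ok_new = combine([new[0], new[2]]) == master
    # An old share paired with a new one lies on two different polynomials.
    ok_mixed = combine([old[0], new[2]]) == master
    return ok_old, ok_forged, ok_new, ok_mixed

if __name__ == "__main__":
    print(demo())
```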