Restore backup with a different auto-unseal provider


We have our main vault cluster (OSS) on gcp, using gcpkms autounseal, with integrated storage.

I’m trying to find a way (as part of our DRP procedure) to restore a snapshot to another cluster which uses awskms autounseal.

My first try was to export / restore on vault clusters which have been configured with cloud-based autounseal at first. This did not work (even with -force option of snapshot restore command) as unseal key is not known by operator (me), so the AWS version was still trying to unseal with its old auto-unseal key.

I’ve then done something different:

  • Create 2 clusters (one on gcp, one on aws), with disabled autounseal stanza (so , 2 clusters using shamir)
  • Init both
  • Create a snapshot from gcp, and import it on aws (using -force)

At that point, unseal keys are the same on both cluster. Then:

  • On both gcp and aws, migrate from shamir to cloud-based auto-unseal
  • Create a new dump on GCP and import it on AWS

The dump still requires -force (I would have not expected as shamir keys were identical after first import) and when I try to unseal I get :

* barrier seal type of "gcpckms" does not match loaded type of "awskms"

And if I try with -migrate I get * can't perform a seal migration, no migration seal found

I’m a bit stuck right now, any help would be appreciated

It simply isn’t possible. If you choose to use a cloud-based auto-unseal, you are tied to the availability of that same seal key for decrypting any backups.

This is of course incredibly limiting, and calls into question the usefulness of auto-unseal at all, but is how the product has been designed.

I, personally, can’t imagine running any real production Vault installation using auto-unseal, unless all data in the Vault was considered disposable and able to be reset or replaced in a severe DR scenario.

Hi !

Thanks for answer, that was my conclusion after many tests but wasn’t sure I did understood everything correctly.

Going to switch to shamir then, with some custom auto unseal feature maybe.

1 Like