Hello,
We have our main Vault cluster (OSS) on GCP, using GCP KMS auto-unseal, with integrated storage.
I'm trying to find a way (as part of our DRP procedure) to restore a snapshot to another cluster which uses AWS KMS auto-unseal.
My first try was to export / restore on Vault clusters which had been configured with cloud-based auto-unseal from the start. This did not work (even with the -force
option of the snapshot restore command), as the unseal key is not known by the operator (me), so the AWS cluster was still trying to unseal with its old auto-unseal key.
I then tried something different:
- Create two clusters (one on GCP, one on AWS) with the auto-unseal stanza disabled (so two clusters using Shamir)
- Init both
- Create a snapshot from GCP and import it on AWS (using -force)
At that point, the unseal keys are the same on both clusters. Then:
- On both GCP and AWS, migrate from Shamir to cloud-based auto-unseal
- Create a new dump on GCP and import it on AWS
The dump still requires -force
(which I would not have expected, as the Shamir keys were identical after the first import), and when I try to unseal I get:
* barrier seal type of "gcpckms" does not match loaded type of "awskms"
And if I try with -migrate,
I get: * can't perform a seal migration, no migration seal found
I'm a bit stuck right now; any help would be appreciated.
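Editor's added example, not part of the original post and not the poster's actual configuration: the seal stanzas the AWS-side cluster would need in order to accept a snapshot whose barrier was sealed with gcpckms. Vault's documented pattern for moving between two auto-unseal mechanisms is to keep the old seal stanza in the config with `disabled = "true"` next to the new seal, restart, and then run `vault operator unseal -migrate` with the source cluster's recovery key shares; the "no migration seal found" error is consistent with no disabled (old) seal stanza being present. Project, region, key ring, key names and the KMS key id below are placeholders. Note the caveat that the AWS nodes must be able to call the GCP KMS key during the migration, because the old seal is what decrypts the barrier key before the new seal re-wraps it.

```hcl
# Added example config for the AWS-side cluster (placeholder values, not the poster's).
# Assumes the snapshot being restored was taken from a cluster sealed with gcpckms.

# Old seal: the mechanism the restored barrier was encrypted under.
# disabled = "true" tells Vault to use it only as the migration source.
# The AWS nodes need GCP credentials that can decrypt with this key
# (GOOGLE_APPLICATION_CREDENTIALS or the `credentials` parameter).
seal "gcpckms" {
  disabled   = "true"
  project    = "my-gcp-project"     # placeholder
  region     = "global"             # placeholder
  key_ring   = "vault-keyring"      # placeholder
  crypto_key = "vault-unseal-key"   # placeholder
}

# New seal: the auto-unseal this cluster should end up on.
seal "awskms" {
  region     = "eu-west-1"                              # placeholder
  kms_key_id = "00000000-0000-0000-0000-000000000000"   # placeholder
}

# Sequence, per node of the AWS cluster:
#   vault operator raft snapshot restore -force vault.snap
#   (restart vault with the config above)
#   vault operator unseal -migrate      # enter the source cluster's recovery key shares
# After the migration completes, drop the disabled gcpckms stanza and restart
# so the cluster no longer depends on the GCP key.
```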