Hi,
If I took a backup of a single Vault cluster with Raft storage and AWS KMS to auto unseal, could I restore a totally new cluster with a new KMS key?
I am asking the question, because I want to know what will happen if the AWS KMS key is deleted?
Br,
Meraj
maxb
April 20, 2022, 8:23am
2
No, in this case the backup would be forever inaccessible, as the data inside the backup is encrypted using the deleted KMS key.
aram
April 20, 2022, 3:45pm
3
Yes, I have done this multiple times to restore a single secret from a previous backup without having to do a full restore of the backup.
Now if you mangle/delete/update/rotate your KMS key then you’re sunk. There is no way to un-encrypt that backup.
maxb
April 20, 2022, 5:24pm
4
This is a confusing response - you start out by saying “Yes”, but then you go on to clarify that actually the answer is “no”. Please be careful not to give people the wrong idea, especially when it relates to whether their backups could be successfully recovered.
That raises a new question, then: how did you restore a single secret?
aram
April 21, 2022, 9:41am
6
You can just use the vault commands for a single secret, but if you need to restore a whole engine, medusa is the easier tool (3rd party).
vault command:
```shell
vault kv get -format=json -field=data kv/src_path/src_secret | VAULT_TOKEN=<dst_token> vault kv put -address=https://dest-vault:8200 kv/dest_path/secret -
```
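The single-secret copy above is a shell pipeline, and its one real pitfall is the shape of the JSON that `vault kv get -format=json` emits: a KV v1 engine puts the key/value pairs directly under `data`, while KV v2 nests them under `data.data` next to a `metadata` block, and a soft-deleted v2 version has `data.data` set to null. The following is an added example, not code from this thread, from HashiCorp or from medusa: it normalizes both shapes into the JSON object that `vault kv put <path> -` reads from stdin, refuses to copy a deleted version, and keeps the destination token in the environment rather than on the command line. The sample responses are constructed, the paths `kv/src_path/src_secret` and `kv/dest_path/secret` and the address `https://dest-vault:8200` are taken from the command in the thread, and `copy_secret` assumes a `vault` CLI on PATH (it is not run here).

```python
import json
import os
import subprocess

# Constructed sample of `vault kv get -format=json` output for a KV v2 engine:
# the secret's keys are nested under data.data, beside a metadata block.
SAMPLE_KV2 = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",  # placeholder id
    "data": {
        "data": {"username": "svc", "password": "example-only"},
        "metadata": {"created_time": "2022-04-20T08:00:00Z", "deletion_time": "",
                     "destroyed": False, "version": 3},
    },
})

# Constructed sample for a KV v1 engine: the keys sit directly under data.
SAMPLE_KV1 = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",  # placeholder id
    "data": {"username": "svc", "password": "example-only"},
})

# Constructed sample of a soft-deleted KV v2 version: data.data is null.
SAMPLE_KV2_DELETED = json.dumps({
    "data": {"data": None,
             "metadata": {"deletion_time": "2022-04-21T09:00:00Z",
                          "destroyed": False, "version": 3}},
})


def extract_secret_data(raw_json: str) -> dict:
    """Return only the secret's key/value pairs from `vault kv get -format=json`
    output, for KV v1 or KV v2. Raises ValueError for shapes that must not be copied."""
    doc = json.loads(raw_json)
    data = doc.get("data")
    if not isinstance(data, dict):
        raise ValueError("response carries no data: wrong path, missing policy, or empty secret")
    # KV v2 is recognised by the metadata block the engine adds; a v1 secret that
    # happens to contain keys named 'data' and 'metadata' would be misread here.
    is_v2 = "metadata" in data and "data" in data and isinstance(data["metadata"], dict)
    if not is_v2:
        return dict(data)
    inner = data["data"]
    if inner is None:
        # Soft-deleted or destroyed version: writing it would create an empty secret.
        raise ValueError("version %s is deleted or destroyed" % data["metadata"].get("version"))
    return dict(inner)


def is_copyable(raw_json: str) -> bool:
    """True when the response holds a live secret that can be written to the destination."""
    try:
        extract_secret_data(raw_json)
        return True
    except ValueError:
        return False


def build_put_stdin(secret: dict) -> str:
    """Serialize the pairs into the flat JSON object `vault kv put <path> -` reads from
    stdin. For KV v2 the CLI wraps this object in {"data": ...} itself, so we must not."""
    return json.dumps(secret, sort_keys=True)


def copy_commands(src_path: str, dst_path: str, dst_address: str) -> tuple:
    """Argument vectors for both halves of the pipeline. Flags precede positional
    arguments as the vault CLI requires; the token is deliberately not an argument."""
    get = ["vault", "kv", "get", "-format=json", src_path]
    put = ["vault", "kv", "put", "-address=" + dst_address, dst_path, "-"]
    return get, put


def copy_secret(src_path: str, dst_path: str, dst_address: str, dst_token: str) -> None:
    """Run the copy against real clusters (assumes a `vault` CLI on PATH and a source
    token already in the environment). The destination token goes via VAULT_TOKEN so it
    never appears in `ps` output or shell history."""
    get, put = copy_commands(src_path, dst_path, dst_address)
    raw = subprocess.run(get, check=True, capture_output=True, text=True).stdout
    payload = build_put_stdin(extract_secret_data(raw))
    env = dict(os.environ, VAULT_TOKEN=dst_token)
    subprocess.run(put, input=payload, env=env, check=True, text=True)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; no cluster is contacted.
    for label, sample in (("v2", SAMPLE_KV2), ("v1", SAMPLE_KV1), ("v2-deleted", SAMPLE_KV2_DELETED)):
        if is_copyable(sample):
            print(label, "->", build_put_stdin(extract_secret_data(sample)))
        else:
            print(label, "-> skipped (not a live secret)")
```

Because `extract_secret_data` strips the `metadata` block, the destination receives only the key/value pairs and gets a fresh version 1 there; version history, custom metadata and the original `created_time` are not carried over, which is what the thread's one-line pipeline does as well.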