Restore Vault cluster with Raft storage and AWS KMS as auto unseal key


If I took a backup of a single Vault cluster with Raft storage and AWS KMS to auto unseal, could I restore a totally new cluster with a new KMS key?

I am asking the question, because I want to know what will happen if the AWS KMS key is deleted?


No, in this case the backup would be forever inaccessible, as the data inside the backup is encrypted using the deleted KMS key.

1 Like

Yes, I have done this multiple times to restore a single secret from a previous backup without having to do a full restore of the backup.

Now if you mangle/delete/update/rotate your KMS key then you’re sunk. There is no way to un-encrypt that backup.

This is a confusing response - you start out by saying “Yes”, but then you go on to clarify that actually the answer is “no”. Please be careful not to give people the wrong idea, especially when it relates to whether their backups could be successfully recovered.

It makes a new question, then how did you restore a single secret?

You can just use the vault commands for a single secret but if you need to restore a whole engine medusa is the easier tool (3rd party).

vault command:

vault kv get -format=json -field=data kv/src_path/src_secret | VAULT_TOKEN=<dst_token> vault kv put -address=https://dest-vault:8200  kv/dest_path/secret -