Restore Vault from backup after rekeying & rotating Vault


I wonder if I can still restore my Vault cluster after rekeying and rotating using the backup stored before these procedures.
The backend storage is RAFT and the Vault uses a Cloud KMS-based auto unseal key.

Does anybody have any idea?


Rotating refers to adding a new key to the keyring used for bulk data encryption, and starting to use it for new encryption operations.

Since this keyring is maintained entirely within Vault’s own storage, rotation has no direct interaction with the external KMS at all, and there is nothing to worry about regarding backup restoration.

Rekeying refers to changing the root key used to encrypt the above-mentioned keyring - this key is stored in Vault’s own storage, encrypted by the external KMS.

Therefore, your question comes down to: Will the external KMS still be able to decrypt everything it previously encrypted?

It really should be able to - although I have encountered someone who accidentally had their KMS destroy old key versions, and broke their Vault in doing so.

So long as you don’t fall into that trap, and your external KMS can always decrypt everything it previously encrypted, all your old backups will be valid.
