Dear Colleagues,
Didn't find an answer to my question, so I decided to start a topic.
I have a Vault cluster in HA mode with 5 nodes. I have also configured AWS KMS Auto-unseal on them.
The question:
What option is there to restore the Vault cluster in case of Auto-unseal failure (lack of access to AWS from the VM, someone deletes the KMS configuration, etc.)?
In the documentation I can see that to migrate back to Shamir I need to have both unseal methods available.
So what options do we have in case of auto-unseal failure to bring back proper functionality of Vault?
Thanks
Hello!
Referencing the Vault Auto-Unseal documentation:
If the seal mechanism (such as the Cloud KMS key) becomes unavailable, or is deleted before the seal is migrated, then there is no ability to recover access to the Vault cluster until the mechanism is available again. If the seal mechanism or its keys are permanently deleted, then the Vault cluster cannot be recovered, even from backups. To mitigate this risk, we recommend careful controls around management of the seal mechanism, for example using AWS Service Control Policies or similar. With Vault Enterprise, secondary clusters (disaster or performance) can have a seal configured independently of the primary, and when properly configured this guards against some of this risk. Unreplicated items such as local mounts could still be lost.
Additionally, there is a new Beta Feature for Vault Enterprise called Seal High Availability (Seal HA). This allows the configuration of more than one auto seal mechanism such that Vault can tolerate the temporary loss of a seal service or device for a time.
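Since the answer above makes the point that a deleted or disabled KMS key leaves the cluster unrecoverable, the practical defensive step beyond an SCP is to notice early when someone schedules deletion of, disables, or re-policies the unseal key, while the KMS waiting period still allows the action to be cancelled. The following detector is an added example, not code from the thread or from HashiCorp: it scans CloudTrail records for KMS API calls that would break auto-unseal for a specific key. The key ARN, alias, account id and all sample records are constructed placeholders; the CloudTrail field names (`eventSource`, `eventName`, `requestParameters.keyId`, `responseElements.deletionDate`) follow the CloudTrail record format for KMS.

```python
"""Flag CloudTrail events that threaten the KMS key used by a Vault awskms seal.

Added example; all ARNs, aliases and records below are constructed placeholders.
"""
import json
from typing import Iterable

# The key referenced in Vault's `seal "awskms"` stanza (placeholder values, assumption).
SEAL_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
SEAL_KEY_ALIAS = "alias/vault-unseal"
SEAL_KEY_ID = SEAL_KEY_ARN.rsplit("/", 1)[-1]

# KMS calls that make the seal key unusable or change who controls it.
# Any of these can turn a temporary outage into an unrecoverable cluster.
RISKY_KMS_ACTIONS = {
    "ScheduleKeyDeletion": "deletion scheduled; cancel it before the waiting period ends",
    "DisableKey": "key disabled; Vault can no longer unseal with it",
    "DeleteAlias": "alias removed; a seal stanza referencing the alias will fail",
    "PutKeyPolicy": "key policy changed; Vault's IAM role may lose kms:Decrypt",
    "DeleteImportedKeyMaterial": "imported key material deleted; key is unusable",
}


def _targets_seal_key(params: dict) -> bool:
    """CloudTrail records the key as an ARN, a bare key id, or an alias."""
    key_id = (params or {}).get("keyId", "")
    return key_id in (SEAL_KEY_ARN, SEAL_KEY_ID, SEAL_KEY_ALIAS)


def find_seal_key_threats(records: Iterable[dict]) -> list:
    """Return one alert dict per risky KMS call aimed at the seal key."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in RISKY_KMS_ACTIONS:
            continue
        if not _targets_seal_key(rec.get("requestParameters")):
            continue
        alert = {
            "time": rec.get("eventTime"),
            "action": name,
            "principal": (rec.get("userIdentity") or {}).get("arn"),
            "why": RISKY_KMS_ACTIONS[name],
        }
        if name == "ScheduleKeyDeletion":
            # KMS reports the effective deletion date; that is the hard deadline.
            alert["deletion_date"] = (rec.get("responseElements") or {}).get("deletionDate")
        alerts.append(alert)
    return alerts


def find_threats_in_log(log_text: str) -> list:
    """Parse a CloudTrail log file body ({"Records": [...]}) and scan it."""
    return find_seal_key_threats(json.loads(log_text).get("Records", []))


# Constructed sample records: one benign Decrypt, one deletion of the seal key,
# one DisableKey on an unrelated key, and one policy change via the alias.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/vault"},
     "requestParameters": {"keyId": SEAL_KEY_ARN}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"keyId": SEAL_KEY_ID, "pendingWindowInDays": 7},
     "responseElements": {"keyId": SEAL_KEY_ARN, "deletionDate": "May 8, 2024, 10:05:00 AM"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/other-key"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "PutKeyPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"keyId": SEAL_KEY_ALIAS, "policyName": "default"}},
]})


if __name__ == "__main__":
    for a in find_threats_in_log(SAMPLE_LOG):
        print(f"{a['time']} {a['action']} by {a['principal']}: {a['why']}")
```

On the constructed log this reports the `ScheduleKeyDeletion` and the `PutKeyPolicy` against the seal key and ignores the routine `Decrypt` and the `DisableKey` on an unrelated key. The point of surfacing `deletion_date` is that `ScheduleKeyDeletion` is reversible with `CancelKeyDeletion` only until that date, and a key in the pending-deletion state already cannot be used for unseal, so this is the window in which to cancel the deletion or, if the key is still usable, migrate the seal.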