Retrieve kms recovery key

I use KMS (using Vault Transit as backend). Is it possible to retrieve the KMS recovery key to be used as a last resort?


Check out information about exporting keys at Transit - Secrets Engines | Vault by HashiCorp


Thanks @jeff for the reply, but in my case I don’t want to retrieve the Transit key but the KMS recovery key created by Boundary at start, something like this:

kms "aead" {
  purpose   = "recovery"
  key_id    = "global_recovery"
  aead_type = "aes-gcm"
  key       = "Ivj8Si8UQBp+Zm2lLbUDTxOGikE8rSo6QihCjWSTXqY="
}

I think I must have the ciphertext (stored in the database?) and decrypt it with Transit to get the KMS recovery key?

If you’re using Vault Transit as the KMS, then the Transit key is the recovery key. I’m not sure if you can use an exported Transit key (as opposed to using the key through Vault) on the command line as the recovery key though.

Bear in mind that the recovery key is not used to encrypt Boundary data in the database; that’s the purpose of the root key. (The recovery key is an ultimate-fallback authentication method, not used for data encryption.) I think that at least in theory, if you used a Vault Transit key as the root key, you can use an export of that key to decrypt the database data offline; there’s a description of the relationships between keys in the Data Security in Boundary document.

In the example you have, the KMS is actually aead, which is just Boundary using an explicitly-configured key. There’s no relationship with Transit or any other KMS there.
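To make the distinction in the reply above concrete, here is an added example (not from the thread or from Boundary's docs) of a recovery KMS stanza that is backed by Vault Transit rather than by a static aead key; the Vault address, token and key name are placeholders. Written to its own file, a stanza like this is what the Boundary CLI's -recovery-config flag reads when the recovery key is used as the fallback authentication method.

```hcl
# Added example: Boundary "transit" KMS stanza for the recovery purpose.
# Unlike the "aead" stanza, the key never leaves Vault; Boundary calls the
# Transit key named below for the recovery-purpose operations.
kms "transit" {
  purpose         = "recovery"
  address         = "https://vault.example.com:8200"   # placeholder Vault address
  token           = "s.REPLACE_WITH_VAULT_TOKEN"       # placeholder token with transit access
  disable_renewal = "false"
  key_name        = "boundary-recovery"                 # placeholder Transit key name
  mount_path      = "transit/"
}
```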