I’m trying to simulate possibility of migrating vault instance using the AWS KMS (customer provided key material) to a different KMS key/aws account.
So far - I have created a KMS Key “aaaa-…”, set up vault and configured auto unseal. It works great so far.
Now I create a new KMS Key “bbbb-…” with the same key material and disable “aaaa-…” (to simulate total unavailability of the key with the original id).
Now if I change the config to point to “bbbb-…” and start vault it still logs:
failed to unseal core: error="fetching stored unseal keys failed: failed to encrypt keys for storage: error decrypting data encryption key: DisabledException: arn:aws:kms:ap-southeast-2:xxx:key/aaaa-... is disabled."
Even though the config only points to the new “bbbb-…” key, Vault somehow knows about “aaaa-…”.
The backend storage used is S3.
Is it technically possible to do what I’m trying to do?
I can see references to the original key id at core/hsm/barrier-unseal-keys, and from reading the code it looks like it’s impossible to avoid decrypting it using the original key.
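The log line above is the seal-migration path: on startup Vault reads the stored unseal keys, decrypts them with the KMS key recorded inside the stored blob, and only then re-encrypts them under the key named in the current config. AWS KMS resolves a symmetric ciphertext to the key recorded in the ciphertext itself, so a second key carrying the same imported material but a different key id cannot stand in for the first. The practical check before disabling or scheduling deletion of an old key is therefore to confirm which key the stored blob is still bound to. The script below is an added example (not Vault's code and not from the original post); it assumes the barrier-unseal-keys entry has the JSON layout of a go-kms-wrapping EncryptedBlobInfo with a key_info.key_id field, and every value in the sample blob and seal stanza is constructed for illustration.

```python
import base64
import json
import re
from typing import Optional

# Constructed sample: a barrier-unseal-keys entry shaped like the JSON form of
# go-kms-wrapping's EncryptedBlobInfo. Field names and all values are assumptions
# made for this example; the post does not show the real object.
SAMPLE_BARRIER_UNSEAL_KEYS = json.dumps({
    "ciphertext": base64.b64encode(b"\x00" * 48).decode(),
    "iv": base64.b64encode(b"\x00" * 12).decode(),
    "key_info": {
        "mechanism": 1,
        # AWS KMS returns the full key ARN from Encrypt; Vault records it here.
        "key_id": "arn:aws:kms:ap-southeast-2:111111111111:key/aaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "wrapped_key": base64.b64encode(b"\x11" * 184).decode(),
    },
})

# Constructed seal stanza that has already been repointed at the replacement key.
SEAL_STANZA_NEW_KEY = '''
seal "awskms" {
  region     = "ap-southeast-2"
  kms_key_id = "bbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
}
'''


def configured_kms_key_id(hcl_text: str) -> Optional[str]:
    """Extract kms_key_id from an awskms seal stanza (regex, not a full HCL parser)."""
    m = re.search(r'kms_key_id\s*=\s*"([^"]+)"', hcl_text)
    return m.group(1) if m else None


def bound_kms_key_id(blob: str) -> Optional[str]:
    """Return the KMS key the stored blob says its data encryption key was wrapped with."""
    try:
        info = json.loads(blob)
    except json.JSONDecodeError:
        return None  # not the JSON layout this check understands
    key_info = info.get("key_info") or {}
    return key_info.get("key_id")


def normalize_key_id(key_ref: str) -> str:
    """Reduce a key ARN or bare key id to the key id; aliases are left as-is."""
    ref = key_ref.strip()
    if "key/" in ref:
        return ref.rsplit("key/", 1)[1].lower()
    return ref.lower()


def unseal_key_check(hcl_text: str, blob: str) -> dict:
    """Compare the configured seal key with the key the stored unseal keys are bound to.

    needs_old_key=True means the key in the blob must still be enabled and usable
    by Vault's credentials at startup, because the migration decrypts with it first.
    """
    configured = configured_kms_key_id(hcl_text)
    bound = bound_kms_key_id(blob)
    result = {"configured": configured, "bound": bound, "matches": None, "needs_old_key": None}
    if configured is None or bound is None:
        return result
    cfg, bnd = normalize_key_id(configured), normalize_key_id(bound)
    if cfg.startswith("alias/") or bnd.startswith("alias/"):
        return result  # alias-to-key resolution needs a KMS call; undecidable offline
    result["matches"] = cfg == bnd
    result["needs_old_key"] = not result["matches"]
    return result


if __name__ == "__main__":
    check = unseal_key_check(SEAL_STANZA_NEW_KEY, SAMPLE_BARRIER_UNSEAL_KEYS)
    if check["needs_old_key"]:
        print(f"stored unseal keys are bound to {check['bound']}; "
              f"it must stay enabled until Vault has started once against {check['configured']}")
    else:
        print("configured seal key matches the stored blob")
```

Running this against a copy of the S3 object before flipping the config and disabling the old key would have flagged that the blob still names “aaaa-…”, which is exactly the key the DisabledException complains about. The check is offline by design: it reads the stored entry and the config, and never calls KMS.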