Switching to different aws kms key id (with the same key material)

zerkms · December 22, 2020, 8:50pm

I’m not an AWS KMS guru, but I’m sure it does not (have their own solution for that).

Nick-Triller · December 22, 2020, 9:02pm

The problem is also discussed here:

github.com/hashicorp/vault

Feature Request: Support multiple KMS Keys for Auto Unseal

opened 07:48PM - 15 Jan 19 UTC

justyns

enhancement core/seal community-sentiment

**Is your feature request related to a problem? Please describe.** We need to… plan for a scenario where someone accidentally deletes a KMS key, or KMS itself is inaccessible in a region. I've tried the following as a simple test: * Create consul and vault clusters in two regions, region1 and region2 * Enable Auto Unseal using `awskms` with a KMS key in region1 * Take snapshots of consul from region1 * Stop clusters in region1 and disable/delete KMS key in region1 * Restore consul snapshot from region1 in region2 * Attempt to start Vault This fails because the KMS key is disabled/deleted/inaccessible from the new cluster. Essentially I want the ability to take a consul snapshot and restore it on a server that does not have access to the KMS key used by the vault cluster with auto-unseal using awskms enabled. **Describe the solution you'd like** I think supporting multiple `seal` blocks or kms ids in the `awskms` seal block may be the simplest solution. This could look something like this: ``` seal "awskms" { region = "us-east-1" kms_key_ids = [ "region1/19ec80b0-dfdd-4d97-8164-c6examplekey", "region2/12e4e120-dfdd-4d97-8164-c6examplekey2" ] } ``` In my example, I would specify KMS keys from two (or more) regions. Vault would then encrypt the master key against every KMS key in the list. I would then be able to take a consul snapshot in region1, create a consul/vault cluster in region2, restore the snapshot, bring up the vault cluster and have it auto unseal as normal. If supporting multiple kms keys wouldn't work for some reason, then I think allowing the original unseal keys (recovery keys) to unseal a vault cluster would also be a reasonable solution. **Describe alternatives you've considered** - Enterprise DR would essentially solve the issue, but that is a long-term solution and not available when only using the OSS version of Vault. - Originally I was under the impression that the "recovery keys" could be used to unseal a vault cluster that had auto unseal enabled. This isn't the case, and makes their name seem misleading unless they serve a purpose other than generating root tokens or removing auto unseal (while auto unseal is still enabled and working.) - Another option considered was to import custom key material into a new KMS key. Because the old encrypted data references the original KMS key id, this doesn't work when that key no longer exists. **Explain any additional use-cases** Without this feature, it is impossible afaict to properly backup a Vault cluster with Auto Unseal enabled. Even with Enterprise DR and replication, you wouldn't have a true backup as you can't back up the KMS keys. Please let me know if I am misunderstanding something or if there is an alternative solution. Thanks!

We need to plan for a scenario where someone accidentally deletes a KMS key, or KMS itself is inaccessible in a region.

Another option considered was to import custom key material into a new KMS key. Because the old encrypted data references the original KMS key id, this doesn’t work when that key no longer exists.

As I understand, the key ID is randomly generated.

tmiroslav · December 23, 2020, 1:19am

If I understand your discussion above well, it’s not possible to use shamir unseal keys to unseal Vault which go to seal state after accidentally deleting AWS kms key (which is used for auto-unseal) - or facing any other issue with kms key that results Vault to go to seal state?

zerkms · December 23, 2020, 1:34am

@tmiroslav,

The discussion and original question was about recreating new aws kms cmk using the same key material.

tmiroslav · December 23, 2020, 1:45am

Yes, what I understood, Vault can not handle situation where you change KMS ID used for Vault auto-unseal. But, at least per Vault documentation, Vault can handle AWS key rotation. So, KMS ID is same, but AWS change the key content in the back.
Good to know would be if unsealed keys retrieved during Vault initializations are enough to get Vault back to unseal state after trouble with.

zerkms · December 23, 2020, 1:48am

Those are recovery keys and those cannot be used for unsealing.

akloss-cibo · January 3, 2023, 4:06pm

Don’t multi-region KMS keys address this? Multi-Region keys in AWS KMS - AWS Key Management Service

mschultz-aofl · January 3, 2023, 10:13pm

I’ve solved this in a backwards fashion. Note this requires a highly secured automation platform (GitlabCI, Jenkins, TeamCity, etc)

take a nightly backup of the vault
restore it to a new vault server that has access to the same KMS key
Perform a seal migration, converting it to a Shamir seal, and store those keys safely
Take a second backup of the Samir seal vault, and store that one away

So our DR is:
If the main instance goes down, but the key is still available, restore the backup from step 1. If it’s all burned down, grab the Shamir seal backup, unseal manually, and either (A) migrate data to a new vault server or (B) re-migrate it back to a new KMS key. We already had a secured enclave in our infra for this, so it worked for us. But yes, this is really, really not ideal.

Topic		Replies	Views
Vault Unseal With Custom KMS Key (BYOK) Vault k8s , vault	2	163	April 11, 2025
Restore backup with a different auto-unseal provider Vault vault	2	616	June 15, 2023
Unseal Vault with Recovery Key ( Lost AWS KMS used for Auto unseal ) Vault	0	379	March 31, 2021
Update auto unseal kms key Vault	2	393	October 20, 2021
AWS EKS Auto Unseal Vault	9	2239	November 18, 2021

Switching to different aws kms key id (with the same key material)

Related topics