Update auto unseal kms key

josedev-union · February 15, 2021, 6:23pm

I use AWS kms for auto-unseal. I unsealed using kms successfully and used vault for several days.
Then I removed the kms key and created a new key. The vault server was affected by this key recreation. But when I restarted the vault server, it didnt decrypt successfully.

Is this surely related to the kms key recreation? and if so, what can be the solution for this?

stuart-c · February 17, 2021, 9:43pm

The KMS key is used to encrypt the master key used by Vault. You mustn’t remove that key as you would then not be able to unseal Vault.

usrsimpleang · October 20, 2021, 3:17am

How do I rotate the KMS key used to encrypt the master key? Say I want to move from single region to multi region kms keys. Is there a way to change a kms key? I do have the original recovery codes.