Use Recovery Seal Type to unseal vault without auto seal method access

Hi,

I’m using azurekeyvault as auto unseal option.
When I run vault status I see that Recovery Seal Type is set as Shamir

$ vault status  -tls-skip-verify
Key                      Value
---                      -----
Seal Type                azurekeyvault
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
....

Question is: if I lose the AzureKeyVault secret, how do I unseal using the Recovery Seal Type (Shamir)?

When Vault is initialized while using HSM or Cloud KMS Key, it returns several recovery keys. Recovery keys are not sufficient to unseal Vault if the Auto-Unseal mechanism isn’t working. They are still required for highly privileged actions, such as generating new root keys.

Referencing the Vault Auto-Unseal documentation.

If the seal mechanism (such as the Cloud KMS key) becomes unavailable, or deleted before the seal is migrated, then there is no ability to recover access to the Vault cluster until the mechanism is available again. If the seal mechanism or its keys are permanently deleted, then the Vault cluster cannot be recovered, even from backups. To mitigate this risk, we recommend careful controls around management of the seal mechanism, for example using AWS Service Control Policies or similar. With Vault Enterprise secondary clusters (disaster or performance) can have a seal configured independently of the primary, and when properly configured guards against some of this risk. Unreplicated items such as local mounts could still be lost.

Additionally, there is a new Beta Feature for Vault Enterprise called Seal High Availability (Seal HA). This allows the configuration of more than one auto seal mechanism such that Vault can tolerate the temporary loss of a seal service or device for a time.
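The quoted documentation says access is unrecoverable only if the seal mechanism is lost "before the seal is migrated". The script below is an added example, not code from this thread or from HashiCorp: it shows the documented migration path from an azurekeyvault auto seal back to Shamir, which must be run while the Key Vault key is still reachable, because that is what turns the recovery keys into real unseal keys. It assumes Vault's documented `disabled = "true"` seal-stanza option and the `vault operator unseal -migrate` flag; the config path, the placeholder Azure values and the sample status text are assumptions constructed for the example.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): prepare and perform an
# auto-seal -> Shamir migration so recovery keys can unseal Vault.
# Assumes the documented seal option `disabled = "true"` and the
# `vault operator unseal -migrate` command. Paths and values are placeholders.

VAULT_CONFIG="${VAULT_CONFIG:-/etc/vault.d/vault.hcl}"   # assumed config path

# Seal stanza for the migration window: the azurekeyvault stanza stays in
# place, marked disabled, so Vault can still unwrap the current root key
# with the Key Vault key while it re-wraps it under the Shamir key.
seal_stanza_disabled() {
  cat <<'EOF'
seal "azurekeyvault" {
  disabled      = "true"
  tenant_id     = "<tenant id>"
  client_id     = "<client id>"
  client_secret = "<client secret>"
  vault_name    = "<key vault name>"
  key_name      = "<key name>"
}
EOF
}

# Check a `vault status` text: returns 0 when an auto seal is still active
# and the only Shamir material is *recovery* keys (i.e. migration is needed
# before the recovery keys could ever unseal the cluster).
# $1 = output of `vault status`
needs_migration() {
  echo "$1" | grep -q '^Seal Type *azurekeyvault' &&
  echo "$1" | grep -q '^Recovery Seal Type *shamir'
}

# Migration itself (requires a running cluster and the vault CLI):
#   1. write the stanza above into $VAULT_CONFIG and restart Vault
#   2. every recovery-key holder submits their share with -migrate
# Vault only completes the step while the Key Vault key is reachable.
migrate_to_shamir() {
  command -v vault >/dev/null 2>&1 || { echo "vault CLI not found" >&2; return 1; }
  vault operator unseal -migrate   # repeat until the recovery threshold is met
}
```

Run `needs_migration "$(vault status)"` on a healthy cluster to decide whether the recovery keys are still only recovery keys; if it returns 0, plan the migration while the Key Vault key is available, since after the key is gone there is nothing left to migrate.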
