Is it possible to have 2 Vault instances auto-unseal each other?
Current Setup
I currently have two HashiCorp Vault instances deployed in separate locations, both being used in production. I’d like to configure them to auto-unseal each other, so that if one goes down, the other will still be available to unseal it when it comes back online.
Questions
- Mutual Auto-Unsealing: Is it possible/advisable to have two Vault instances auto-unseal each other? Is this considered good practice from a security and reliability standpoint?
- Migration Path: Most documentation (like the Transit Auto-Unseal tutorial) describes setting up auto-unseal on a clean Vault. My Vault instances are already in production with existing data. What’s the migration path to implement auto-unseal without losing data? I can accept some downtime, but need to preserve all secrets.
- Manual Unsealing Option: If auto-unseal is enabled, can I still manually unseal the vault if necessary? Is there a fallback mechanism?
- Helm Configuration: When using Helm to deploy Vault, how do I configure the auto-unseal feature? Is it just a matter of creating a ConfigMap somewhere, or do I need to include specific configurations in my values for the chart?
Additional Context
I understand this is a multi-part question, but I’d really appreciate insights from anyone with experience implementing a similar setup. Thanks in advance for any guidance!