Vault auto unseal for on prem vault using AWS KMS?

I have an on-prem Vault on our servers with a Consul backend.
We want a way to auto-unseal the Vault after a reboot. How can this be done?
We have an AWS account too, but it seems AWS KMS can be used for AWS EC2 Vault instances only and not for on-prem Vault servers? Is that so? How should I go about enabling auto-unseal for my use case? Can I use AWS KMS auto-unseal for on-prem Vault servers?
It is possible, here is an example. You need to provide the AWS access keys and your on-prem Vault needs to have access to the KMS endpoint.
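As an added illustration of that answer (this is not the example the reply links to, and not HashiCorp's own sample), the stanza an on-prem Vault with Consul storage would carry to use the `awskms` seal. The key ID, region, paths and addresses are placeholders to be replaced; the credentials can equally come from the standard `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` environment variables instead of the config file, and the `endpoint` line is only needed when the server reaches KMS through a private endpoint rather than the public one.

```hcl
# /etc/vault.d/vault.hcl (placeholder path) on the on-prem Vault server

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"   # placeholder
  tls_key_file  = "/etc/vault.d/tls/vault.key"   # placeholder
}

# Auto-unseal: the master key is wrapped by a KMS key. Nothing here requires
# the host to be an EC2 instance; it only needs network reachability to the
# KMS API and credentials that are allowed to use this one key.
seal "awskms" {
  region     = "eu-west-1"                                            # placeholder
  kms_key_id = "00000000-0000-0000-0000-000000000000"                 # placeholder key ID
  # Static credentials for an on-prem host that has no instance role.
  # Prefer exporting AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the
  # service environment over writing them into this file.
  access_key = "AKIA_PLACEHOLDER"
  secret_key = "SECRET_PLACEHOLDER"
  # Optional: only set this if KMS is reached via a VPC/private endpoint.
  # endpoint = "https://vpce-placeholder.kms.eu-west-1.vpce.amazonaws.com"
}

api_addr     = "https://vault1.example.internal:8200"   # placeholder
cluster_addr = "https://vault1.example.internal:8201"   # placeholder
```

On the AWS side, the IAM identity behind those credentials needs only `kms:Encrypt`, `kms:Decrypt` and `kms:DescribeKey` on that single key; scope the key policy to that identity so a leaked credential cannot use other keys, and keep the recovery keys that `vault operator init` prints, since with auto-unseal they replace the unseal key shares for recovery and rekey operations.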
Why not on-prem to on-prem using the Transit secrets engine? Do you really need AWS?

Hi Wolf,
Thanks. If I use Transit, the vault2 problem will be solved, but what about vault1? If that is rebooted, the Vault remains sealed.
Is there a solution to unseal both servers on reboot?

Sure. They can unseal each other. I think this is covered in this tutorial:

1 Like

Great, man. It worked! Thank you so much, Wolf.

1 Like

Hmm, I don’t think this is a good idea, and it’s not what the linked tutorial suggests unless I missed something. If you have two servers that are reliant on one another for auto-unseal, what happens if both of them get restarted at the same time? Then neither can ever be unsealed.

1 Like
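To make the Transit option and the objection in the last reply concrete, here is an added configuration example (not from the linked tutorial or any poster) for the two-Vault layout: an unsealer Vault that serves the Transit key, and the on-prem Vault that uses it. Hostnames, the key name `autounseal`, the policy name and the token are placeholders. The point of the layout is that the unsealer is unsealed independently (for example with the `awskms` seal above, or manually with its own key shares), so there is no circular dependency in which two rebooted servers each wait for the other.

```hcl
# ---- On the unsealer Vault (vault-unsealer.example.internal, placeholder) ----
# Policy granting only what the seal needs: encrypt/decrypt with one key.
# Save as autounseal-policy.hcl and load with:
#   vault policy write autounseal autounseal-policy.hcl
# Then create the key and a token for the client Vault:
#   vault secrets enable transit
#   vault write -f transit/keys/autounseal
#   vault token create -policy=autounseal -orphan -period=24h

path "transit/encrypt/autounseal" {
  capabilities = ["update"]
}

path "transit/decrypt/autounseal" {
  capabilities = ["update"]
}

# ---- On the on-prem Vault being auto-unsealed (vault1.example.internal) ----
# Replaces the seal "awskms" stanza in vault.hcl; storage and listener
# stanzas are unchanged.

seal "transit" {
  address         = "https://vault-unsealer.example.internal:8200"  # placeholder
  # Token created above; prefer VAULT_TOKEN in the service environment
  # over storing it in the file.
  token           = "hvs.PLACEHOLDER"
  key_name        = "autounseal"
  mount_path      = "transit/"
  disable_renewal = "false"   # keep renewing the periodic token
  tls_ca_cert     = "/etc/vault.d/tls/unsealer-ca.pem"   # placeholder
}
```

Because the unsealer holds the key that wraps vault1's master key, it should be treated as the more sensitive of the two: its own seal must not depend on vault1, the periodic token should carry only the policy above, and the Transit audit log on the unsealer gives a clean record of every unseal, which is a useful detection signal if vault1's config file or token is ever copied elsewhere.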