Vault migration seal fail

I’m migrating from enterprise to OSS version using Cloud KMS, however, I’m getting the following error when running vault operator unseal -migrate

Error unsealing: Error making API request.

Code: 500. Errors:

* failed to check for keyring: cannot decode sealwrapped storage entry "core/keyring"

AFAIU this error might be because I’m using sealwrap and this feature is an enterprise only. How can I get over this issue?

Should I disable the seal wrap on the enterprise cluster, take a new snapshot and then restore it on the OSS version?

What would be the consequences of disabling that?

I believe Enterprise → OSS migrations are explicitly totally unsupported.

I don’t have a a citation to hand for that, but Enterprise writes so much extra stuff that OSS is not prepared to handle to the storage backend, that I don’t see how it could work.

And of course, it’s not a migration pathway that HashiCorp are commercially motivated to support…

You could try disabling sealwrap, and if you are not using any Enterprise-only features at all, then maybe, possibly, it might work - but you’ll be firmly in “if it breaks you get to keep the pieces” territory.

The supported procedure would be to set up a brand new OSS Vault, manually copy and re-configure what is needed, and then discard the old Enterprise Vault.