Vault migration seal fail

I’m migrating from the Enterprise to the OSS version using Cloud KMS; however, I’m getting the following error when running vault operator unseal -migrate:

Error unsealing: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/unseal
Code: 500. Errors:

* failed to check for keyring: cannot decode sealwrapped storage entry "core/keyring"

AFAIU this error might be because I’m using sealwrap and this feature is Enterprise-only. How can I get over this issue?

Should I disable the seal wrap on the enterprise cluster, take a new snapshot and then restore it on the OSS version?

What would be the consequences of disabling that?

I believe Enterprise → OSS migrations are explicitly totally unsupported.

I don’t have a citation to hand for that, but Enterprise writes so much extra stuff that OSS is not prepared to handle to the storage backend, that I don’t see how it could work.

And of course, it’s not a migration pathway that HashiCorp are commercially motivated to support…

You could try disabling sealwrap, and if you are not using any Enterprise-only features at all, then maybe, possibly, it might work - but you’ll be firmly in “if it breaks you get to keep the pieces” territory.

The supported procedure would be to set up a brand new OSS Vault, manually copy and re-configure what is needed, and then discard the old Enterprise Vault.