Vault raft bbolt db - path to recovery_keys

meraj-kashi · February 22, 2022, 10:21am

Hello,

Could you help me to find the base64 encrypted recovery_keys inside raft vault.db (bbolt)?
The cluster uses Raft and auto-unseal key using AWS KMS.
For the file store solution, Path to the encrypted recovery keys from the storage, found at core/_recovery-key.

bbolt keys vault.db data | grep core
core/audit
core/auth
core/autoloaded-license
core/cluster/feature-flags
core/cluster/local/info
core/hsm/barrier-unseal-keys
core/index-header-hmac-key
core/keyring
core/leader/dceb963e-72a2-f1d4-ea8f-c903dbb57dd1
core/local-audit
core/local-auth
core/local-mounts
core/lock
core/master
core/mounts
core/raft/tls
core/seal-config
core/shamir-kek
core/wrapping/jwtkey
core/recovery-config
core/recovery-key

bbolt get vault.db data core/recovery-key

the command says binary output and point to the KMS key!
I am trying to use same solution as here: GitHub - bruj0/vault-recovery-key: This tool will decrypt your Vault recovery keys when using KMS to decrypt recovery keys.

NB: I checked the Vault with file storage, and the file core/_recovery_key contains the hash value, but the Raft storage recovey_key value is binary!

Br,
Meraj

mju · May 2, 2023, 3:45pm

We can use some help with this matter as well. With raw_storage_endpoint = true, we got the following error message trying to read core/recovery_keys

vault read sys/raw/core/recovery-key
Error reading sys/raw/core/recovery-key: Error making API request.

URL: GET https://...:8200/v1/sys/raw/core/recovery-key
Code: 400. Errors:

* no decryption key available for term 170938832

(And just for others to not go down a wrong path, to enter the recovery mode, recovery keys are required. And the recovery keys are exactly the thing we are trying to recover.)

maxb · May 2, 2023, 4:58pm

The sys/raw/ API only works for regular Vault storage entries, encrypted via the main keyring.

Certain special entries are stored in other ways.

For example, core/recovery-key is encrypted with the seal/KMS key.

I suggest you may want to refer to the GitHub link in the previous post, which is a third-party tool someone wrote to grab the encrypted recovery key from storage, and ask the auto-unseal KMS to decrypt it.

mju · May 2, 2023, 9:05pm

Thanks for the response. I have solved the problem.
I found the answer at Raft storage · Issue #10 · bruj0/vault-recovery-key · GitHub
I also added some details to pay back to the community.

If you want to fetch recovery keys from Raft (integrated storage),
you need to migrate the storage to Filesystem (Filesystem - Storage Backends - Configuration | Vault | HashiCorp Developer) so you can get the unseal-key-encrypted keys. Then, you can use the linked tool to decrypt the recovery keys provided you have access to the auto unseal key.

Topic		Replies	Views
Missing recovery token of Vault deployed auto-unseal with AWS KMS Vault vault	4	677	February 20, 2022
Restore Vault cluster with Raft storage and AWS KMS as auto unseal key Vault	5	823	April 21, 2022
How to restore raft snapshot (from a vault with AWS KMS auto-unseal) on a fresh vault server Vault	4	1223	August 11, 2022
Botched deployment damaged core folder, now prod is down Vault k8s , vault	2	350	April 2, 2023
How to get recovery keys when migrating to AWS KMS seal? Vault	2	829	February 28, 2020

Vault raft bbolt db - path to recovery_keys

Related topics