Vault raft bbolt db - path to recovery_keys

Hello,

Could you help me find the base64-encrypted recovery_keys inside the Raft vault.db (bbolt)?
The cluster uses Raft and auto-unseal with an AWS KMS key.
For the file storage solution, the path to the encrypted recovery keys in storage is core/_recovery-key.

bbolt keys vault.db data | grep core
core/audit
core/auth
core/autoloaded-license
core/cluster/feature-flags
core/cluster/local/info
core/hsm/barrier-unseal-keys
core/index-header-hmac-key
core/keyring
core/leader/dceb963e-72a2-f1d4-ea8f-c903dbb57dd1
core/local-audit
core/local-auth
core/local-mounts
core/lock
core/master
core/mounts
core/raft/tls
core/seal-config
core/shamir-kek
core/wrapping/jwtkey
core/recovery-config
core/recovery-key

bbolt get vault.db data core/recovery-key

The command says binary output and points to the KMS key!
I am trying to use same solution as here: GitHub - bruj0/vault-recovery-key: This tool will decrypt your Vault recovery keys when using KMS to decrypt recovery keys.

NB: I checked Vault with file storage, and the file core/_recovery_key contains the hash value, but the Raft storage recovery_key value is binary!

Br,
Meraj

We could use some help with this matter as well. With raw_storage_endpoint = true, we got the following error message trying to read core/recovery_keys:

vault read sys/raw/core/recovery-key
Error reading sys/raw/core/recovery-key: Error making API request.

URL: GET https://...:8200/v1/sys/raw/core/recovery-key
Code: 400. Errors:

* no decryption key available for term 170938832

(And just for others to not go down a wrong path, to enter the recovery mode, recovery keys are required. And the recovery keys are exactly the thing we are trying to recover.)

The sys/raw/ API only works for regular Vault storage entries, encrypted via the main keyring.

Certain special entries are stored in other ways.

For example, core/recovery-key is encrypted with the seal/KMS key.

I suggest you may want to refer to the GitHub link in the previous post, which is a third-party tool someone wrote to grab the encrypted recovery key from storage, and ask the auto-unseal KMS to decrypt it.

Thanks for the response. I have solved the problem.
I found the answer at Raft storage · Issue #10 · bruj0/vault-recovery-key · GitHub
I also added some details to pay back to the community.

If you want to fetch recovery keys from Raft (integrated storage),
you need to migrate the storage to Filesystem (Filesystem - Storage Backends - Configuration | Vault | HashiCorp Developer) so you can get the unseal-key-encrypted keys. Then, you can use the linked tool to decrypt the recovery keys provided you have access to the auto unseal key.
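The procedure in the last post, written out as an added shell example (this is not code from the thread, from Vault, or from the bruj0/vault-recovery-key tool): it writes the migration config that moves the Raft data into the file backend, runs `vault operator migrate` when the binary is available, and then extracts the base64 value of the file-backend entry `core/_recovery-key` so it can be handed to the decryption tool. The storage paths, the constructed sample entry, and the `mktemp` working directory are assumptions for illustration; the tool's own command line is not shown because the thread does not document it.

```shell
#!/bin/sh
# Added example for this thread; not code from Vault, the thread, or the
# bruj0/vault-recovery-key tool. Paths used here are assumptions.
set -eu

# Step 1: migration config. "storage_source" and "storage_destination" are
# the stanza names "vault operator migrate -config" reads. The Raft path is
# the directory holding vault.db; the file path must be an empty directory.
write_migrate_config() {
    raft_path=$1
    file_path=$2
    out=$3
    cat > "$out" <<EOF
storage_source "raft" {
  path = "$raft_path"
}

storage_destination "file" {
  path = "$file_path"
}
EOF
}

# Step 2: run the migration. Vault must be offline on this node while it
# runs. Returns 1 (without doing anything) when no vault binary is on PATH.
run_migration() {
    cfg=$1
    if command -v vault >/dev/null 2>&1; then
        vault operator migrate -config="$cfg"
    else
        echo "vault not found on PATH; migration skipped" >&2
        return 1
    fi
}

# Step 3: the file backend stores every entry as one JSON object whose
# "Value" member is the raw value base64-encoded, and it prefixes the last
# path segment with "_", so core/recovery-key lands at
# <file_path>/core/_recovery-key. Prints that base64 string, which is the
# seal/KMS-encrypted blob the recovery-key tool expects.
extract_recovery_blob() {
    file_path=$1
    entry="$file_path/core/_recovery-key"
    [ -f "$entry" ] || { echo "missing $entry" >&2; return 1; }
    sed -n 's/.*"Value":"\([^"]*\)".*/\1/p' "$entry"
}

# Stand-alone demo on a constructed file-backend entry (the base64 payload
# below is made up; a real one is the KMS-wrapped recovery key blob).
demo() {
    work=$(mktemp -d)
    write_migrate_config /var/vault/raft "$work/file" "$work/migrate.hcl"
    mkdir -p "$work/file/core"
    printf '{"Key":"core/recovery-key","Value":"AAECAwQFBgc=","SealWrap":false}\n' \
        > "$work/file/core/_recovery-key"
    extract_recovery_blob "$work/file"
}

demo
```

After a real migration, replace the constructed entry with the one `vault operator migrate` produced under the file backend's `core/` directory; the output of `extract_recovery_blob` is what the linked tool decrypts with the auto-unseal KMS key, so the identity running it needs `kms:Decrypt` on that key.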