Could you help me to find the base64 encrypted recovery_keys inside raft vault.db (bbolt)?
The cluster uses Raft and auto-unseal key using AWS KMS.
For the file store solution, the path to the encrypted recovery keys in the storage is found at core/_recovery-key.
We can use some help with this matter as well. With raw_storage_endpoint = true, we got the following error message trying to read core/recovery_keys:
vault read sys/raw/core/recovery-key
Error reading sys/raw/core/recovery-key: Error making API request.
URL: GET https://...:8200/v1/sys/raw/core/recovery-key
Code: 400. Errors:
* no decryption key available for term 170938832
(And just for others to not go down a wrong path, to enter the recovery mode, recovery keys are required. And the recovery keys are exactly the thing we are trying to recover.)
The sys/raw/ API only works for regular Vault storage entries, encrypted via the main keyring.
Certain special entries are stored in other ways.
For example, core/recovery-key is encrypted with the seal/KMS key.
I suggest you may want to refer to the GitHub link in the previous post, which is a third-party tool someone wrote to grab the encrypted recovery key from storage, and ask the auto-unseal KMS to decrypt it.
If you want to fetch recovery keys from Raft (integrated storage), you need to migrate the storage to Filesystem (Filesystem - Storage Backends - Configuration | Vault | HashiCorp Developer) so you can get the unseal-key-encrypted keys. Then, you can use the linked tool to decrypt the recovery keys, provided you have access to the auto-unseal key.
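The Raft-to-filesystem migration suggested in the last reply can be described with a migration config like the one below. This is an added example, not something posted in the thread; both directory paths and the file name migrate.hcl are assumptions to adapt to your own node.

```hcl
# migrate.hcl (assumed file name), used as:
#   vault operator migrate -config=migrate.hcl
#
# "vault operator migrate" works directly on the storage backends, so
# run it while Vault is stopped, ideally against a copy of the Raft
# data directory rather than the live one.

# Source: the integrated storage (Raft) data directory, i.e. the
# directory that holds vault.db and the raft/ subdirectory.
# Assumed path: a copy of the node's data directory.
storage_source "raft" {
  path = "/opt/vault/data-copy"
}

# Destination: a new, empty directory for the file backend.
# Assumed path. After the migration, the entry mentioned earlier in the
# thread is a regular file at <path>/core/_recovery-key.
storage_destination "file" {
  path = "/opt/vault/file-export"
}

# The exported entry is still encrypted with the seal (AWS KMS) key.
# It only becomes readable to someone who can also call Decrypt on
# that KMS key, so keep the export directory as tightly restricted as
# the original Raft data and delete it once the recovery is done.
```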