I have a Vault instance that was configured with autounseal: transit from a secondary vault instance. I lost the secondary vault instance and I am looking for a method to recover my access to the primary instance. I still have the root key and unseal keys, but I don’t know how to migrate back from transit to shamir considering that vault is sealed.
Any tips?
Hi, I asked almost the same question; curious to know how to recover cluster #1 when cluster #2 is not available for some reason. I think according to the documentation you can’t restore it just with recovery keys, the cluster must be active too, but curious to know if there is a solution to this…
Check this
Especially the following note:
Recovery keys cannot decrypt the root key
Recovery keys cannot decrypt the root key and thus are not sufficient to unseal Vault if the auto unseal mechanism isn’t working. They are purely an authorization mechanism. Using auto unseal creates a strict Vault lifecycle dependency on the underlying seal mechanism. This means that if the seal mechanism (such as the Cloud KMS key) becomes unavailable, or deleted before the seal is migrated, then there is no ability to recover access to the Vault cluster until the mechanism is available again. If the seal mechanism or its keys are permanently deleted, then the Vault cluster cannot be recovered, even from backups. To mitigate this risk, we recommend careful controls around management of the seal mechanism, for example using AWS Service Control Policies or similar. With Vault Enterprise secondary clusters (disaster or performance) can have a seal configured independently of the primary, and when properly configured guards against some of this risk. Unreplicated items such as local mounts could still be lost.
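The quoted note says recovery is impossible once the transit seal is gone, so the only defensive move is to migrate the seal back to Shamir while the transit Vault is still reachable. The script below is an added example of that migration, not code from the thread or from HashiCorp; the transit address, key name, mount path and recovery-key file are placeholders. It puts the node into seal-migration mode by keeping the transit stanza (Vault must decrypt the root key one last time) and adding `disabled = "true"`, then feeds the recovery keys to `vault operator unseal -migrate`, after which those recovery keys become the Shamir unseal keys.

```shell
#!/usr/bin/env bash
# Added example (not the poster's or HashiCorp's code): move a Vault node from
# transit auto-unseal back to Shamir while the transit Vault is still up.
# Placeholders: transit address, key name, mount path, recovery-key file.
set -euo pipefail

# Render the seal stanza for seal-migration mode. The transit settings stay so
# Vault can still ask the secondary to decrypt the root key; disabled = "true"
# tells Vault that the next `unseal -migrate` moves to Shamir. The transit token
# is read by the Vault process from VAULT_TOKEN and is not written to disk here.
render_migration_seal_stanza() {
  local transit_addr="$1" key_name="$2" mount_path="$3"
  cat <<EOF
seal "transit" {
  address    = "${transit_addr}"
  key_name   = "${key_name}"
  mount_path = "${mount_path}"
  disabled   = "true"
}
EOF
}

# Submit recovery keys with -migrate until the node is unsealed. `vault status`
# exits 0 once unsealed and 2 while sealed, so it doubles as the loop check.
# KEYFILE holds one recovery key per line (placeholder; keep it on a protected
# volume and shred it afterwards).
migrate_to_shamir() {
  local keyfile="$1" key
  while IFS= read -r key; do
    [ -n "$key" ] || continue
    vault operator unseal -migrate "$key" >/dev/null
    if vault status >/dev/null 2>&1; then
      break
    fi
  done <"$keyfile"
  # Confirm the seal type changed; the JSON output carries "type": "shamir".
  vault status -format=json | grep -q '"type": *"shamir"'
}

# Run only when asked explicitly, so sourcing the file for review is harmless.
if [ "${RUN_SEAL_MIGRATION:-0}" = "1" ]; then
  # 1. write the migration stanza into the node config (placeholder paths)
  render_migration_seal_stanza \
    "https://transit-vault.example.internal:8200" "autounseal" "transit/" \
    >/etc/vault.d/seal-migration.hcl
  # 2. restart Vault so it starts in migration mode (unit name is a placeholder)
  systemctl restart vault
  # 3. migrate with the recovery keys and verify the Shamir seal
  migrate_to_shamir /run/vault/recovery-keys.txt
fi
```

Run it on the active node after the transit Vault's key and token have been verified to still work; on an HA cluster, roll the same stanza out to the standby nodes before restarting them so they come up with the Shamir seal. Once `vault status` reports `Seal Type shamir`, the dependency on the secondary cluster is gone and the former recovery keys are the unseal keys to guard.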