Vault rekey: not enough team members to recover it


My team members left the company, and now we don't have enough keys to rekey our Vault.

This is a staging instance.

Is there another way to reset all of this and start from a clean slate in terms of issuing the rekey command?

Thank you,

@laurentiuspurba the same thing happened to us. I don't think you have a way to run the rekey command to generate a new set of unseal keys. What we did was spin up a new Vault with a new set of keys. Then restore from snapshots.

How is that even possible? You need the original keys to restore the snapshots.

Hi @soulmaker, could you share how to restore it from snapshots? Links, docs, a quick how-to, or anything I can learn from would be great. Thanks!

@laurentiuspurba now that I think about it and recall, sorry, we didn't do a snapshot restore to resolve this, as once you perform the snapshot restore it will restore the unseal keys as well.

What we did, since at that time we needed to migrate our storage backend from Consul to Raft: we used that opportunity to fix the issue with our missing unseal keys. Since our Vault configuration is in code, after we did the storage migration we created a new Vault cluster and ran a script to copy all the secrets recursively. It won't take the whole version history of the secrets, as it only copies the latest version. You can only run this script to copy the secrets if you have the root key or someone who can access all the secrets.

As far as I know, unless you use a PGP key and take a backup when you run your initial unseal command, there is no other option to recover. Hence it is really recommended to have an extra person in the org holding an unseal key.
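A worked version of the recursive copy @soulmaker describes, added here as an illustration (this is not the script from the thread and not HashiCorp's code). It walks a KV v2 mount on the old cluster with the LIST metadata endpoint, reads only the latest version of each secret, and writes it into the new cluster, so version history is lost exactly as the post says. It assumes both mounts are KV v2, that the source token can read every path (a root token, or a policy granting it), and uses hypothetical environment variable names SRC_VAULT_ADDR / SRC_VAULT_TOKEN / DST_VAULT_ADDR / DST_VAULT_TOKEN; the in-memory MemoryKV class is a constructed stand-in for dry runs without a live Vault.

```python
import json
import os
import urllib.request
from urllib.error import HTTPError


class VaultKV2:
    """Minimal KV v2 client over Vault's HTTP API (stdlib only)."""

    def __init__(self, addr, token, mount="secret"):
        self.addr = addr.rstrip("/")
        self.token = token
        self.mount = mount.strip("/")

    def _request(self, method, url_path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{url_path}", data=data, method=method)
        req.add_header("X-Vault-Token", self.token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def list(self, path):
        # LIST on the metadata endpoint; Vault answers 404 for an empty folder.
        try:
            return self._request("LIST", f"{self.mount}/metadata/{path}")["data"]["keys"]
        except HTTPError as e:
            if e.code == 404:
                return []
            raise

    def get(self, path):
        # Reads the latest version only; 404 means nothing readable (e.g. soft-deleted).
        try:
            return self._request("GET", f"{self.mount}/data/{path}")["data"]["data"]
        except HTTPError as e:
            if e.code == 404:
                return None
            raise

    def put(self, path, data):
        # Creates version 1 of the secret on the destination mount.
        self._request("POST", f"{self.mount}/data/{path}", {"data": data})


class MemoryKV:
    """Constructed in-memory stand-in with the same list/get/put shape, for dry runs."""

    def __init__(self, secrets=None):
        self.secrets = dict(secrets or {})

    def list(self, path):
        keys = set()
        for p in self.secrets:
            if p.startswith(path):
                rest = p[len(path):]
                keys.add(rest.split("/")[0] + "/" if "/" in rest else rest)
        return sorted(keys)

    def get(self, path):
        return self.secrets.get(path)

    def put(self, path, data):
        self.secrets[path] = data


def copy_tree(src, dst, path=""):
    """Recursively copy the latest version of every secret under `path`.

    KV v2 LIST returns folders with a trailing slash and leaf secrets without one,
    so the slash decides whether to recurse or to copy. Returns the copied paths.
    """
    copied = []
    for key in src.list(path):
        full = path + key
        if key.endswith("/"):
            copied.extend(copy_tree(src, dst, full))
        else:
            data = src.get(full)
            if data is None:  # skip soft-deleted/destroyed latest versions
                continue
            dst.put(full, data)
            copied.append(full)
    return copied


if __name__ == "__main__":
    # Hypothetical variable names; point these at the old and new clusters.
    src = VaultKV2(os.environ["SRC_VAULT_ADDR"], os.environ["SRC_VAULT_TOKEN"],
                   os.environ.get("SRC_MOUNT", "secret"))
    dst = VaultKV2(os.environ["DST_VAULT_ADDR"], os.environ["DST_VAULT_TOKEN"],
                   os.environ.get("DST_MOUNT", "secret"))
    for p in copy_tree(src, dst):
        print("copied", p)
```

Run it once against a scratch mount on the new cluster before the real migration, and revoke the source token afterwards: the token that can read every path is the most sensitive credential in this whole procedure.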

Hi @soulmaker, thanks for the info. Since mine is staging, I guess I can nuke them and start fresh and clean.

@laurentiuspurba no worries. I hope I could give you an easier solution to retrieve it, but I guess this feature makes Vault more secure.


One last follow-up question :grinning:
Is having a root token useful for rekey process? :crossed_fingers:

@laurentiuspurba unfortunately not; a root token cannot perform unsealing or generate new unseal keys.