Vault rekeying asking for new threshold number of unseal keys instead of using current threshold

Hi all,

The documentation for the rekeying process explains:

Before continuing, you should ensure enough unseal key holders are available to assist with the rekeying to match the threshold configured when the keys were issued.

In my case, here’s vault status (which shows a current threshold of 1):

➜  ~ vault status
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.18.0
Build Date              2024-10-08T09:12:52Z
Storage Type            raft
Cluster Name            xxxxxx
Cluster ID              b9700b60-b27c-c912-ace9-577356e4209e
HA Enabled              true
HA Cluster              https://xxxxxxx.xxxxxxx.com:8201
HA Mode                 active
Active Since            2024-10-15T07:16:07.823587805Z
Raft Committed Index    193688
Raft Applied Index      193688

However, when I run the rekey command it somehow asks for as many unseal keys as the new threshold (here 2):

➜  ~ vault operator rekey -init -key-shares=3 -key-threshold=2
Key                      Value
---                      -----
Nonce                    f592ff9b-6c26-5a6b-6f0d-a267200cef54
Started                  true
Rekey Progress           0/2
New Shares               3
New Threshold            2
Verification Required    false

I then provide the only existing unseal key:

➜  ~ vault operator rekey
Rekey operation nonce: f592ff9b-6c26-5a6b-6f0d-a267200cef54
Unseal Key (will be hidden):
Key                      Value
---                      -----
Nonce                    f592ff9b-6c26-5a6b-6f0d-a267200cef54
Started                  true
Rekey Progress           1/2
New Shares               3
New Threshold            2
Verification Required    false

Problem
The rekeying process seems to still be waiting for another unseal key to complete the process (which would match the new threshold of 2).
*Providing the same unseal key twice results in an error.

Am I misunderstanding how the rekeying process is supposed to work? I am expecting to provide only the number of existing unseal keys (in this case only 1).

Note

It seems the issue is the same even when specifying a new threshold of 1 (still showing a 2-step rekey process):

➜  ~ vault operator rekey -init -key-shares=1 -key-threshold=1
Key                      Value
---                      -----
Nonce                    f72fcf92-82d6-c7b6-095c-1b0a1033241f
Started                  true
Rekey Progress           0/2
New Shares               1
New Threshold            1
Verification Required    false

Thank you for your help.
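A pre-flight check for the situation above, added here as an example (not the poster's code and not part of Vault): it reads the JSON from `vault status -format=json` and `vault operator rekey -status -format=json`, takes `required` as the number of existing keys Vault wants (the new threshold `t` in the rekey status does not count), and flags a mismatch against the seal status threshold before anyone submits a key. The sample payloads are constructed, and the field names are assumed to follow the `sys/seal-status` and `sys/rekey/init` API responses.

```python
import json

# Constructed sample payloads mirroring the thread: seal status reports
# threshold t=1 while the rekey status asks for 2 existing keys.
SEAL_STATUS_JSON = '{"type": "shamir", "initialized": true, "sealed": false, "t": 1, "n": 1}'
REKEY_STATUS_JSON = ('{"nonce": "f592ff9b-6c26-5a6b-6f0d-a267200cef54", "started": true,'
                     ' "t": 2, "n": 3, "progress": 0, "required": 2,'
                     ' "verification_required": false}')


def rekey_preflight(seal_status: dict, rekey_status: dict,
                    holders_present: int, expected_nonce: str = "") -> dict:
    """Decide whether it is safe to start feeding existing unseal keys into a rekey.

    Returns {"proceed": bool, "reason": str, "keys_needed": int}, where keys_needed
    is how many more *current* keys Vault still wants (required - progress).
    """
    if not rekey_status.get("started"):
        return {"proceed": False, "reason": "no rekey in progress", "keys_needed": 0}
    # The nonce identifies one rekey attempt; a different nonce means another
    # attempt was started (or this one was cancelled) since -init was run.
    if expected_nonce and rekey_status.get("nonce") != expected_nonce:
        return {"proceed": False, "reason": "nonce changed since -init; re-check status",
                "keys_needed": 0}
    required = int(rekey_status["required"])
    remaining = required - int(rekey_status.get("progress", 0))
    current_t = int(seal_status["t"])
    if required != current_t:
        # This is the discrepancy in the thread: 'required' is what Vault will
        # actually enforce, so confirm how many key holders exist before continuing.
        return {"proceed": False, "keys_needed": remaining,
                "reason": f"rekey requires {required} existing keys but seal status "
                          f"reports threshold {current_t}; confirm key holders first"}
    if holders_present < remaining:
        return {"proceed": False, "keys_needed": remaining,
                "reason": f"{remaining} more keys needed, only {holders_present} holders present"}
    return {"proceed": True, "reason": "ok", "keys_needed": remaining}


def preflight_from_json(seal_json: str, rekey_json: str,
                        holders_present: int, expected_nonce: str = "") -> dict:
    """Same check, fed directly with the -format=json output of both commands."""
    return rekey_preflight(json.loads(seal_json), json.loads(rekey_json),
                           holders_present, expected_nonce)


if __name__ == "__main__":
    print(preflight_from_json(SEAL_STATUS_JSON, REKEY_STATUS_JSON, holders_present=1))
```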

Hi @r003k
From the output:
Rekey Progress 0/2
it looks like Vault is expecting two existing unseal keys. It means that, when you initialized Vault, you have specified a threshold of two unseal keys. It is not the same key.
You can check out the official documentation where it explains the unseal process in more detail: