Vault Unseal With Custom KMS Key (BYOK)

I’m creating a KMS key in AWS with my own key material and using that KMS key to configure Vault auto unseal. It works perfectly, but I am trying to simulate a scenario where I lose the KMS key and need to create a new one with the same key material.
My expectation was that the new key could still unseal Vault as the key material is the same, but Vault still seems to reference the old key ARN somehow (after updating the config to point to the new key ARN).

Using Vault 1.18.1 running in EKS

Is there a way to unseal Vault with the new KMS key that contains the same key material?


When you create a new key (even with the same material), the key is still different than the original key you created. The key material protects the key; it is not the key itself, nor does it recreate an identical key.

The AWS auto-unseal mechanism does support AWS rotation, so you can configure the KMS to create new keys (though not your specific scenario):

In your scenario where you are planning for the key to be totally lost, I would look into seal HA where you can configure multiple unseal mechanisms so if one is lost, you can still access Vault:

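Added example, not part of the thread: a server configuration with two `awskms` seals so that losing one KMS key does not leave Vault permanently sealed. It assumes Vault Enterprise (seal HA is an Enterprise feature) and uses placeholder key ARNs and regions.

```hcl
# Two independent KMS keys, ideally in different regions or accounts.
# Vault can unseal as long as at least one of them is reachable, and
# the loss of a single key no longer blocks access to the cluster.
seal "awskms" {
  name       = "kms-primary"
  priority   = "1"                                   # preferred seal
  region     = "REGION-A"                            # placeholder
  kms_key_id = "arn:aws:kms:REGION-A:ACCOUNT-ID:key/KEY-ID-A"  # placeholder
}

seal "awskms" {
  name       = "kms-secondary"
  priority   = "2"                                   # fallback seal
  region     = "REGION-B"                            # placeholder
  kms_key_id = "arn:aws:kms:REGION-B:ACCOUNT-ID:key/KEY-ID-B"  # placeholder
}

# To retire a lost or compromised key later, mark its stanza
# disabled = "true" (rather than deleting the stanza), restart,
# and let Vault re-wrap the root key with the remaining seals.
```

Keep the seal names stable across restarts; Vault uses them to track which seals currently wrap the root key.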

This was helpful - we were trying to figure out if the plan we had was possible. Thanks a ton for sharing your knowledge!
