Hi, we are using AWS KMS to use the auto-unseal mechanism.
However as KMS is region based, what would happen if KMS in the region that is being used by vault is down for whatever reasons?
Is there to recover from that, or bypass the issue, how would we unseal the node then?
What would you do ?
Hi there! There is no possible way to recover or bypass unseal if the underlying autoseal mechanism (KMS in this case) is not available. A possible way to mitigate this issue would be to have a replicated cluster that uses a different autoseal (e.g. KMS from a different region) which you can fallback to in case the primary cluster is unable to unseal.
Thanks Calvn for the reply, replication is enterprise version as I understand, right?
Would it be possible to use 2 auto-unseal mechanics maybe? one from AWS kms and second from gcp as a failover ?
Yes, replication is an enterprise feature. You can use different auto-unseal mechanisms for each cluster like you described (i.e. one using AWS and the other using GCP).
That seems dangerous. There is really no way of saving a cluster if you lose the auto-unseal ?What is the recovery key for then ? What are you supposed to do if you use HSM ? and even if you have replication, what if a software bug in both your HSMs make you lose them both ? is all your vault data lost ?