Where does Vault store its encrypted master key when we use the transit auto unseal option?

Hi, where does Vault store its encrypted master key when we use the transit auto unseal option, in an integrated storage setup on Vault 1.6.x?

Is this encrypted master key manually accessible?

Vault stores the encrypted master key (and all its data) within its own storage backend; that is to say, it does not store anything on the transit Vault cluster but just uses it to decrypt the key.

This might help:

and

Hi Mike, thank you for the reply. I was wondering if we can manually get/read the encrypted master key from the storage backend, and if so, how? I think 1.6.x integrated storage uses boltdb.

There’s not a native/supported way to do that. You could look through the source code and extract it from the boltdb.
