-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Transit to shamir recovery #9316
Comments
6 days and no reply - is that a mystery :) or did noone had this case before? Cluster A (Shamir) --> Cluster B (transit from A) How to unseal cluster B (or how to perform the recovery), when cluster A is down and cannot be started? |
Hi @sirkubax, There's no way to do anything with a Vault cluster if its seal is unusable, which is the case for a transit seal whose transit instance is not reachable. I think I saw elsewhere that you're trying to have two clusters mutually unseal one another, which is not a viable configuration. It may work for a little while, but sooner or later will break down and then you'll be stuck. |
Thanks for the reply @ncabatoff. I still learn how Vault works. My idea was - would it be possible to have a 'backup' unseal procedure - both shamir+transit for the same credentials set, so if transit is unavailable one could use shamir. A bit like gpg works :) As I get it now - currently one need to have 'working' unsealed cluster and performs >migration< to another seal and that is a problem. |
Yes, I understand what you want - it's not an uncommon feature request, e.g. #9421 just came in. Unfortunately it's not currently possible in Vault to have "insurance" if your seal mechanism breaks. If you use a cloud KMS as your auto-unseal mechanism it's not really an issue. If you want to run entirely on-prem, and thus want to use transit auto-unseal, I suggest you take regular snapshots of the transit Vault server and have a means to deploy a new instance and restore the snapshot in case something happens to the transit Vault server. Or just use shamir. |
@ncabatoff Do I understand correctly that there is ABSOLUTELY NO a method unseal of What if export and backup |
That is my understanding of the situation, yes. To unseal, you need to get access to the master decryption key. With Shamir sealing, the Shamir key is the master key, but also acts as the recovery key. Why? If you know the master key then you could decrypt the database yourself anyway; so Vault may as well issue you a root token. But with transit sealing, the master key (which encrypts the data) and the recovery key (which instructs Vault to generate a root token) are different. Taking this to the limit: when you are using a cloud KMS like AWS or GCP, Vault never learns the master key itself, since all the encryption and decryption is done by the KMS. The recovery key therefore must be different to the master key. I do agree that when you are using transit sealing, it would be extremely helpful to have an option for manual unsealing, as an insurance policy against the upstream Vault being destroyed. This is technically possible, but has not been implemented.
Yes, but I suggest you forget about "cross sealing". Instead, make a tree: have one "parent" vault which does unsealing for one or more "child" vaults. The "parent" vault is dedicated to the unsealing function, so requires very little in the way of resources. If you run it as a tiny instance in AWS or GCP, then it can unseal itself. |
Marking this as a duplicate of #6046. |
Hello
BUG:
Documentation is a bit thin when it comes to transit recovery in general.
How one suppose to perform migration back from transit to shamir, when the 'transit-source' (here 10.10.1.138:8200) is down?
Why the server does not start and wait so I could
vault operator unseal -migrate
, when the the seal "transit" is disabled?What is more, I though I could fake it with anything pretending to listen on that port (like nc -l 127.0.0.1 8200)
or fake it with an fresh instance of vault - just to let vault server boot (should not matter since it is disabled right? :D )
Depending on weather I pass token from original transit source (10.10.1.138:8200) or from new temporary service (10.10.1.9:8400) I get either permission denied, or 'proper disabled' message (in that case, manual unseal failed, I guess keys should match somehow with former transit??)
Example:
Original token from 10.10.1.138:8200, while (disabled) seal transit points already to 10.10.1.9:8400 - cannot even try to migrate
Proper token of vault 10.10.1.9:8400 - fails to
vault operator unseal -migrate
The text was updated successfully, but these errors were encountered: