hashicorp · stevendpclark · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025
@@ -0,0 +1,12 @@
+### Full seal rewraps occur on DR/PR failover with multi-seal enabled ((#multi-seal-rewrap)) <EnterpriseAlert inline="true" />
+
+| Change      | Affected versions                              | Fixed version |
+|-------------|------------------------------------------------|---------------|
+| Known issue | 1.20.x+ent, 1.19.x+ent, 1.18.x+ent, 1.16.x+ent | None          |
+
+A full rewrap happens when Vault fails over to a DR or performance cluster with `enable_multiseal = true`.
+The rewrap can lead to performance degradation until the rewrap operation completes.
+
+#### Recommendation
+
+The only workaround is to disable multi-seal support.
@@ -50,3 +50,4 @@ Found   | Fixed   | Workaround | Edition    | Issue
 1.16.16 | 1.16.20 | Upgrade    | All        | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.16.x/updates/important-changes#ldap-static-role-rotations-on-upgrade)
 1.16.17 | 1.16.21 | **Yes**    | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.16.x/updates/important-changes#external-ent-plugins)
 1.16.18 | 1.16.21 | Upgrade    | All        | [Azure authN fails to authenticate Uniform VMSS instances](/vault/docs/v1.16.x/updates/important-changes#azure-auth-fails-to-authenticate-uniform-vmss-instances)
+1.16.0  | No      | No         | Enterprise | [Full seal rewraps occur on DR/PR failover with multi-seal enabled](/vault/docs/v1.16.x/upgrading/upgrade-to-1.16.x#multi-seal-rewrap)
@@ -34,3 +34,4 @@ Found  | Fixed   | Workaround | Edition    | Issue
 1.18.5 | 1.18.9  | Upgrade    | All        | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.18.x/updates/important-changes#ldap-static-role-rotations-on-upgrade)
 1.18.6 | 1.18.10 | **Yes**    | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.18.x/updates/important-changes#external-ent-plugins)
 1.18.7 | 1.18.10 | **Yes**    | All        | [Azure authN fails to authenticate Uniform VMSS instances](/vault/docs/v1.18.x/updates/important-changes#azure-auth-fails-to-authenticate-uniform-vmss-instances)
+1.18.0  | No     | No         | Enterprise | [Full seal rewraps occur on DR/PR failover with multi-seal enabled](/vault/docs/v1.18.x/upgrading/upgrade-to-1.18.x#multi-seal-rewrap)
@@ -43,3 +43,4 @@ Found  | Fixed  | Workaround | Edition    | Issue
 1.18.4 | No     | **Yes**    | All        | [Failing credential refresh for Snowflake DB secrets engine key pair authentication](/vault/docs/v1.19.x/updates/important-changes#snowflake-keypair-refresh)
 1.19.0 | No     | No         | All        | [Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag](/vault/docs/v1.19.x/updates/important-changes#local-auth-known-issue)
 1.19.0 | No     | **Yes**    | Enterprise | [Missed events with multiple event clients](/vault/docs/v1.19.x/updates/important-changes#missed-events)
+1.19.0 | No     | No         | Enterprise | [Full seal rewraps occur on DR/PR failover with multi-seal enabled](/vault/docs/v1.19.x/updates/important-changes#multi-seal-rewrap)
@@ -31,3 +31,4 @@ Found  | Fixed  | Workaround | Edition    | Issue
 1.20.0 | 1.20.1 | **Yes**    | All        | [Duplicate LDAP password rotations on standby node check-in](/vault/docs/v1.20.x/updates/important-changes#ldap-checkin)
 1.19.0 | No     | No         | All        | [Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag](/vault/docs/v1.20.x/updates/important-changes#local-auth-known-issue)
 1.19.0 | No     | **Yes**    | Enterprise | [Missed events with multiple event clients](/vault/docs/v1.20.x/updates/important-changes#missed-events)
+1.20.0 | No     | No         | Enterprise | [Full seal rewraps occur on DR/PR failover with multi-seal enabled](/vault/docs/v1.20.x/updates/important-changes#multi-seal-rewrap)
@@ -308,3 +308,5 @@ If you use `file` audit devices, you need to:
 @include 'known-issues/sync-activation-flags-cache-not-updated.mdx'
 
 @include 'known-issues/enterprise-plugins.mdx'
+
+@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx'
@@ -301,4 +301,6 @@ more details, and information about opt-out.
 
 @include 'known-issues/sync-activation-flags-cache-not-updated.mdx'
 
-@include 'known-issues/enterprise-plugins.mdx'
+@include 'known-issues/enterprise-plugins.mdx'
+
+@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx'
@@ -246,3 +246,5 @@ If you use `file` audit devices, you need to:
 @include 'known-issues/azure-auth-fails-uniform-vmss.mdx'
 
 @include 'known-issues/enterprise-plugins.mdx'
+
+@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx'
@@ -516,3 +516,5 @@ filters you have two options:
 
 1. Spread them out among the nodes of the Vault cluster.
 1. Only subscribe to events on the active node of the cluster.
+
+@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx'
@@ -400,3 +400,5 @@ filters you have two options:
 
 1. Spread them out among the nodes of the Vault cluster.
 1. Only subscribe to events on the active node of the cluster.
+
+@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx'
Original file line number	Diff line number	Diff line change
Expand Up		@@ -308,3 +308,5 @@ If you use `file` audit devices, you need to:
		@include 'known-issues/sync-activation-flags-cache-not-updated.mdx'

		@include 'known-issues/enterprise-plugins.mdx'

		@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx'
Original file line number	Diff line number	Diff line change
Expand Up		@@ -246,3 +246,5 @@ If you use `file` audit devices, you need to:
		@include 'known-issues/azure-auth-fails-uniform-vmss.mdx'

		@include 'known-issues/enterprise-plugins.mdx'

		@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx'
Original file line number	Diff line number	Diff line change
Expand Up		@@ -516,3 +516,5 @@ filters you have two options:

		1. Spread them out among the nodes of the Vault cluster.
		1. Only subscribe to events on the active node of the cluster.

		@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx'
Original file line number	Diff line number	Diff line change
Expand Up		@@ -400,3 +400,5 @@ filters you have two options:

		1. Spread them out among the nodes of the Vault cluster.
		1. Only subscribe to events on the active node of the cluster.

		@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx'