Vault: Unable to migrate seal configuration away from AWS KMS

Created on 29 Nov 2019 · 5 comments · Source: hashicorp/vault

Describe the bug
I am unable to migrate away from awskms seal type if vault was initialized with the awskms seal configuration originally.

To Reproduce

  1. Initialize vault with awskms enabled:

     seal "awskms" {
       #disabled = "true"
       region = "eu-central-1"
       kms_key_id = "*redacted*"
     }

  2. Modify config by adding disabled = "true" in the seal section.
  3. Restart vault
  4. vault operator unseal -migrate x3

Then I get the following error.

Error unsealing: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/sys/unseal
Code: 500. Errors:

* error setting new barrier key information during migrate: stored keys are not supported

Expected behavior
I expected the vault to be unsealed and converted to shamir Seal Type like described in the documentation: https://www.vaultproject.io/docs/concepts/seal.html#seal-migration

If the vault is first initialized without awskms the migration works as expected both ways. I believe this is a bug, or at least it is unclear in the documentation.

Is there a way to work around this for an existing cluster?

Environment:

  • Vault Server Version (retrieve with vault status): Version 1.3.0
  • Vault CLI Version (retrieve with vault version): Version 1.3.0
  • Server Operating System/Architecture: Ubuntu

Vault server configuration file(s):

seal "awskms" {
  region = "eu-central-1"
  kms_key_id = "*redacted*"
}
bug cormigration

All 5 comments

I'm hitting the same issue with the transit autounseal method.
My configuration is:

{
  "listener": {
    "tcp": {
      "address": "127.0.0.1:8200",
      "tls_disable": 1
    }
  },
  "storage": {
    "file": {
      "path": "/data"
    }
  },
  "disable_mlock": true,
  "seal": {
    "transit": {
      "disabled": "true",
      "address": "http://vaultInfra:8200",
      "disable_renewal": "false",
      "key_name": "autounseal",
      "mount_path": "transit/",
      "tls_skip_verify": "true"
    }
  }
}

And when I try to migrate, I get:

$ vault operator unseal -migrate
Unseal Key (will be hidden): 
Key                           Value
---                           -----
Seal Type                     shamir
Initialized                   true
Sealed                        true
Total Shares                  3
Threshold                     2
Unseal Progress               1/2
Unseal Nonce                  41531879-5565-bd37-5278-a6ca7dc242f3
Seal Migration in Progress    true
Version                       1.3.0
HA Enabled                    false

$ vault operator unseal -migrate
Unseal Key (will be hidden): 
Error unsealing: Error making API request.

URL: PUT http://localhost:8200/v1/sys/unseal
Code: 500. Errors:

* error setting new barrier key information during migrate: stored keys are not supported
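The issue body and the comment above describe the same procedure (set disabled = "true" on the auto-unseal stanza, restart, then repeat vault operator unseal -migrate until the threshold is met) and show the status table Vault prints while a migration is in progress. The following is an added pre-flight check, not code from the thread or from the Vault project: it reads a JSON server config and the key/value output of vault operator unseal -migrate or vault status, reports how many unseal calls remain, and flags a server older than 1.3.2 (the version the thread reports as fixing this failure) as one where migrating away from an auto-unseal seal that the cluster was initialized with will hit "stored keys are not supported". The config and status text embedded below are constructed from the samples in this thread; the function and constant names are this example's own.

```python
"""Pre-flight checks before running `vault operator unseal -migrate`.

Added example (not part of the issue or of Vault). Inputs are parsed from
text so the script runs offline; in practice feed it the real config file
and the captured output of `vault status`.
"""
import json
import re

# Sample config constructed from the transit example in this thread.
SAMPLE_CONFIG = """{
  "storage": {"file": {"path": "/data"}},
  "seal": {
    "transit": {
      "disabled": "true",
      "address": "http://vaultInfra:8200",
      "key_name": "autounseal",
      "mount_path": "transit/"
    }
  }
}"""

# Sample status table constructed from the `unseal -migrate` output above.
SAMPLE_STATUS = """\
Key                           Value
---                           -----
Seal Type                     shamir
Initialized                   true
Sealed                        true
Total Shares                  3
Threshold                     2
Unseal Progress               1/2
Unseal Nonce                  41531879-5565-bd37-5278-a6ca7dc242f3
Seal Migration in Progress    true
Version                       1.3.0
HA Enabled                    false
"""

# The thread reports the "stored keys are not supported" failure fixed in 1.3.2.
FIXED_IN = (1, 3, 2)

# One row of Vault's key/value table: key, two or more spaces, value.
_ROW = re.compile(r"^(\S.*?)\s{2,}(\S.*)$")


def seal_stanza(config_text):
    """Return (seal_type, disabled) from a JSON config; (None, False) if no seal block."""
    seal = json.loads(config_text).get("seal") or {}
    if not seal:
        return None, False
    seal_type, opts = next(iter(seal.items()))
    disabled = str(opts.get("disabled", "false")).lower() == "true"
    return seal_type, disabled


def parse_status(text):
    """Parse the `vault status` table into a dict, skipping header and rule lines."""
    fields = {}
    for raw in text.splitlines():
        m = _ROW.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Key" or key.startswith("-"):
            continue
        fields[key] = value
    return fields


def parse_version(s):
    """'1.3.0' -> (1, 3, 0) so versions compare as tuples."""
    return tuple(int(p) for p in s.strip().split(".")[:3])


def migration_plan(config_text, status_text):
    """Combine config and status into a plan with warnings for an operator."""
    seal_type, disabled = seal_stanza(config_text)
    status = parse_status(status_text)
    version = parse_version(status.get("Version", "0.0.0"))
    done, threshold = (int(x) for x in status.get("Unseal Progress", "0/0").split("/"))
    auto_seal = seal_type not in (None, "shamir")
    plan = {
        "seal_type": seal_type,
        "disabled": disabled,
        "version": version,
        "migrating": status.get("Seal Migration in Progress") == "true",
        "remaining": max(threshold - done, 0),   # unseal -migrate calls still needed
        "affected": auto_seal and version < FIXED_IN,
        "warnings": [],
    }
    if auto_seal and not disabled:
        plan["warnings"].append(
            'seal stanza needs disabled = "true" before running unseal -migrate')
    if plan["affected"]:
        plan["warnings"].append(
            "server < 1.3.2: migrating away from an auto-unseal seal the cluster was "
            "initialized with fails with 'stored keys are not supported'; upgrade first")
    return plan


if __name__ == "__main__":
    for k, v in migration_plan(SAMPLE_CONFIG, SAMPLE_STATUS).items():
        print(f"{k}: {v}")
```

Run it against a real deployment by replacing the two sample strings with the contents of the server config and the output of vault status; a non-empty warnings list means the migration should not be started yet.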

Same issue for me too.

Same issue also for 1.3.1 using gcpckms keys when converting to shamir

I also hit this issue when attempting to convert from awskms to shamir

This issue has been resolved in Vault 1.3.2 https://github.com/hashicorp/vault/pull/8172

Conversion from auto seal gcpckms to shamir is working as expected without the error.
