Migrate unseal keys between cloud providers
Note: If you change the unseal configuration after initializing Vault, you may have to move the unseal keys from the old location to the new one, or reinitialize vault.
If you need to move your Vault instance from one provider or an external managed Vault, you have to:
- Retrieve and decrypt the unseal keys (and optionally the root token) in the Bank-Vaults format. For details, see Decrypt the root token.
- Migrate the Vault storage data to the new provider. Use the official migration command provided by Vault.
All examples assume that you have created files holding the root-token and the 5 unseal keys in plaintext:
vault-root.txtvault-unseal-0.txtvault-unseal-1.txtvault-unseal-2.txtvault-unseal-3.txtvault-unseal-4.txt
AWS
Move the above mentioned files to an AWS bucket and encrypt them with KMS before:
REGION=eu-central-1
KMS_KEY_ID=02a2ba49-42ce-487f-b006-34c64f4b760e
BUCKET=bank-vaults-1
for key in "vault-root" "vault-unseal-0" "vault-unseal-1" "vault-unseal-2" "vault-unseal-3" "vault-unseal-4"
do
aws kms encrypt \
--region ${REGION} --key-id ${KMS_KEY_ID} \
--plaintext fileb://${key}.txt \
--encryption-context Tool=bank-vaults \
--output text \
--query CiphertextBlob | base64 -d > ${key}
aws s3 cp ./${key} s3://${BUCKET}/
rm ${key} ${key}.txt
done
Last modified April 26, 2024: chore(deps): Bump actions/checkout from 4.1.2 to 4.1.3 (#222) (931903d)