Unable to migrate seal configuration away from AWS KMS #7952

Closed
trondiz opened this issue Nov 29, 2019 · 7 comments
Labels
bug, core/migration

Comments


trondiz commented Nov 29, 2019

Describe the bug
I am unable to migrate away from awskms seal type if vault was initialized with the awskms seal configuration originally.

To Reproduce

  1. Initialize vault with awskms enabled:
seal "awskms" {
  #disabled = "true"
  region = "eu-central-1"
  kms_key_id = "*redacted*"
}
  2. Modify config by adding disabled = "true" in the seal section.
  3. Restart vault
  4. vault operator unseal -migrate x3

Then I get the following error.

Error unsealing: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/sys/unseal
Code: 500. Errors:

* error setting new barrier key information during migrate: stored keys are not supported

Expected behavior
I expected the vault to be unsealed and converted to the shamir Seal Type as described in the documentation: https://www.vaultproject.io/docs/concepts/seal.html#seal-migration

If the vault is first initialized without awskms the migration works as expected both ways. I believe this is a bug, or at least it is unclear in the documentation.

Is there a way to work around this for an existing cluster?

Environment:

  • Vault Server Version (retrieve with vault status): Version 1.3.0
  • Vault CLI Version (retrieve with vault version): Version 1.3.0
  • Server Operating System/Architecture: Ubuntu

Vault server configuration file(s):

seal "awskms" {
  region = "eu-central-1"
  kms_key_id = "*redacted*"
}
michelvocks added the labels bug, core/migration on Dec 2, 2019

nlewo commented Jan 2, 2020

I'm hitting the same issue with the transit autounseal method.
My configuration is:

{
  "listener": {
    "tcp": {
      "address": "127.0.0.1:8200",
      "tls_disable": 1
    }
  },
  "storage": {
    "file": {
      "path": "/data"
    }
  },
  "disable_mlock": true,
  "seal": {
    "transit": {
      "disabled": "true",
      "address": "http://vaultInfra:8200",
      "disable_renewal": "false",
      "key_name": "autounseal",
      "mount_path": "transit/",
      "tls_skip_verify": "true"
    }
  }
}

And when I try to migrate, I get:

$ vault operator unseal -migrate
Unseal Key (will be hidden): 
Key                           Value
---                           -----
Seal Type                     shamir
Initialized                   true
Sealed                        true
Total Shares                  3
Threshold                     2
Unseal Progress               1/2
Unseal Nonce                  41531879-5565-bd37-5278-a6ca7dc242f3
Seal Migration in Progress    true
Version                       1.3.0
HA Enabled                    false

$ vault operator unseal -migrate
Unseal Key (will be hidden): 
Error unsealing: Error making API request.

URL: PUT http://localhost:8200/v1/sys/unseal
Code: 500. Errors:

* error setting new barrier key information during migrate: stored keys are not supported

@Garath620

Same issue for me too.


dclark commented Feb 12, 2020

Same issue also for 1.3.1 using gcpckms keys when converting to shamir


wink commented Feb 16, 2020

I also hit this issue when attempting to convert from awskms to shamir


dclark commented Feb 17, 2020

This issue has been resolved in Vault 1.3.2 #8172

Conversion from auto seal gcpckms to shamir is working as expected without the error.

@NagenderPulluri

You need to add a seal "shamir" block to the configuration and add disabled = "true" to the seal "awskms" block:

seal "shamir" {}

seal "awskms" {
  region = "us-east-1"
  kms_key_id = "your-kms-key-id"
  disabled = "true"
}

Refer to the following for more info:

https://support.hashicorp.com/hc/en-us/articles/10375276754707-AWS-KMS-to-AWS-KMS-Seal-Migration


hsejr commented Jul 19, 2024

@NagenderPulluri
I followed it, but if the KEY in KMS is deleted, the pod cannot start to perform the migration unseal.

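Putting the thread's procedure together as an added example (not from the issue, the linked article, or Vault's own tooling): a POSIX sh script that drives the `unseal -migrate` loop from the original report once the auto-seal stanza (awskms, gcpckms or transit) has been given `disabled = "true"` and the server restarted, as in NagenderPulluri's config. It reads `vault status -format=json`, refuses to start on a Vault older than 1.3.2 (the release dclark reports the fix in, #8172, before which the migration dies with "stored keys are not supported"), optionally confirms the awskms key is still Enabled (hsejr's failure mode: the migrate step has to unwrap the current root key with the old seal, so a deleted KMS key leaves nothing to migrate from), and stops only when the seal type is shamir with no migration pending. `KMS_KEY_ID`, `run_migration`, `next_step`, `status_field`, `version_ge` and `kms_key_usable` are this example's own names, and the sample status documents are constructed, modelled on nlewo's output above.

```shell
#!/bin/sh
# Added example (not from the issue or from Vault itself): drive an auto-seal -> shamir
# migration after the awskms/gcpckms/transit stanza has been given disabled = "true"
# and the server restarted. Run as:  KMS_KEY_ID=<old key id> sh migrate_to_shamir.sh run
# Function and variable names are this example's own.

# Pull one scalar field out of `vault status -format=json` (compact or pretty-printed).
status_field() {  # $1 = status JSON, $2 = key
    printf '%s' "$1" | tr -d '\n' |
        sed -n "s/.*\"$2\":[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Dotted-version compare: true when $1 >= $2. Build suffixes such as "+ent" are ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    awk -v a="$a" -v b="$b" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Classify a status document into the operator's next action:
#   unseal-migrate       still sealed: enter another share with `vault operator unseal -migrate`
#   done                 unsealed, seal type shamir, no migration pending
#   unsealed-not-shamir  unsealed but still on the auto seal (or migration flag still set):
#                        the disabled = "true" change was not picked up (edit or restart missing)
next_step() {
    type=$(status_field "$1" type)
    sealed=$(status_field "$1" sealed)
    migration=$(status_field "$1" migration)
    if [ "$sealed" = false ]; then
        if [ "$type" = shamir ] && [ "$migration" != true ]; then echo done; else echo unsealed-not-shamir; fi
    else
        echo unseal-migrate
    fi
}

# The old seal must still be able to unwrap the current root key during -migrate, so a
# deleted or PendingDeletion KMS key makes the migration impossible (hsejr's case above).
kms_key_usable() {  # $1 = kms_key_id from the awskms stanza
    state=$(aws kms describe-key --key-id "$1" --query KeyMetadata.KeyState --output text) || return 1
    [ "$state" = Enabled ]
}

run_migration() {
    if [ -n "${KMS_KEY_ID-}" ] && command -v aws >/dev/null 2>&1; then
        kms_key_usable "$KMS_KEY_ID" ||
            { echo "KMS key $KMS_KEY_ID is not Enabled; the old seal cannot unwrap the root key" >&2; return 1; }
    fi
    st=$(vault status -format=json 2>/dev/null) || true    # exit status 2 only means "sealed"
    [ -n "$st" ] || { echo "no status from Vault (VAULT_ADDR=${VAULT_ADDR-unset})" >&2; return 1; }
    ver=$(status_field "$st" version)
    version_ge "$ver" 1.3.2 ||
        { echo "Vault $ver predates the 1.3.2 fix (#8172); expect 'stored keys are not supported'" >&2; return 1; }
    while [ "$(next_step "$st")" = unseal-migrate ]; do
        echo "unseal progress $(status_field "$st" progress)/$(status_field "$st" t); enter the next share"
        vault operator unseal -migrate >/dev/null || return 1      # same -migrate flag on every share
        st=$(vault status -format=json 2>/dev/null) || true
    done
    [ "$(next_step "$st")" = done ] || { echo "unexpected state: $(next_step "$st")" >&2; return 1; }
    echo "migration complete: seal type $(status_field "$st" type), migration=$(status_field "$st" migration)"
}

# Constructed sample status documents: one modelled on nlewo's output above (one of two
# shares entered, migration in progress), one showing the expected end state.
SAMPLE_MID='{"type":"shamir","initialized":true,"sealed":true,"t":2,"n":3,"progress":1,"nonce":"41531879-5565-bd37-5278-a6ca7dc242f3","version":"1.3.0","migration":true,"recovery_seal":false,"storage_type":"file","ha_enabled":false}'
SAMPLE_DONE='{"type":"shamir","initialized":true,"sealed":false,"t":2,"n":3,"progress":0,"version":"1.3.2","migration":false,"recovery_seal":false,"storage_type":"file","ha_enabled":false}'

if [ "${1-}" = run ]; then run_migration; fi
```

Run it on one node after the config edit and restart; it only reads status and issues the unseal calls, each of which prompts for one share. Sourcing the file without the `run` argument just defines the functions, which is how `next_step` can be checked against the sample documents offline.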