hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Create clear guidelines for recovering vault snapshots after losing KMS key when using auto-unseal mode #20039

Open jrutkowski opened 1 year ago

jrutkowski commented 1 year ago

I'm working on a Vault setup that could be used in production. I would like to use the AWS KMS auto-unseal mechanism as a convenient way of managing cluster state, but I also need to have reliable backups to be able to restore Vault's state when anything bad happens.

I was really terrified when I realized that, when using auto-unseal, if for some reason the KMS data are lost, I will not be able to recover anything from the snapshots.

The documentation very briefly mentions this fact (https://developer.hashicorp.com/vault/docs/concepts/seal#auto-unseal) and gives a very misleading name to the set of so-called "Recovery keys" that are given to the user during Vault's initialization.

This is a really critical issue and I'm surprised that Vault's developers ignore this fact, despite it being raised many times: https://github.com/hashicorp/vault/issues/16294 https://github.com/hashicorp/vault/issues/16391 https://github.com/hashicorp/vault/issues/11244 https://github.com/hashicorp/vault/issues/15490

There was some work done on this subject but with no clear information if or when it will be available in the OSS version: https://github.com/hashicorp/vault/pull/18683

For me, it seems like a very basic feature to be able to create reliable backups, independent of the infrastructure.

I can imagine that 2 things can be done at this point:

Either deploy the solution (https://github.com/hashicorp/vault/pull/18683) in the OSS version.

Or declare the KMS auto-unseal option an experimental feature that shouldn't be used in production.

If someone started to use such a setup, misled by the so-called "Recovery keys" name, they can run into big trouble when figuring out that, despite having regular snapshots and storing the "Recovery keys" in a safe place, they end up at a point where recovery of the data is no longer possible.
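For the setup this issue describes (AWS KMS auto-unseal with raft snapshots), here is an added pre-snapshot check that is not code from the issue or from the Vault project: it refuses to treat a snapshot as a usable backup unless the KMS key that sealed it is still in the Enabled state and the cluster is actually unsealed through the awskms seal. `KMS_KEY_ID` is an assumed environment variable, and the JSON samples are constructed to mirror `aws kms describe-key` and `vault status -format=json` output.

```shell
#!/bin/sh
# Added example, not part of the issue or of Vault. A raft snapshot stores the
# root key encrypted under the KMS key, so a restore works only while that key can
# still decrypt; the "Recovery keys" never let you decrypt the snapshot yourself.
# The parsing functions take CLI output as an argument so they run offline.

# Pull the string value of field $1 out of the JSON in $2 (no jq dependency).
json_field() {
  printf '%s' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# 0 when the KMS key described by $1 (`aws kms describe-key` output) is Enabled.
# Disabled, PendingDeletion, PendingImport or Unavailable all mean that a snapshot
# sealed with this key cannot currently be restored.
kms_key_restorable() {
  [ "$(json_field KeyState "$1")" = "Enabled" ]
}

# 0 when `vault status -format=json` output in $1 reports the awskms seal type and
# an unsealed barrier, i.e. the KMS decrypt path is proven to work right now.
vault_seal_healthy() {
  [ "$(json_field type "$1")" = "awskms" ] && \
  [ "$(printf '%s' "$1" | sed -n 's/.*"sealed"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p')" = "false" ]
}

# Constructed samples, shaped like the real CLI output, for an offline run.
SAMPLE_KEY_OK='{"KeyMetadata": {"KeyId": "00000000-0000-0000-0000-000000000000", "KeyState": "Enabled"}}'
SAMPLE_KEY_DELETING='{"KeyMetadata": {"KeyId": "00000000-0000-0000-0000-000000000000", "KeyState": "PendingDeletion"}}'
SAMPLE_STATUS='{"type": "awskms", "initialized": true, "sealed": false, "recovery_seal": true, "storage_type": "raft"}'

# Live drill: only take a snapshot when both checks pass, so a backup is never
# produced under a key that is already on its way out. Needs VAULT_ADDR/VAULT_TOKEN
# with raft snapshot rights and AWS credentials that may describe KMS_KEY_ID.
dr_precheck() {
  key_json=$(aws kms describe-key --key-id "$KMS_KEY_ID" --output json) || return 1
  status_json=$(vault status -format=json) || return 1
  kms_key_restorable "$key_json" || { echo "KMS key not Enabled: snapshots would be unrestorable" >&2; return 2; }
  vault_seal_healthy "$status_json" || { echo "seal is not awskms or Vault is sealed" >&2; return 3; }
  vault operator raft snapshot save "vault-$(date +%Y%m%d%H%M%S).snap"
}

if [ "${1:-}" = "--drill" ]; then
  dr_precheck
fi
```

Run with `--drill` against a real cluster; without arguments the script only defines the checks, which can be exercised on the constructed samples.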

heatherezell commented 1 year ago

We are always evaluating features and enhancements to make our Vault user experience more streamlined and stable. While this is a very popular request, we strive to be thoughtful about these sorts of changes due to product complexity and the mission critical nature of our users' install base. At this time, we have been working to ensure that our documentation reflects the current state of the product and provides adequate information for our end users. We thank you for your passion and enthusiasm for Vault, and we will continue making this the best product we can.

dtrts commented 6 months ago

+1

We're also trying to design a disaster recovery process which holds up against losing access to KMS but having no luck.

Any progress on this feature would be a great help to us.