Closed: raoofm closed 6 years ago
Vault derives its key shares with Shamir's Secret Sharing algorithm. They aren't sets of random bytes, but instead can be used in parts to reconstruct a single master key. If you wanted to provide your own keys, they would have to be generated in this way.
To each their own, but I would recommend against using the same set of keys for multiple Vault instances, as it increases the operational burden of rekeying your vaults. If you absolutely must have the same set of keys, though, I think you could initialize a single empty storage backend, then copy the whole thing for use with other instances.
It's not possible -- as @rotorcowboy said, we derive unseal keys using Shamir's Secret Sharing against a master key -- and it's pretty much against the whole security model of Vault to specify your own master key, so we don't plan to support it.
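To make the two comments above concrete, here is an added example (not Vault's own code; Vault's shamir package works byte-wise over GF(2^8), while this simplified version works over a prime field with math/big) showing why unseal key shares cannot be "provided" independently: the master key is the constant term of a random polynomial, and each share is simply a point on that polynomial. Any `threshold` shares reconstruct the master key by Lagrange interpolation at x = 0; fewer shares yield an unrelated value. The secret, share count and threshold in `main` are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Field prime for the arithmetic: 2^255 - 19. Any prime larger than the
// secret works; this is an assumption of the example, not Vault's choice.
var prime = func() *big.Int {
	p := new(big.Int).Lsh(big.NewInt(1), 255)
	return p.Sub(p, big.NewInt(19))
}()

// Share is one Shamir share: the x coordinate and f(x) mod prime.
type Share struct {
	X *big.Int
	Y *big.Int
}

// Split derives n shares of secret such that any t of them reconstruct it.
// The secret becomes f(0) of a random degree t-1 polynomial; share i is f(i).
func Split(secret []byte, n, t int) ([]Share, error) {
	if t < 2 || t > n {
		return nil, fmt.Errorf("need 2 <= threshold <= shares, got t=%d n=%d", t, n)
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, fmt.Errorf("secret must be smaller than the field prime")
	}
	coeffs := make([]*big.Int, t)
	coeffs[0] = s // constant term is the master key itself
	for i := 1; i < t; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, n)
	for i := 0; i < n; i++ {
		x := big.NewInt(int64(i + 1)) // never use x=0: f(0) is the secret
		shares[i] = Share{X: x, Y: eval(coeffs, x)}
	}
	return shares, nil
}

// eval computes f(x) mod prime by Horner's rule.
func eval(coeffs []*big.Int, x *big.Int) *big.Int {
	y := new(big.Int)
	for i := len(coeffs) - 1; i >= 0; i-- {
		y.Mul(y, x)
		y.Add(y, coeffs[i])
		y.Mod(y, prime)
	}
	return y
}

// Combine interpolates f(0) from the given shares. With fewer than threshold
// shares the result is an arbitrary field element, not the secret.
func Combine(shares []Share, secretLen int) ([]byte, error) {
	if len(shares) < 2 {
		return nil, fmt.Errorf("need at least two shares")
	}
	acc := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			if si.X.Cmp(sj.X) == 0 {
				return nil, fmt.Errorf("duplicate share x=%s", si.X)
			}
			num.Mul(num, new(big.Int).Neg(sj.X)).Mod(num, prime)
			den.Mul(den, new(big.Int).Sub(si.X, sj.X)).Mod(den, prime)
		}
		// Lagrange basis at x=0 is num/den; weight share value by it.
		li := new(big.Int).ModInverse(den, prime)
		li.Mul(li, num).Mul(li, si.Y)
		acc.Add(acc, li).Mod(acc, prime)
	}
	b := acc.Bytes()
	if len(b) > secretLen {
		return nil, fmt.Errorf("reconstructed value does not fit %d bytes (wrong or insufficient shares)", secretLen)
	}
	out := make([]byte, secretLen)
	copy(out[secretLen-len(b):], b) // left-pad so leading zero bytes survive
	return out, nil
}

func main() {
	secret := []byte("constructed-demo-master-key-0001") // constructed 32-byte secret (ASCII, so < prime)
	shares, err := Split(secret, 5, 3)
	if err != nil {
		panic(err)
	}
	got, err := Combine(shares[:3], len(secret))
	fmt.Printf("3 of 5 shares: %q err=%v\n", got, err)
	few, err := Combine(shares[:2], len(secret))
	fmt.Printf("2 of 5 shares: %x err=%v\n", few, err)
}
```

The practical consequence for the thread's question: the only input you control is the secret passed to `Split`; every share is a function of that secret plus fresh randomness, so a share set cannot be chosen up front and handed to several independent initializations.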
Is your feature request related to a problem? Please describe. I was wondering why there is no option to provide your own keys to initialize vault. It helps in simplifying the task of distributing keys and auto-unsealing multiple clusters containing replicated data. Also to switch over if a data store is unavailable.
Describe the solution you'd like An option to provide a set of keys, similar to the way we provide pgp for vault init.