hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

server restart and my unseal key does not work anymore #8012

Closed eghos closed 4 years ago

eghos commented 4 years ago

    bash-4.4# vault operator unseal
    Unseal Key (will be hidden):
    Error unsealing: Error making API request.

    URL: PUT http://127.0.0.1:8200/v1/sys/unseal
    Code: 400. Errors:

    Key              Value
    Seal Type        shamir
    Sealed           true
    Total Shares     1
    Threshold        1
    Unseal Progress  0/1
    Unseal Nonce     n/a
    Version          0.10.3
    HA Enabled       true

michelvocks commented 4 years ago

Hi @eghos!

Could you elaborate a bit more on your issue here? Are you sure that your unseal key is correct? I see that you use an old version of Vault. Have you tried to upgrade to the latest Vault version (1.3.0)?

Cheers, Michel

eghos commented 4 years ago

Thanks Michel for coming back very quickly. Our CI/CD pipeline is configured to grab some credentials from Vault. However, two weeks ago, we had a power issue and all servers were restarted, and the pipeline got broken. From the error message, the pipeline is not able to access Vault anymore. So I tried manually on the GUI; it says the unseal key is incorrect, and I logged into the Vault server and the CLI says the same thing. The bad thing is the engineer who configured this does not work here anymore, so from his documentation I was able to get hold of some key he calls the unseal key. However, on reading the HashiCorp Vault documentation, my understanding is I am supposed to have 3-5 keys, generated when you initialize Vault, but I can only find just one, which does not work. Any best advice will be appreciated. I have never used Vault before now.

michelvocks commented 4 years ago

By default, Vault generates 5 unseal keys during initialization and you need at least 3 different keys to unseal Vault. Apparently, your colleague changed that to one unseal key (you can see that by the unseal progress information Unseal Progress 0/1).

Unfortunately, that is the only information I can provide. Without the correct unseal key you will not be able to unseal Vault. That is also one of the reasons why we highly recommend generating multiple keys and storing them in different places.

michelvocks commented 4 years ago

Closing this due to inactivity. Feel free to open a new issue if you are still experiencing this issue.

hardeepsingh3 commented 2 years ago

Hi Michel, I was hoping I could get your expertise on the above-mentioned issue. I have a similar issue where the Vault server was restarted during kernel patching and I was not able to unseal it even though I have the 5 unseal keys that were generated during initialization. Any help would be greatly appreciated!

sankalp-amigo commented 2 years ago

Having the same problem. Any update on this?

Corinari commented 6 days ago

We are currently facing the same issue, twice after updating to the latest Vault version. Unseal keys are not working and Vault provides the following error message:

Error unsealing: Error making API request.

URL: PUT https://vault.example.com/v1/sys/unseal
Code: 400. Errors:

* unable to retrieve stored keys: invalid key: failed to decrypt keys from storage: error decrypting seal wrapped value
error decrypting using seal shamir: cipher: message authentication failed

VAULT_ADDR was exported.

On a second try, it also showed that even after applying an unseal key with vault operator unseal, the unseal process still stays at 1 of 3, even after trying a second unseal token.

Last time we experienced this, after some time (2-3 days, over the weekend) I tried to unseal it again and it worked without a problem. After the latest updates today it shows the error message again.

@heatherezell @michelvocks If you need any more information, please let me know.
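Michel's explanation above (5 shares and a threshold of 3 by default, versus the 1/1 configuration in the original report) and Corinari's "cipher: message authentication failed" error both follow from how a Shamir seal works: the supplied shares are combined into a key, and only then is that key tried against the seal-wrapped keys in storage. The Python below is an added example written for this page, not Vault's code: it uses a single prime field rather than the byte-wise GF(2^8) arithmetic of Vault's shamir package, and a toy encrypt-then-MAC construction in place of AES-GCM. The names split_secret, combine_shares, seal_value, unseal_value and can_unseal, the field prime, and the sample plaintext are all constructed here.

```python
import hashlib
import hmac
import secrets

# Field for the toy: the Mersenne prime 2**127 - 1 (a constructed choice;
# Vault's own shamir package works byte-wise in GF(2^8) instead).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (coeffs[0] is the secret) at x mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, shares, threshold, rng=secrets.randbelow):
    """Split `secret` into `shares` points on a random degree-(threshold-1)
    polynomial; any `threshold` distinct points recover it. Vault's default is
    5 shares / threshold 3; the original report shows a server initialised 1/1."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret is outside the field")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(points):
    """Lagrange interpolation at x = 0. Fewer than `threshold` shares, or a
    share from a different initialisation, still yield *some* value; the
    failure only surfaces when that value is used as a decryption key."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def _derive(key_int, label):
    """Derive a 32-byte sub-key (encryption or MAC) from the combined secret."""
    return hashlib.sha256(label + key_int.to_bytes(16, "big")).digest()


def _keystream(key, length):
    """Hash-based keystream; a toy, acceptable only because each key is used once."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal_value(key_int, plaintext):
    """Toy encrypt-then-MAC 'seal wrap' standing in for AES-GCM. Returns tag || ciphertext."""
    stream = _keystream(_derive(key_int, b"enc"), len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_derive(key_int, b"mac"), ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def unseal_value(key_int, blob):
    """Check the tag under the reconstructed key, then decrypt. A wrong key is
    rejected here: the toy analogue of 'cipher: message authentication failed'."""
    tag, ciphertext = blob[:32], blob[32:]
    expected = hmac.new(_derive(key_int, b"mac"), ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message authentication failed")
    stream = _keystream(_derive(key_int, b"enc"), len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def can_unseal(key_int, blob):
    """True if `key_int` authenticates `blob`; shows why 2 of 3 shares cannot unseal."""
    try:
        unseal_value(key_int, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root_key = secrets.randbelow(PRIME)
    shares = split_secret(root_key, shares=5, threshold=3)
    # Constructed sample standing in for the seal-wrapped keys kept in storage.
    stored_keys = seal_value(root_key, b"constructed: encryption key material")
    print("3 of 5 shares:", can_unseal(combine_shares(shares[:3]), stored_keys))
    print("2 of 5 shares:", can_unseal(combine_shares(shares[:2]), stored_keys))
```

Two things this makes visible. Combining too few shares, or a share that belongs to a different initialisation, does not raise an error; it simply produces a different key. That key is then rejected only by the authentication-tag check on the stored value, which is why the CLI reports a decryption failure rather than "wrong share". It also shows why a single surviving share from a 1/1 configuration, as in the original report, is the whole secret: there is nothing else to recover it from.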