Anyone know how to migrate back from Auto-Unseal to Shamir Secret Sharing?


nathan....@digitalonus.com

Mar 27, 2019, 2:53:41 PM
to Vault
Could one of you guys show how it is that we could migrate a Vault set up with Transit auto-unseal back to Shamir?

I migrated a single Vault to Transit auto-unseal successfully, using the following configuration:

cat config-autounseal.hcl
disable_mlock = true
ui = true

storage "file" {
  path = "/workstation/vault102/data"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

seal "transit" {
  address         = "http://12.77.26.121:8200"
  token           = "s.Spaq1vagPap856ffDuFuppWw"
  # Manuel
  #  address = "http://12.53.125.113:8200"
  #  token = "s.gRozNyezkvyiY8KoPOo7j8AaSsx"
  disable_renewal = "false"
  key_name        = "autounseal"
  mount_path      = "transit/"
  tls_skip_verify = "true"
}


I then tried, and failed, to switch over to using the Manuel portion:

vi config-autounseal.hcl
cat config-autounseal.hcl
disable_mlock = true
ui = true

storage "file" {
  path = "/workstation/vault102/data"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

seal "transit" {
  #  address = "http://12.77.26.121:8200"
  #  token = "s.Spaq1vagPap856ffDuFuppWw"

  # Manuel
  address         = "http://12.53.125.113:8200"
  token           = "s.gRozNyezkvyiY8KoPOo7j8AaSsx"

  disable_renewal = "false"
  key_name        = "autounseal"
  mount_path      = "transit/"
  tls_skip_verify = "true"
}


But it failed.

I then commented the entire seal stanza, and attempted to revert to Shamir Secret Sharing, using my recovery keys. I can neither succeed with operator unseal nor operator unseal migrate:

vault operator unseal -migrate
Unseal Key (will be hidden):
Error unsealing: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/unseal
Code: 400. Errors:

* 'migrate' parameter set true in JSON body when not in seal migration mode


vault operator unseal
Unseal Key (will be hidden):
Error unsealing: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/unseal
Code: 400. Errors:

* Unseal failed, invalid key

I've read the following:


How do I revert from Auto-Unseal to Shamir Secret Sharing, to enable me to use Manuel's Vault instead of the other one I had been using? 

Becca Petrin

Mar 28, 2019, 12:11:25 PM
to Vault
Hi Nathan,

Could it simply be that you need to add `disabled = "true"` inside the `seal "transit"` stanza? And then when you restart Vault, unseal it with the `vault operator unseal -migrate` command?

If that doesn't work, you may be hitting this issue: https://github.com/hashicorp/vault/pull/6458. If that's the case, I'm not certain offhand what the Shamir block needs to look like to migrate back to it.

-Becca

Vasilev Vjacheslav

Mar 28, 2019, 4:08:15 PM
to Vault
Another option to try is an empty seal block:

seal "transit" {
}

MS

Apr 11, 2019, 4:21:37 AM
to Vault
Hi,

I'm facing the same issue. An empty seal transit block didn't work, and neither did an empty seal shamir block; Vault is not entering migration mode again. Did you manage to solve it somehow?

Vasilev Vjacheslav

Apr 11, 2019, 5:09:41 AM
to Vault
Hi,

Would you please additionally provide version and error log output?

MS

Apr 11, 2019, 5:33:46 AM
to Vault

I'm using Vault v1.1.0. There's no specific error:
I'm using Vault with a JSON config file (3 servers in HA mode). At first, when I used manual seal, I didn't have a seal stanza in the config at all.
Then I wanted to migrate to transit unseal with another Vault cluster. So I stopped Vault and edited the JSON config to include the seal transit stanza with the required parameters. Then I started Vault, and it did come up in seal migration mode. I did the 'operator unseal -migrate' part and it went well.
Then I wanted to revert back to the shamir manual unseal type.
I stopped Vault, edited the config file and removed the seal stanza. Then I started Vault, but it didn't come up in seal migration mode. When I tried 'operator unseal -migrate' I got the following error: * 'migrate' parameter set true in JSON body when not in seal migration mode
When I tried to unseal without the migrate flag, I got '* Unseal failed, invalid key'
I tried the same with a seal shamir stanza, with a blank seal transit stanza and with "disabled: true" in the seal transit stanza. None of them worked; Vault simply doesn't enter seal migration mode.
The status now is that I'm stuck with the auto transit unseal and can't go back to shamir.

Becca Petrin

Apr 11, 2019, 12:08:24 PM
to Vault
Hi! 

Thanks for posting this. There is a fix that will be included in the next release for this precise issue: https://github.com/hashicorp/vault/pull/6458. Meanwhile, I'm going to do a quick test and post what I find about how specifically to migrate back to Shamir.

-B

Becca Petrin

Apr 11, 2019, 12:21:47 PM
to Vault
Here is an example set of configs where I migrate from Shamir to AWS and back to Shamir successfully on Vault 1.1.0. The third one should be a working example you can adapt and use. After you've completed the migration back to Shamir you'll need the original set of unseal keys to unseal Vault.

# first config
storage "file" {
  path = "/tmp/vault/data"
}
disable_mlock = true
ui = true
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}

# config two 
storage "file" {
  path = "/tmp/vault/data"
}
disable_mlock = true
ui = true
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}

seal "awskms" {
  region     = "us-east-1"
  access_key = "redacted"
  secret_key = "redacted"
  kms_key_id = "redacted"
}

# config three
storage "file" {
  path = "/tmp/vault/data"
}
disable_mlock = true
ui = true
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}

seal "shamir" {}

seal "awskms" {
  region     = "us-east-1"
  access_key = "redacted"
  secret_key = "redacted"
  kms_key_id = "redacted"
  disabled   = "true"
}

MS

Apr 15, 2019, 4:42:26 AM
to Vault
Hi,

Sorry for the late response. Actually I think the issue is specifically with the "transit" seal type.
I've tried the below with no success:

# first config:

{
  "api_addr": "https://x.x.x.x:8200",
  "backend": {
    "consul": {
      "address": "127.0.0.1:8500",
      "path": "vault/"
    }
  },
  "cluster_addr": "https://x.x.x.x:8201",
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "cluster_address": "x.x.x.x:8201",
      "tls_cert_file": "/etc/cert.pem",
      "tls_disable_client_certs": true,
      "tls_key_file": "/etc/cert.key"
    }
  },
  "telemetry": {
    "disable_hostname": true,
    "statsd_address": "127.0.0.1:9125"
  },
  "ui": true,
}

# Second config:

{
  "api_addr": "https://x.x.x.x:8200",
  "backend": {
    "consul": {
      "address": "127.0.0.1:8500",
      "path": "vault/"
    }
  },
  "cluster_addr": "https://x.x.x.x:8201",
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "cluster_address": "x.x.x.x:8201",
      "tls_cert_file":  "/etc/cert.pem",
      "tls_disable_client_certs": true,
      "tls_key_file": "/etc/cert.key"
    }
  },
  "telemetry": {
    "disable_hostname": true,
    "statsd_address": "127.0.0.1:9125"
  },
  "ui": true,
  "seal": {
    "transit": {
      "address": "https://xxx",
      "token": "xxx",
      "disable_renewal": "false",
      "key_name": "unseal",
      "mount_path": "transit/",
      "tls_client_cert": "/etc/cert.pem",
      "tls_client_key":  "/etc/cert.key",
      "tls_skip_verify": "false"
    }
  }
}

# Third Config

{
  "api_addr": "https://x.x.x.x:8200",
  "backend": {
    "consul": {
      "address": "127.0.0.1:8500",
      "path": "vault/"
    }
  },
  "cluster_addr": "https://x.x.x.x:8201",
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "cluster_address": "x.x.x.x:8201",
      "tls_cert_file":  "/etc/cert.pem",
      "tls_disable_client_certs": true,
      "tls_key_file": "/etc/cert.key"
    }
  },
  "telemetry": {
    "disable_hostname": true,
    "statsd_address": "127.0.0.1:9125"
  },
  "ui": true,
  "seal": {
    "shamir": {
    }
  }
  "seal": {
    "transit": {
      "address": "https://xxx",
      "token": "xxx",
      "disable_renewal": "false",
      "key_name": "unseal",
      "mount_path": "transit/",
      "tls_client_cert": "/etc/cert.pem",
      "tls_client_key":  "/etc/cert.key",
      "tls_skip_verify": "false",
      "disabled": "true",
    }
  }
}

Same as stated before, Vault is not entering seal migration mode after switching to the third config...
Any help will be appreciated.

Becca Petrin

Apr 15, 2019, 12:46:28 PM
to Vault
Hi MS,

Ah, gotcha, you're having trouble migrating back from transit specifically.

Can you post two things? Even if they appear rather uneventful, it would be helpful to see.
  • With the third configuration, what is the full output from running Vault? Can you post the full command and output, like from `$ vault server -config=the-third-one.hcl`?
  • With that running, can you post the full command and output you receive when you do "$ vault operator -migrate"?
Thanks! Just trying to sort out the exact steps to reproduce it, and whether we should be opening a Github issue for this being a bug.

-B

MS

Apr 16, 2019, 2:56:03 AM
to Vault
Hi,

  • The full output from running vault with the third config file:

# vault server -config=/etc/vault/config.json
==> Vault server configuration:

             Api Address: https://x.x.x.x:8200
                     Cgo: disabled
         Cluster Address: https://x.x.x.x:8201
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "x.x.x.x:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
               Log Level: info
                   Mlock: supported: true, enabled: true
                 Storage: consul (HA available)
                 Version: Vault v1.1.0
             Version Sha: 36aa8c8dd1936e10ebd7a4c1d412ae0e6f7900bd

==> Vault server started! Log data will stream in below:

  • The unseal migrate command and output:
# vault operator unseal -migrate
Unseal Key (will be hidden):
Error unsealing: Error making API request.

Code: 400. Errors:

* 'migrate' parameter set true in JSON body when not in seal migration mode


Please let me know if additional info is needed, thanks for your help:)

Becca Petrin

Apr 16, 2019, 12:56:45 PM
to Vault
Hi,

Thanks for posting that! One thing I wonder is, could the JSON be failing to parse in the third config you've posted? When I paste it into https://jsonlint.com/, there are a couple of issues with the placement of commas, and also it's upset about there being a second "seal" stanza because in JSON it's not legal to have duplicate keys. I wonder if there might be better results by switching it over to HCL. 

Alternatively, if you'd prefer to keep using JSON, the latest release of Vault has a fix that should make it fine to remove the Shamir seal stanza, and to simply leave the transit one marked as disabled.

-B
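The two things Becca checks by hand in the reply above, whether the JSON parses at all and whether the seal stanzas describe a migration Vault will accept, can be scripted. The following is an added example, not code from this thread or from HashiCorp: a strict JSON config linter that refuses duplicate keys (a plain json.loads silently keeps the last "seal" and hides exactly the defect she found), then classifies the seal section the way her working config three does (an enabled seal "shamir" {} beside the old seal marked disabled means migrate back to Shamir). The sample configs are constructed for the example; writing two seal stanzas as a JSON array is assumed to be the HCL-JSON form of repeated blocks; the note about an implicit Shamir target on Vault 1.1.1+ comes from Becca's remark about the fix in that release.

```python
import json

# Constructed sample (not MS's real file): mirrors the defects in the third
# JSON config above: a missing comma between the two "seal" objects,
# a trailing comma, and a duplicate "seal" key.
BROKEN_JSON = '''{
  "ui": true,
  "seal": {"shamir": {}}
  "seal": {"transit": {"address": "https://xxx", "disabled": "true",}}
}'''

# Constructed: commas fixed, but the duplicate key remains.
DUPLICATE_KEY_JSON = '''{
  "ui": true,
  "seal": {"shamir": {}},
  "seal": {"transit": {"address": "https://xxx", "disabled": "true"}}
}'''

# Constructed. Assumption: HCL's JSON form writes repeated blocks as an
# array, so two seal stanzas become "seal": [ {...}, {...} ].
MIGRATE_BACK_JSON = '''{
  "ui": true,
  "seal": [
    {"shamir": {}},
    {"transit": {"address": "https://xxx", "key_name": "unseal", "disabled": "true"}}
  ]
}'''


def _reject_duplicates(pairs):
    """object_pairs_hook for json.loads: the default decoder keeps the last
    value for a repeated key, which would hide the defect, so fail instead."""
    out = {}
    for key, value in pairs:
        if key in out:
            raise ValueError(f"duplicate key {key!r}")
        out[key] = value
    return out


def parse_config(text):
    """Strict parse: raises ValueError on bad commas or duplicate keys."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def seal_stanzas(cfg):
    """Normalise the 'seal' section to a list of (seal_type, options)."""
    seal = cfg.get("seal")
    if seal is None:
        return []
    blocks = seal if isinstance(seal, list) else [seal]
    return [(t, opts or {}) for block in blocks for t, opts in block.items()]


def _is_disabled(opts):
    # The configs in this thread use the string "true"; accept a bool as well.
    return str(opts.get("disabled", "false")).lower() == "true"


def migration_plan(cfg):
    """Describe what the seal section asks Vault to do at startup."""
    stanzas = seal_stanzas(cfg)
    enabled = [t for t, o in stanzas if not _is_disabled(o)]
    disabled = [t for t, o in stanzas if _is_disabled(o)]
    if len(enabled) > 1 or len(disabled) > 1:
        raise ValueError(f"at most one enabled and one disabled seal allowed, got {stanzas}")
    if not stanzas:
        return "shamir (no migration)"
    if not disabled:
        return f"{enabled[0]} (no migration)"
    if not enabled:
        # Only a disabled seal: Vault 1.1.1+ infers the Shamir target,
        # 1.1.0 needs the explicit seal "shamir" {} stanza as well.
        return f"migrate {disabled[0]} -> shamir (implicit target; requires Vault >= 1.1.1)"
    return f"migrate {disabled[0]} -> {enabled[0]}"


def lint(text):
    """Return (plan, None) on success or (None, error message) on failure."""
    try:
        return migration_plan(parse_config(text)), None
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return None, str(exc)


if __name__ == "__main__":
    for name, text in [("broken", BROKEN_JSON), ("duplicate", DUPLICATE_KEY_JSON),
                       ("migrate-back", MIGRATE_BACK_JSON)]:
        print(name, lint(text))
```

Run it against a real config file with `lint(open(path).read())`; anything other than a `(plan, None)` result means Vault will either fail to parse the file or will not enter seal migration mode for the reason the message gives.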

MS

Apr 17, 2019, 8:51:57 AM
to Vault
Hi,

I upgraded to v1.1.1 and this issue was fixed; I was able to revert back to Shamir. Thanks :)
However, after the upgrade I faced the below issue:

Is this fix going to be available in 1.1.2? What is the ETA?

Becca Petrin

Apr 17, 2019, 1:13:49 PM
to Vault
Hi MS,

Yes, that will be included in our next release. Good news, though, a workaround does exist, more here: https://www.vaultproject.io/docs/upgrading/upgrade-to-1.1.1.html

-Becca

MS

Apr 18, 2019, 3:30:07 AM
to Vault
Got it, many thanks for your help:)