Vault unseal issue


jagad...@grovo.com

May 30, 2018, 5:47:47 AM
to Vault
Dear Team,

In my environment we are currently using Vault version 0.6.3. Recently, on one of the servers, we tried to unseal the vault using the command "vault unseal".

But when we try to unseal the vault, it shows the message below. Can someone please advise how to resolve the issue?

root@ip-xxx-xx-xx-xxx:~# vault unseal
Key (will be hidden):
Error: Error making API request.

URL: PUT https://xxx.xx.xx.xxx:8200/v1/sys/unseal
Code: 400. Errors:

* invalid key: key is longer than maximum 33 bytes

Note: I have removed the IP address in the above output.

Anshu Prateek

May 30, 2018, 5:58:44 AM
to vault...@googlegroups.com
Looks like a copy paste error in key based on the error message.

regards
Anshu Prateek
+91.991.610.2967

Anshu Prateek

May 30, 2018, 6:18:21 AM
to vault...@googlegroups.com
1) You should never share any of your secrets like the key above. You should rotate whatever the above key was.
2) It's definitely not the right key. Where did you obtain the above key?
The key required for unsealing is obtained during vault init or vault key rotate.


So your key would look like

Key 1: EDj4NZK6z5Y9rpr+TtihTulfdHvFzXtBYQk36dmBczuQ
Key 2: sCkM1i5BGGNDFk5GsqtVolWRPyd5mWn2eZG0gUySiCF7
Key 3: e5DUvDIH0cPU8Q+hh1KNVkkMc9lliliPVe9u3Fzbzv38


(above shared from doc above).

On Wed, 30 May 2018 at 15:41 jagadeeshb via Vault <vault...@googlegroups.com> wrote:
Hello Prateek,

I am entering the unseal key below. While entering this key, it shows the error message "invalid key: key is longer than maximum 33 bytes". Please advise: do we need to decrypt the key? If yes, can you please advise how to decrypt it?

Key :
wcBMA8qLxHBwLnw4AQgAMkwS5sbFbOQF7tqOMIdOswpqww8Z+FPl2ydwW0dZ1U5gw7K7nxzpZUcs0myTOLkV23QuaU6AmmILjSXwMvLXMq2Dvhlny2G9givh2D52xX99Q2OLER3oXKhQ02YJZUIEkU2WMY3Xo7IXWelrw7kNEw22I1Jt/rNQfmw5K55Oju1/HiWm7Fm66FmQv+Fzd1dL/TUODF1dgYc+JGU6f6eqgwjCtoo04K7NW0i9pZpCWDG1uxkxR+CLxfRDJcbY4VVJOmLKjmFAILE6PhsHDXF45zBsgfNhQF2ZIrg14W3zcIBmx30Bd9c7w0VeMb2Y+4wiEnQq0H2G6gmBeja1xeU8StLgAeQpBP+elV2xDqTXRyb+16jl4e6B4GDggeHKa+DL4owJcEzgaea1L4HcydQnX41Kn3PJUOYGavthuocq+

Thanks 
Jagadeesh 


jagad...@grovo.com

May 30, 2018, 6:29:44 AM
to Vault
Hello Prateek,

Thanks for the information. In my environment the vault was configured almost a year ago. It seems we don't have the correct unseal keys. Currently we are facing a vault unseal issue on one of the servers; we are unable to unseal the vault. Please advise how to proceed and unseal the vault. Can you please suggest?

Thanks 



jagad...@grovo.com

May 30, 2018, 6:55:25 AM
to Vault
Hello Prateek,

The key I mentioned in my previous mail is not the correct/complete one, so I mentioned it as an example key. I meant to say that the key was that long. As per your reply, the key should not be that long, correct? Can you please advise how to get the unseal keys? I have also tried the vault init command, and it shows that Vault is already initialized.

root@ip-xxx-xx-xx-xxx:~# vault init
Error initializing Vault: Error making API request.

Code: 400. Errors:

* Vault is already initialized
root@ip-xxx-xx-xx-xxx:~#

Thanks

Anshu Prateek

May 30, 2018, 7:10:42 AM
to vault...@googlegroups.com
You cannot re-init the vault if it's already running. It's only doable the first time vault is initialized.
Also, if you do not have the existing unseal keys, recovery or regenerating/rotating the keys is unlikely.

I will let someone from HashiCorp comment on the same.

One possibility is that the key has been shared with you in some encrypted format. Find out from the original owners how it was encrypted and how you can decrypt the same.

To avoid such issues in the future, you may look at using PGP keys from various people.


Or you can store the keys in some password manager.





Chris Hoffman

May 30, 2018, 8:59:28 AM
to vault...@googlegroups.com
It looks like the keys may be PGP encrypted. This is an option on the CLI when creating unseal keys, and you can either provide the public key or a keybase username to encrypt.


Chris

jagad...@grovo.com

May 30, 2018, 10:08:30 AM
to Vault

Hello Chris,

Whoever created those vault unseal keys is no longer in the organization. Is it possible to decrypt those unseal keys now and use them for unsealing the vault? If yes, can you please let us know the steps?

Thanks 



Chris Hoffman

May 30, 2018, 10:12:05 AM
to vault...@googlegroups.com
Unfortunately if you don’t have the private key to decrypt the unseal keys and don’t have a backup, there isn’t much you can do.  Usually unseal keys are created in sets where only a certain number of them are required to unseal.  

Chris

jagad...@grovo.com

May 31, 2018, 7:32:57 AM
to Vault
Hi Chris/Prateek,

We see some PGP keys are available in the environment. Can you please advise how to decrypt the unseal keys with the PGP keys? We have the PGP keys in text format. Kindly suggest how to proceed.

Thanks

Choffman

May 31, 2018, 7:35:35 AM
to Vault-Tool

jagad...@grovo.com

May 31, 2018, 7:57:22 AM
to Vault
Hi Chris,

When we decrypt the unseal key, we are seeing the error "decrypt error: unable to find a PGP decryption key for this message"

echo "wcBMAximJ1EI0+K2AQgAp/DxtOujz6F+q//YchigYhB1excy6V3gR8A7QhXb/yAa7Fiv/V4+ez0xO1WpUH6V/5Q5RdY1mrLBtvixMwXl6RDbc3qQza3o0FDOL3iINq1bdsL+xms1pktTI9JX+GrGvoJKLtUEbcqmDVl849eayocszLH2ig4M3XN/hs1jzdHewweApmcVvyGjvbiEda2DvLuDGoZHq5vagGD0gHmxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxA" | base64 -d | keybase pgp decrypt

▶ ERROR decrypt error: unable to find a PGP decryption key for this message

Thanks 

jagad...@grovo.com

May 31, 2018, 11:51:00 AM
to Vault
Hi,

Can someone please advise on this?

Thanks & Regards
Jagadeesh Babu

Jeff Mitchell

May 31, 2018, 12:24:47 PM
to Vault
Hi Jagadeesh,

At this point you are probably best off looking for PGP/GPG resources/guides to help you with decryption -- people on this list use it, but are likely not experts. Depending on the software you're trying to use, your key configuration, and so on, it may not be a simple ask.

Best,
Jeff

Chris Hoffman

May 31, 2018, 12:38:10 PM
to vault...@googlegroups.com
I’m not sure if there is much more to suggest.  Unfortunately, if you don’t have the correct pgp key to decrypt your unseal keys, there is no way to recover them.  You could still try gpg directly and remove the keybase pgp from the mix, but there is still a requirement to have the correct keys.

Chris
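
A diagnostic for the situation in this thread, added here as an example and not code from Vault or from any poster: it decodes a pasted key, applies the 33-byte limit quoted in the error message, and, when the value is instead an OpenPGP public-key-encrypted session key packet, reports the recipient key ID whose private key is needed for decryption. The hex-then-base64 decoding order and all function names are assumptions; both sample inputs are constructed.

```python
import base64

MAX_SHARE_LEN = 33  # limit quoted in the error message in this thread

def decode_key(text):
    """Decode a pasted key: hex first, then base64 (order is an assumption)."""
    text = "".join(text.split())
    try:
        return bytes.fromhex(text)
    except ValueError:
        return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)

def pkesk_key_id(raw):
    """Recipient key ID if raw starts with an OpenPGP PKESK packet (tag 1, v3)."""
    if len(raw) < 2 or not raw[0] & 0x80:
        return None
    if raw[0] & 0x40:                       # new-format packet header
        tag, first = raw[0] & 0x3F, raw[1]
        if first < 192:
            hdr = 2
        elif first < 224:
            hdr = 3
        elif first == 255:
            hdr = 6
        else:
            return None                     # partial body length
    else:                                   # old-format packet header
        tag, ltype = (raw[0] >> 2) & 0x0F, raw[0] & 0x03
        if ltype == 3:
            return None                     # indeterminate length
        hdr = 1 + (1, 2, 4)[ltype]
    body = raw[hdr:]
    if tag != 1 or len(body) < 10 or body[0] != 3:
        return None
    return body[1:9].hex().upper()          # 8-byte key ID follows the version

def classify(text):
    try:
        raw = decode_key(text)
    except ValueError:
        return ("not-hex-or-base64", None)
    if 0 < len(raw) <= MAX_SHARE_LEN:
        return ("plausible-share", len(raw))
    key_id = pkesk_key_id(raw)
    return ("pgp-encrypted", key_id) if key_id else ("unrecognized", len(raw))

# Constructed samples: a 33-byte dummy share and a dummy PKESK packet header.
SAMPLE_SHARE = base64.b64encode(bytes(range(33))).decode()
SAMPLE_PGP = base64.b64encode(bytes.fromhex("c1c04c030123456789abcdef01") + bytes(258)).decode()
```

Running `gpg --list-packets` on the decoded bytes reports the same key ID, which can be compared against the key IDs of the PGP keys found in the environment.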