Vault unseal failed with 'Invalid Keys' after operator migrate


Sharul Agrawal

May 16, 2019, 8:23:03 AM
to Vault
Hi,

I used the operator-migrate command to migrate old Vault data that was in an AWS Aurora MySQL RDS instance to DynamoDB.

The 'vault status' before the migration was:
 # vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.1.0
HA Enabled         false

After successful completion of the migration (which I could see from the logs), when I try to access Vault, I am unable to unseal it with the set of keys I have.
Error "Error
Unseal failed, invalid key"

I am sure that the keys are correct. The vault status is the same { initialized=true, sealed=true }.

Kindly let me know how I should proceed with unsealing it. Does this have something to do with after-effects of the migration?

Sharul Agrawal

May 20, 2019, 1:54:30 AM
to Vault
Can somebody please help me on this?

Michel Vocks

May 20, 2019, 4:32:18 AM
to Vault
Hi there,

The Vault migration command only copies the data from one storage format to another. Existing data _should_ never be changed, since this also works when the Vault instance is sealed (only encrypted data is available).
Therefore, I can't think of a possible way that the Shamir keys were modified during the migration.

Are you sure that the Shamir keys used are correct? E.g., do they still work on the source Vault instance?
What configurations do you use for both instances?

Cheers,
Michel 