You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
After migrating from Shamir seal type to Transit Autounseal, v1/sys/seal-status response fails to return "transit" as the seal type even though the seal has been migrated successfully according to logs within the vault instance.
To Reproduce
Steps to reproduce the behavior:
Start a vault cluster with regular shamir seal type.
Setup a transit engine in a different vault cluster to act as the transit auto unseal endpoint for this cluster.
Expected behavior
seal-status HTTP API should return the "type" as "transit" rather than "shamir".
Environment:
Vault Server Version (retrieve with vault status):
/ $ vault status
Key Value
--- -----
Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares 5
Threshold 3
Version 1.12.7
Build Date 2023-06-06T18:12:20Z
Storage Type raft
Cluster Name vault-cluster-26beabf9
Cluster ID 35853f86-7813-79b9-29f7-0e89f30d2a3c
HA Enabled true
HA Cluster https://vault-0.vault-internal:8201
HA Mode standby
Active Node Address https://10.190.2.93:8200
Raft Committed Index 2264623
Raft Applied Index 2264623
Vault CLI Version (retrieve with vault version):
/ $ vault version
Vault v1.12.7 (54c721017a52d7b94ec5bd4e570e7cdfc9e021a1), built 2023-06-06T18:12:20Z
Additional context
Restarting the vault instance post seal migration does not result in the issue getting fixed. seal-status API continues to report "shamir" instead of "transit".
The text was updated successfully, but these errors were encountered:
Thanks for taking the time to report the issue. I've tried a seal migration and I believe the issue you reported has been addressed on newer releases from the revision you are reporting the issue on (Vault 1.12.7). The following is what I see post migration from a Shamir to Transit seal on Vault 1.17.1.
$ vault operator unseal -migrate
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type transit
Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares 1
Threshold 1
Version 1.17.1
Build Date 2024-06-25T16:33:25Z
Storage Type file
Cluster Name vault-cluster-e8015a46
Cluster ID 6aa9768e-6f6f-8c7b-7041-36322e740708
HA Enabled false
$ vault read /sys/seal-status
Key Value
--- -----
build_date 2024-06-25T16:33:25Z
cluster_id 6aa9768e-6f6f-8c7b-7041-36322e740708
cluster_name vault-cluster-e8015a46
initialized true
migration false
n 1
nonce n/a
progress 0
recovery_seal true
recovery_seal_type shamir
sealed false
storage_type file
t 1
type transit
version 1.17.1
Based on the above output, I'm going to close this issue. Please feel free to re-open if I've incorrectly diagnosed anything.
Describe the bug
After migrating from Shamir seal type to Transit Autounseal, v1/sys/seal-status response fails to return "transit" as the seal type even though the seal has been migrated successfully according to logs within the vault instance.
To Reproduce
Steps to reproduce the behavior:
https://developer.hashicorp.com/vault/docs/concepts/seal#migration-post-vault-1-5-1
Expected behavior
seal-status HTTP API should return the "type" as "transit" rather than "shamir".
Environment:
vault status
):vault version
):Linux/AMD64
Vault server configuration file(s):
seal-transit-config.hcl
Additional context
Restarting the vault instance post seal migration does not result in the issue getting fixed. seal-status API continues to report "shamir" instead of "transit".
The text was updated successfully, but these errors were encountered: