Introduction
Problem
Performing certain Vault Replication operations triggers a full seal rewrap when Seal High Availability is enabled.
The Vault operational logs at server log level TRACE show:
[TRACE] UNWRAP exact key ID match decrypt success: sealWrapper.Name=awskms sealWrapper.Wrapper.KeyId=arn:aws:kms:us-east-*:9636******06:key/df2e****-****-****-****-********5984
[TRACE] decrypted value using seal: seal_name=awskms
[DEBUG] sealwrap: upgrading key entry: key=wal/logs/00000000/0ea3
[TRACE] sealwrap: wrapping entry: key=wal/logs/00000000/0ea3
[TRACE] encrypted value using seal: seal=awskms KeyId=arn:aws:kms:us-east-*:9636******06:key/df2e****-****-****-****-********5984
[TRACE] successfully encrypted value: encryption seal wrappers=1 total enabled seal wrappers=1
[DEBUG] replication.index.perf: flushed dirty pages: pages_flushed=1 pages_outstanding=1
[DEBUG] sealwrap: unwrapping entry: key=wal/logs/00000000/0ea6
[TRACE] UNWRAP exact key ID match decrypt success: sealWrapper.Name=awskms sealWrapper.Wrapper.KeyId=arn:aws:kms:us-east-*:9636******06:key/df2e****-****-****-****-********5984
[TRACE] decrypted value using seal: seal_name=awskms
Prerequisites (if applicable)
- Vault Enterprise Edition
- Seal High Availability
- Vault versions up to Vault Enterprise Edition 1.20.x
Cause
The behavior is observed when enable_multiseal = true is specified in the Vault configuration file and one or more seals are configured. The resulting rewrap might impact the performance of Vault clusters and could add delays to, for example, a Vault Disaster Recovery failover procedure.
The following currently known Vault Replication operations initiate a full seal rewrap process in the background when enable_multiseal = true is specified in the Vault configuration file:
- A full seal rewrap occurs when enabling or disabling DR or PR replication on a Vault DR / PR Primary.
- A full seal rewrap occurs when promoting a DR or PR Secondary to Vault DR / PR Primary.
- A full seal rewrap occurs when demoting a (former) DR or PR Primary to Vault DR / PR Secondary.
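As an added example (not from this article or from HashiCorp), a small Python scan that counts the sealwrap "upgrading key entry" lines in a TRACE-level operational log window, so an operator can confirm that a background rewrap is running after one of the operations above and whether each wrap reached every enabled seal. The log lines and the KMS key ARN are constructed placeholders in the format shown in the Problem section.

```python
import re
from collections import Counter

# Constructed sample in the shape of the TRACE/DEBUG lines above; the KMS key ARN is a placeholder.
SAMPLE_LOG = """\
[DEBUG] sealwrap: upgrading key entry: key=wal/logs/00000000/0ea3
[TRACE] sealwrap: wrapping entry: key=wal/logs/00000000/0ea3
[TRACE] encrypted value using seal: seal=awskms KeyId=arn:aws:kms:us-east-1:000000000000:key/EXAMPLE-KEY-ID
[TRACE] successfully encrypted value: encryption seal wrappers=1 total enabled seal wrappers=1
[DEBUG] sealwrap: upgrading key entry: key=wal/logs/00000000/0ea6
[TRACE] sealwrap: wrapping entry: key=wal/logs/00000000/0ea6
[TRACE] encrypted value using seal: seal=awskms KeyId=arn:aws:kms:us-east-1:000000000000:key/EXAMPLE-KEY-ID
[TRACE] successfully encrypted value: encryption seal wrappers=1 total enabled seal wrappers=1
[DEBUG] sealwrap: upgrading key entry: key=wal/logs/00000001/0001
[TRACE] encrypted value using seal: seal=awskms KeyId=arn:aws:kms:us-east-1:000000000000:key/EXAMPLE-KEY-ID
[TRACE] successfully encrypted value: encryption seal wrappers=1 total enabled seal wrappers=1
"""

UPGRADE_RE = re.compile(r"sealwrap: upgrading key entry: key=(\S+)")
ENCRYPT_RE = re.compile(r"encrypted value using seal: seal=(\S+)")
WRAPPERS_RE = re.compile(r"encryption seal wrappers=(\d+) total enabled seal wrappers=(\d+)")

def summarize_rewrap(log_text):
    """Count entries re-wrapped in this log window, grouped by key prefix and by seal,
    and flag wraps that did not reach every enabled seal wrapper (multi-seal case)."""
    upgraded = []
    by_seal = Counter()
    partial_wraps = 0
    for line in log_text.splitlines():
        if m := UPGRADE_RE.search(line):
            upgraded.append(m.group(1))
        elif m := ENCRYPT_RE.search(line):
            by_seal[m.group(1)] += 1
        elif m := WRAPPERS_RE.search(line):
            if int(m.group(1)) < int(m.group(2)):
                partial_wraps += 1
    by_prefix = Counter(k.rsplit("/", 1)[0] for k in upgraded)
    return {
        "upgraded_entries": len(upgraded),
        "by_prefix": dict(by_prefix),
        "by_seal": dict(by_seal),
        "partial_wraps": partial_wraps,
    }

def rewrap_in_progress(log_text, min_entries=2):
    """A burst of key-entry upgrades is the signature of the background rewrap;
    the threshold avoids treating one isolated upgrade as a full rewrap."""
    return summarize_rewrap(log_text)["upgraded_entries"] >= min_entries
```

Run it against a window of the operational log captured right after a promote, demote or enable/disable replication call; a rising upgraded_entries count over successive windows means the rewrap is still running.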
Overview of possible solutions (if applicable)
Solutions:
The issue has been resolved in Vault Enterprise versions 1.16.27, 1.19.11, 1.20.5, 1.21.0 and newer.
The only currently known workaround for older Vault versions, besides waiting for the rewrap to complete, is to disable Seal High Availability prior to performing the replication operations listed above.
Additional Information
Vault Documentation Wrap seals with encryption
Vault Documentation Configure high availability for Vault seals