Introduction
When running the Vault rekey command with values for key-shares and key-threshold, the output always reports "New Shares 1" and "New Threshold 1", even though values other than 1 were specified. Below is an example of the command with -key-shares=3 and -key-threshold=2, where the output still shows both values as 1:
$ vault operator rekey -init -key-shares=3 -key-threshold=2 -status=true
WARNING! If you lose the keys after they are returned, there is no recovery.
Consider canceling this operation and re-initializing with the -pgp-keys flag
to protect the returned unseal keys along with -backup to allow recovery of
the encrypted keys in case of emergency. You can delete the stored keys later
using the -delete flag.
Key Value
--- -----
Nonce xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Started true
Rekey Progress 0/3
New Shares 1
New Threshold 1
Verification Required false
Cause
When running the rekey operation while Vault is using an HSM or Cloud KMS based auto-unseal, the rekey target must be set to recovery (-target=recovery). Without it, the command acts on the barrier keys, which are not managed as Shamir shares under auto-unseal, so the requested share and threshold values are not applied.
Solution
When rekeying a Vault cluster that uses auto-unseal, you need to specify -target=recovery, as described in the NOTE section of the tutorial. Please follow this KB for the complete steps and guidance on how to rekey when using the auto-unseal feature.
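As an added example (not code from this KB or from HashiCorp), a small POSIX shell helper that picks the rekey target from the seal status and then checks the rekey status rows against the values that were requested. It assumes the "recovery_seal" field of `vault status -format=json` and the row layout shown above; the function names rekey_target, rekey_init_cmd and rekey_status_ok are my own.

```shell
#!/bin/sh
# Added example, not code from the KB above: choose -target from the seal
# status and verify that the rekey status really reflects the requested
# shares and threshold. Assumes the JSON shape of `vault status -format=json`.

# Constructed sample of `vault status -format=json` for an auto-unsealed cluster.
SAMPLE_STATUS_KMS='{ "type": "awskms", "sealed": false, "recovery_seal": true }'
# Constructed sample for a cluster using plain Shamir unseal keys.
SAMPLE_STATUS_SHAMIR='{ "type": "shamir", "sealed": false, "recovery_seal": false }'
# Constructed rekey status rows reproducing the symptom from the article.
SAMPLE_REKEY_STATUS='Rekey Progress 0/3
New Shares 1
New Threshold 1'

# rekey_target STATUS_JSON: prints "recovery" when the cluster is auto-unsealed
# (HSM or cloud KMS, recovery_seal true), otherwise the default "barrier".
rekey_target() {
  if printf '%s' "$1" | tr -d ' \n\t' | grep -q '"recovery_seal":true'; then
    echo recovery
  else
    echo barrier
  fi
}

# rekey_init_cmd SHARES THRESHOLD STATUS_JSON: prints the rekey -init command
# with the right -target for this cluster.
rekey_init_cmd() {
  printf 'vault operator rekey -init -target=%s -key-shares=%s -key-threshold=%s -status=true\n' \
    "$(rekey_target "$3")" "$1" "$2"
}

# rekey_status_ok SHARES THRESHOLD < rekey_status_output: succeeds only when the
# "New Shares" and "New Threshold" rows match what was requested; the article's
# symptom (both rows reading 1) fails this check.
rekey_status_ok() {
  status=$(cat)
  shares=$(printf '%s\n' "$status" | awk '/^New Shares/ {print $NF}')
  threshold=$(printf '%s\n' "$status" | awk '/^New Threshold/ {print $NF}')
  [ "$shares" = "$1" ] && [ "$threshold" = "$2" ]
}

# Usage: print the corrected command, then validate a captured status output.
rekey_init_cmd 3 2 "$SAMPLE_STATUS_KMS"
if printf '%s\n' "$SAMPLE_REKEY_STATUS" | rekey_status_ok 3 2; then
  echo "rekey parameters applied"
else
  echo "rekey parameters not applied: check -target"
fi
```

Run it against the real `vault status -format=json` output and the output of `vault operator rekey -status` to confirm the new shares and threshold took effect before distributing the new keys.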