Introduction
Problem
When running the Vault rekey command with values for -key-shares and -key-threshold, the output always reports "New Shares 1" and "New Threshold 1", even though values other than 1 were specified.
Below is an example of the command, specifying -key-shares as 3 and -key-threshold as 2:
$ vault operator rekey -init -key-shares=3 -key-threshold=2 -status=true
WARNING! If you lose the keys after they are returned, there is no recovery.
Consider canceling this operation and re-initializing with the -pgp-keys flag
to protect the returned unseal keys along with -backup to allow recovery of
the encrypted keys in case of emergency. You can delete the stored keys later
using the -delete flag.
Key                    Value
---                    -----
Nonce                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Started                true
Rekey Progress         0/3
New Shares             1
New Threshold          1
Verification Required  false
Prerequisites
- You are running the vault rekey operation.
Cause
- This happens because Vault is using an HSM or Cloud KMS based auto-unseal. With auto-unseal the barrier key is protected by the HSM/KMS and has a single share, so a rekey that targets the barrier reports 1 share and a threshold of 1; the keys operators hold on such a cluster are recovery keys, not unseal keys.
Solutions
- Specify the -recovery option when rekeying Vault, as described in the NOTE section of the tutorial. Follow this KB for the complete steps and guidance to resolve this issue.
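A quick check that a practitioner can run before continuing with a rekey: parse the "New Shares" and "New Threshold" rows of the -status output and compare them with the values that were requested, so a rekey that silently targeted the barrier on an auto-unseal cluster is caught before any keys are distributed. This is an added example written for this article, not a script from HashiCorp or from the KB; the sample output is constructed to mirror the table shown above, and the function names rekey_field and check_rekey are this example's own. In practice the real command output would be captured into the variable instead of the constructed sample.

```shell
#!/bin/sh
# Added example (not part of the original KB): verify that a
# `vault operator rekey -init ... -status=true` report reflects the
# requested key-shares and key-threshold.

# Constructed sample, mirroring the output shown in the article.
SAMPLE_OUTPUT='Key                    Value
---                    -----
Nonce                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Started                true
Rekey Progress         0/3
New Shares             1
New Threshold          1
Verification Required  false'

# rekey_field OUTPUT KEY
# Prints the value column of the row whose key column equals KEY.
# Keys may contain spaces ("New Shares"), so the value is taken as the
# last whitespace-separated field and the key as everything before it.
rekey_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        {
            val = $NF
            sub(/[[:space:]]+[^[:space:]]+$/, "", $0)
            if ($0 == key) { print val; exit }
        }'
}

# check_rekey OUTPUT WANT_SHARES WANT_THRESHOLD
# Returns 0 when Vault reports exactly the requested shares and threshold,
# 1 otherwise (the symptom described in this KB: both come back as 1).
check_rekey() {
    shares=$(rekey_field "$1" "New Shares")
    threshold=$(rekey_field "$1" "New Threshold")
    if [ "$shares" = "$2" ] && [ "$threshold" = "$3" ]; then
        echo "ok: shares=$shares threshold=$threshold"
        return 0
    fi
    echo "mismatch: requested shares=$2 threshold=$3, Vault reports shares=$shares threshold=$threshold" >&2
    echo "if this cluster uses auto-unseal, rekey the recovery keys instead (see the Solutions section)" >&2
    return 1
}

# Usage: compare the constructed sample against the request from the article (3 shares, threshold 2).
check_rekey "$SAMPLE_OUTPUT" 3 2 || true
```

The mismatch branch is exactly the situation in this article: shares and threshold both reported as 1 against a request of 3 and 2. Cancelling the rekey with -cancel and restarting it against the recovery keys is the correct reaction rather than proceeding with the 1/1 barrier rekey.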