When attempting to either rekey or initialise Vault you may receive the following error:
invalid rekey seal configuration: error parsing given PGP key: openpgp: invalid data: tag byte does not have MSB set
This error is logged when Vault is unable to read one of the supplied PGP key files.
Overview of possible causes & solutions
Confirm that the permissions for each of the files on disk containing a PGP key are suitable for reading by the Vault process.
Confirm that the names of the files supplied as part of the command are correct and match the names of the files on disk.
Confirm that each of the files on disk contain a valid base64 encoded PGP key. An example command and output to successfully validate a file named "bob-pgp-key.asc" would look as follows:
$ base64 -d bob-pgp-key.asc | gpg --show-keys pub ed25519 2022-08-30 [SC] [expires: 2024-08-29] CD99113BE69096AF5106EDBA113F20410B08486B uid bob <firstname.lastname@example.org> sub cv25519 2022-08-30 [E] [expires: 2024-08-29]
- The above command first performs a base64 decode of the file named bob-pgp-key.asc and next utilises the gpg application to confirm if it can validate the PGP key.
If success is still not found create a test Vault instance of one node on your workstation or a suitable environment that is separate from your production environment and attempt to initialise Vault using one key share while supplying one PGP key. If using multiple PGP keys you may need to stop the Vault process after a successful initialisation, delete the backend storage files, and move on to the next PGP key. This process enables you to test each of the PGP keys to identify which key/file is the cause of the issue.
Once Vault has confirmed it is able to read all PGP key files successfully it will begin the requested operation, either rekey or initialisation.
Vault rekey documentation: https://developer.hashicorp.com/vault/docs/commands/operator/rekey#pgp-keys
- Vault initialisation documentation: https://developer.hashicorp.com/vault/docs/commands/operator/init#pgp-keys