vault-recovery-key

This tool decrypts your Vault recovery keys when Vault is auto-unsealed with a cloud KMS.

Vault recovery key decrypter

This tool decrypts your recovery keys. It is commonly used when you have lost them and need to generate a new root token.

Download the binary from the releases page.


This is not an official HashiCorp tool

Use it at your own risk


Usage of ./vault-recover-key:
  -enc-key string
    	Path to the encrypted recovery keys from the storage, found at core/_recovery-key (default "key.enc")
  -env string
    	Environment that hosts the KMS: gcpckms,azurekeyvault,transit,awskms (default "gcpckms")
  -shamir-shares int
    	Number of shamir shares to divide the key into (default 1)
  -shamir-threshold int
    	Threshold number of keys needed for shamir creation (default 1)
  -storageType string
    	Storage type: file or dynamodb


Currently only GCP Cloud KMS, Azure Key Vault and AWS KMS are supported.

The tool needs access to the same KMS key your Vault seal was configured with; it reads the credentials and key identifiers from the environment variables described below.

Environment variables for GCP

For example, if the unseal key in your Vault seal configuration is: projects/rodrigo-support/locations/global/keyRings/name-of-keyring-goes-here/cryptoKeys/name-of-vault-unseal-key-from-keyring-goes-here/cryptoKeyVersions/1

$ export GOOGLE_CREDENTIALS="service-account.json"
$ export GOOGLE_PROJECT="project-id-goes-here"
$ export GOOGLE_REGION="global"
$ export GCPCKMS_WRAPPER_KEY_RING="name-of-keyring-goes-here"
$ export GCPCKMS_WRAPPER_CRYPTO_KEY="name-of-vault-unseal-key-from-keyring-goes-here"

An important note: the KMS-specific environment variables are prefixed GCPCKMS_, not GCPKMS_. Using the wrong prefix is one cause of the gcpckms panic described below.

Environment variables for Azure Key Vault

If your Vault configuration is:

seal "azurekeyvault" {
  client_id      = "YOUR-APP-ID"
  client_secret  = "YOUR-APP-PASSWORD"
  tenant_id      = "YOUR-AZURE-TENANT-ID"
  vault_name     = "rodrigo-key-vault"
  key_name       = "generated-key"
}

then export the vault and key names:

$ export VAULT_AZUREKEYVAULT_VAULT_NAME="rodrigo-key-vault"
$ export VAULT_AZUREKEYVAULT_KEY_NAME="generated-key"

The tenant, client ID and client secret are read from AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET, the same environment variables Vault's azurekeyvault seal accepts for those fields.

Environment variables for AWS KMS

$ export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY_ID_HERE"
$ export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_ACCESS_KEY_HERE"
$ export AWS_SESSION_TOKEN="YOUR_SESSION_TOKEN_HERE"   (optional; only when STS temporary credentials are used)
$ export AWS_REGION="YOUR_KMS_REGION_HERE"             (the region the KMS key lives in)
$ export AWSKMS_WRAPPER_KEY_ID="YOUR_KMS_KEY_ID_HERE"  (the kms_key_id from the Vault HCL seal config)

Encrypted recovery key dump

From file storage (the file backend wraps the value in JSON, base64-encoded under "Value"):

$ cat core/_recovery-key | jq -r .Value | base64 -d > key.enc

From Consul (the key sits under the storage path prefix, vault/ by default):

$ consul kv get -base64 vault/core/recovery-key | base64 -d > consul.key


Azure Key Vault example:

$ ./vault-recover-key -enc-key key.enc -env azurekeyvault -shamir-shares 5 -shamir-threshold 3
INFO[0000] Starting version 0.2
INFO[0000] Starting with environment azurekeyvault
INFO[0000] Setting up for azurekeyvault
DEBU[0000] blobInfo={
	"ciphertext": "sVi/u3CiFwcfiKajC0qK0+pS/St7/mReTN3mGHXN8l3TyDm/BEtGlL8ZapY+flS8",
	"iv": "09CjA+ImIFBw7yYd",
	"key_info": {
		"KeyID": "3d035268cfd34001b34d739c704ceb1f",
		"WrappedKey": "ZzRYVTNraXctLUx2ZzE2Ny1MbG9nanRvY3g5c3ZzcnBQTlNJeVdxdnFYYkJjVHR6UW14d1ZsaFBpdUVKbFliZW9qQk9UYmY5Q1hNQWpmVlAzVllsUDhtNThreW1qZl9IaFllZzAzNXdidmp3ZGZ2R1ZLV1YtSTZiOHJlVU9PdElsYTZTRmFRa3N2a0Y0cFBITGtwUVFoRG1tRVBHQ0huOXlXcUw0Q01XZWE1SDh6N2lRaGRham10cWgxRXZBS05zSWZwazVFaE9LemxWc1U1cXBQWHNhVmU5OVJiRVE1cV93aE11Y01HbzlQcU1ISGlPWmRzWGp3M25YWUc1RDNxUHRLQ3pmT2s5ZkFPUGhxNTktXzBuZm1LNVZqemtoQWpnMmNyT0F0VjVCemhNb3FNU2NhMXNXdXNpeDlId1FHVGNGTmw0SkdnRXRHb0VjMmhRUEp3MGpn"
DEBU[0000] HEX=0X53F336750B4D68C62BCB82CA3D9689D9C4F4261C21968BBCD6803979670C29CC
INFO[0000] Recovery keys

AWS KMS example:

$ ./vault-recovery-key -enc-key ../key.enc -env awskms
INFO[0000] Starting version 0.2
INFO[0000] Starting with environment awskms
INFO[0000] Setting up for awskms
DEBU[0000] blobInfo={
	"ciphertext": "ESGKIwFd/uGtnCJJV86/gwE3oCz6Yx74DMVNRTjSE4U+kVL90jiNLYvPJqh7T8pK",
	"iv": "RcvcMe4xZvI15/Gb",
	"key_info": {
		"Mechanism": 1,
		"KeyID": "arn:aws:kms:us-east-1:ACCOUNT_ID_HERE:key/KMS_KEY_ID_HERE",
		"WrappedKey": "AQICAHjy4AAl3/<<<SNIP>>>GLVdp6dcF/ih+NDDnnJastg=="
DEBU[0000] HEX=0X4124F68E<<<SNIP>>>291DE7114A89B
Recovery key
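The blobInfo printed in the examples above is the envelope the tool has to open: the recovery key itself is encrypted with AES-256-GCM under a random data-encryption key (DEK), and only that DEK is wrapped by the cloud KMS, which is why the tool needs nothing from GCP, Azure or AWS except permission to unwrap WrappedKey. The following Go program is an added illustration of that path using only the standard library; it is not the project's code or HashiCorp's. The cloud client is replaced by a constructed in-process stand-in (localKMS) so the example runs offline, the JSON field names follow the debug output above whereas Vault stores the blob protobuf-encoded, and SealRecoveryKey, OpenRecoveryKey and KMSOp are names chosen here for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// BlobInfo mirrors the tool's DEBU blobInfo output (Vault stores it
// protobuf-encoded at core/_recovery-key; the JSON tags are an assumption here).
type BlobInfo struct {
	Ciphertext string `json:"ciphertext"` // AES-256-GCM output with the tag appended
	IV         string `json:"iv"`         // 12-byte GCM nonce
	KeyInfo    struct {
		KeyID      string `json:"KeyID"`
		WrappedKey string `json:"WrappedKey"` // the DEK as the KMS returned it
	} `json:"key_info"`
}

// KMSOp is a wrap or unwrap call against the KMS; unwrapping is all the tool needs.
type KMSOp func(in []byte) ([]byte, error)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecoveryKey builds the envelope Vault writes at init: a fresh DEK seals
// the recovery key and only the DEK is sent to the KMS to be wrapped.
func SealRecoveryKey(recoveryKey []byte, wrap KMSOp, keyID string) ([]byte, error) {
	buf := make([]byte, 44) // 32-byte DEK followed by a 12-byte nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, iv := buf[:32], buf[32:]
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	wrapped, err := wrap(dek)
	if err != nil {
		return nil, err
	}
	enc := base64.StdEncoding.EncodeToString
	var bi BlobInfo
	bi.Ciphertext, bi.IV = enc(gcm.Seal(nil, iv, recoveryKey, nil)), enc(iv)
	bi.KeyInfo.KeyID, bi.KeyInfo.WrappedKey = keyID, enc(wrapped)
	return json.Marshal(bi)
}

// OpenRecoveryKey is what the tool does with key.enc: unwrap the DEK through the
// configured KMS, then open the ciphertext under the stored IV. A wrong KMS key,
// a tampered blob or a truncated dump fails GCM authentication outright.
func OpenRecoveryKey(blobJSON []byte, unwrap KMSOp) ([]byte, error) {
	var bi BlobInfo
	if err := json.Unmarshal(blobJSON, &bi); err != nil {
		return nil, fmt.Errorf("parse blob: %w", err)
	}
	ct, err1 := base64.StdEncoding.DecodeString(bi.Ciphertext)
	iv, err2 := base64.StdEncoding.DecodeString(bi.IV)
	wrapped, err3 := base64.StdEncoding.DecodeString(bi.KeyInfo.WrappedKey)
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("blob fields are not valid base64")
	}
	dek, err := unwrap(wrapped)
	if err != nil {
		return nil, fmt.Errorf("kms unwrap with %s: %w", bi.KeyInfo.KeyID, err)
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	if len(iv) != gcm.NonceSize() {
		return nil, fmt.Errorf("iv is %d bytes, want %d", len(iv), gcm.NonceSize())
	}
	return gcm.Open(nil, iv, ct, nil) // the 32-byte key the tool prints as HEX=0X...
}

// localKMS is a constructed stand-in for the cloud KMS so the example runs
// offline: the DEK never leaves the "KMS" and WrappedKey is an opaque handle.
type localKMS map[string][]byte

func (k localKMS) Wrap(dek []byte) ([]byte, error) {
	h := fmt.Sprintf("handle-%d", len(k))
	k[h] = append([]byte(nil), dek...)
	return []byte(h), nil
}

func (k localKMS) Unwrap(wrapped []byte) ([]byte, error) {
	if dek, ok := k[string(wrapped)]; ok {
		return dek, nil
	}
	return nil, fmt.Errorf("this KMS did not wrap that key")
}
```

Two things follow from this layout. The identity that must be able to run the tool needs decrypt permission on exactly the KMS key recorded in KeyID, nothing more. And because GCM authenticates the ciphertext, a DEK unwrapped under the wrong key, a blob truncated while dumping it from storage, or an edited ciphertext cannot produce a wrong-but-plausible recovery key; decryption fails instead.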


Troubleshooting

This section lists solutions to problems you might encounter with vault-recovery-key.


Application crashes at runtime when using gcpckms:

$ ./vault-recovery-key -enc-key enc.key -env gcpckms -shamir-shares 5 -shamir-threshold 3
INFO[0000] Starting version 0.2
INFO[0000] Starting with environment gcpckms
INFO[0000] Setting up for gcpckms
DEBU[0000] blobInfo={
  "ciphertext": "rWUAXlSnzRTYlA5MxQ8Cdoz32yRD9Bk6BF00oodgukmFjUmP0tR1EhZd6IvP4KkI",
  "iv": "e1YE0TZ0Z0Yfnwdj",
  "key_info": {
  	"Mechanism": 1,
  	"KeyID": "projects/hc-5d80c603dabb4a669f42e6354a1/locations/global/keyRings/vault-keyring/cryptoKeys/vault-key/cryptoKeyVersions/1",
  	"WrappedKey": "CiQA2AIm8C9WyKu9/uUiNUYyng5nK2fKfX0ZDfR2JPupygg3P50SSAB3Uh/JATR2KCPMmXS3e6gkE3UwBXnFr3Bky06Z83lKS/7QOp4bmJXhcckML17F5MdIFyZXmrFLoi1tN44mEROYiE9TQGcUvA=="
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x56f834]

goroutine 1 [running]:
  /home/ubuntu/vault-recovery-key/main.go:108 +0x6b4


Check the following variables and their values. Confirm that the service account has been granted access to the key ring and the key. Make sure every environment variable is set, most notably the key ring and crypto key variables (they start with GCPCKMS_, not GCPKMS_), and that GOOGLE_PROJECT holds the GCP project ID rather than the project's display name.

$ export GOOGLE_CREDENTIALS="service-account.json"
$ export GOOGLE_PROJECT="project-id-goes-here"
$ export GOOGLE_REGION="global"
$ export GCPCKMS_WRAPPER_KEY_RING="name-of-keyring-goes-here"
$ export GCPCKMS_WRAPPER_CRYPTO_KEY="name-of-vault-unseal-key-from-keyring-goes-here"

Additional information

Tested and verified to work against Vault 1.8.1 and 1.9.3 using gcpckms auto-unseal.


