The keys that will be stored are:

- `vault-root`, which is the Vault's root token
- `vault-unseal-N`, where `N` is a number starting at 0 up to the maximum defined minus 1, e.g. 5 unseal keys will be `vault-unseal-0` up to and including `vault-unseal-4`

HashiCorp recommends revoking root tokens after the initial setup of Vault has been completed.

To unseal Vault the `vault-root` token is not needed and can be removed from the storage if it was put there via the `--init` call to `bank-vaults`.
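The naming scheme above makes the contents of the key storage easy to audit: for a configured number of shares every `vault-unseal-N` object must be present, and after initial setup the `vault-root` object should no longer be there. The following is an added example (not bank-vaults code) that checks a storage listing against those rules; the listing, the share count and the function names are constructed for the illustration.

```python
"""Audit a listing of a bank-vaults key store (S3/GCS/Azure blob names).

Added example, not part of bank-vaults. Assumes only the naming scheme
documented above: `vault-root` and `vault-unseal-0` .. `vault-unseal-(N-1)`.
"""
import re

UNSEAL_RE = re.compile(r"^vault-unseal-(\d+)$")


def expected_unseal_keys(secret_shares):
    """Object names bank-vaults writes for `secret_shares` unseal keys."""
    if secret_shares < 1:
        raise ValueError("secret_shares must be >= 1")
    return [f"vault-unseal-{i}" for i in range(secret_shares)]


def audit_listing(object_names, secret_shares):
    """Compare a storage listing against the expected key set.

    Returns a dict with:
      missing_unseal_keys  - names that must exist for unsealing but do not
      stray_unseal_keys    - indices >= secret_shares (share-count mismatch or
                             leftovers from an earlier init)
      root_token_present   - True if `vault-root` is still stored; after setup
                             it is not needed for unsealing and can be removed
      can_unseal           - True when every expected unseal key is present
    """
    names = set(object_names)
    expected = expected_unseal_keys(secret_shares)
    missing = [k for k in expected if k not in names]
    stray = []
    for name in sorted(names):
        m = UNSEAL_RE.match(name)
        if m and int(m.group(1)) >= secret_shares:
            stray.append(name)
    return {
        "missing_unseal_keys": missing,
        "stray_unseal_keys": stray,
        "root_token_present": "vault-root" in names,
        "can_unseal": not missing,
    }


# Constructed listing: 5 shares configured, `vault-unseal-3` is missing and the
# root token was never removed after `--init`.
SAMPLE_LISTING = [
    "vault-root",
    "vault-unseal-0",
    "vault-unseal-1",
    "vault-unseal-2",
    "vault-unseal-4",
]

if __name__ == "__main__":
    report = audit_listing(SAMPLE_LISTING, secret_shares=5)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the object names from your bucket listing (for example the `Key` values from `aws s3api list-objects-v2`) and the `secretShares` value used at init; a non-empty `missing_unseal_keys` means the Vault cannot be unsealed from this store, and `root_token_present` after setup is a cue to remove the object.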
To use a KMS-encrypted root token with the `vault` CLI:

- Download the root token file to your local file system
- Decrypt the token and save it as an environment variable:

```bash
export VAULT_TOKEN="$(aws kms decrypt --ciphertext-blob fileb://<encrypted token file> --encryption-context Tool=bank-vaults --query Plaintext --output text | base64 --decode)"
```