How to prevent hashicorp vault from sealing?

Our hashicorp vault deployment on k8s (on premise) seems to seal itself after a few days. I am unable to find a way to keep it always unsealed, so that the applications which are using it do not fail.

Solution 1:[1]

Activate auto-unsealing. Here's my GCP example, in Terraform (I am running Hashicorp Vault on Kubernetes).

# GCP service account that the Vault pods run as (through GKE Workload Identity).
resource "google_service_account" "hashicorp_vault" {
  project      = var.project
  account_id   = "hashicorp-vault"
  display_name = "Hashicorp Vault Service Account"
}

# Allow the Kubernetes service account "hashicorp-vault" in the chart's namespace
# to impersonate the GCP service account above.
resource "google_service_account_iam_member" "hashicorp_vault_iam_workload_identity_user_member" {
  service_account_id = google_service_account.hashicorp_vault.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project}.svc.id.goog[${helm_release.hashicorp_vault.namespace}/hashicorp-vault]"
}

# Least-privilege role: Vault only needs to encrypt/decrypt with the seal key and read its metadata.
resource "google_project_iam_custom_role" "hashicorp_vault_role" {
  project = var.project
  role_id = "hashicorp_vault"
  title   = "Hashicorp Vault"
  permissions = [
    "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cloudkms.cryptoKeys.get",
  ]
}

resource "google_project_iam_member" "cicd_bot_role_member" {
  project = var.project
  role    = google_project_iam_custom_role.hashicorp_vault_role.name
  member  = "serviceAccount:${google_service_account.hashicorp_vault.email}"
}

resource "google_kms_key_ring" "hashicorp_vault" {
  project  = var.project
  location = var.region
  name     = "hashicorp-vault"
}

# The KMS key that wraps Vault's root key. Destroying it makes the Vault data
# unrecoverable, hence prevent_destroy.
resource "google_kms_crypto_key" "hashicorp_vault_recovery_key" {
  name     = "hashicorp-vault-recovery-key"
  key_ring = google_kms_key_ring.hashicorp_vault.id
  lifecycle {
    prevent_destroy = true
  }
}

resource "helm_release" "hashicorp_vault" {
  name             = "hashicorp-vault"
  repository       = "https://helm.releases.hashicorp.com"
  chart            = "vault"
  version          = var.hashicorp_vault_version
  namespace        = "hashicorp-vault"
  create_namespace = true
  # The VAULT_SEAL_TYPE / VAULT_GCPCKMS_* environment variables are the
  # environment-variable form of a `seal "gcpckms" { ... }` stanza in the
  # Vault server configuration.
  set {
    name = "server.extraEnvironmentVars.VAULT_SEAL_TYPE"
    value = "gcpckms"
  }
  set {
    name = "server.extraEnvironmentVars.GOOGLE_PROJECT"
    value = var.project
  }
  set {
    name = "server.extraEnvironmentVars.GOOGLE_REGION"
    value = var.region
  }
  set {
    name = "server.extraEnvironmentVars.VAULT_GCPCKMS_SEAL_KEY_RING"
    value = google_kms_key_ring.hashicorp_vault.name
  }
  set {
    name = "server.extraEnvironmentVars.VAULT_GCPCKMS_SEAL_CRYPTO_KEY"
    value = google_kms_crypto_key.hashicorp_vault_recovery_key.name
  }
  set {
    name = "server.serviceaccount.annotations.iam\\.gke\\.io/gcp-service-account"
    value = google_service_account.hashicorp_vault.email
  }
}

After doing this, I noticed that my Hashicorp Vault pod was in an error state, so I deleted it so it could pick up the new environment variables. Then, it came online with a message indicating that it was ready for "migration" to the new unsealing strategy.

Then, use the operator to migrate to the new sealing strategy:

vault operator unseal -migrate
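Once auto-unseal is in place, the remaining risk is noticing when a node is sealed again (or stuck waiting for the `-migrate` step) before the applications do. The following check is an added example, not part of the answer above or of Vault itself: it reads the unauthenticated `/v1/sys/seal-status` endpoint (the same JSON `vault status -format=json` prints) and turns it into an alert severity. The address, the severity names and the sample document are assumptions constructed for the example.

```python
import json
import urllib.request

# Constructed sample of a /v1/sys/seal-status document: a node that has the new
# seal configured but has not yet been migrated with `vault operator unseal -migrate`.
SAMPLE_SEAL_STATUS = json.dumps({
    "type": "shamir", "initialized": True, "sealed": True,
    "t": 3, "n": 5, "progress": 0, "nonce": "", "version": "1.15.0",
    "migration": True, "recovery_seal": False, "storage_type": "raft",
})


def classify_seal_status(doc):
    """Map a seal-status document to (severity, message) for a monitoring alert."""
    if not doc.get("initialized", False):
        return "critical", "vault is not initialized"
    if doc.get("sealed", True):
        if doc.get("migration", False):
            return ("critical",
                    "sealed and seal migration pending: run "
                    "`vault operator unseal -migrate` with the unseal keys")
        return ("critical",
                f"sealed ({doc.get('type')}); unseal progress "
                f"{doc.get('progress', 0)}/{doc.get('t', '?')}")
    if doc.get("type") == "shamir":
        # Unsealed for now, but a pod restart seals it again until an
        # auto-unseal seal (e.g. gcpckms) is configured and migrated to.
        return ("warning",
                "unsealed, but seal type is shamir: the next restart will seal it again")
    return "ok", f"unsealed with auto-unseal seal type {doc.get('type')}"


def fetch_seal_status(addr="http://127.0.0.1:8200", timeout=5):
    """Read /v1/sys/seal-status; the endpoint is unauthenticated, so no token is needed."""
    with urllib.request.urlopen(f"{addr}/v1/sys/seal-status", timeout=timeout) as resp:
        return json.load(resp)


def check(raw_json):
    """Classify a raw seal-status JSON string (used on the constructed sample)."""
    return classify_seal_status(json.loads(raw_json))


if __name__ == "__main__":
    severity, message = check(SAMPLE_SEAL_STATUS)
    print(severity, message)
```

Run it from a CronJob or a Prometheus exporter sidecar against each Vault pod; only the "ok" result means the node will survive a restart without manual unseal keys.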

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Cameron Hudson