Unseal vault container or decrypt stored secret with access to container and initial root token
I lost the unseal keys for a test Vault container. I am able to exec into the container and have the initial root token.
Is there a possibility to re-key or unseal the vault using the root token?
Or decrypt the value under /vault/file/logical/xxx/ ?
Does this document help? https://developer.hashicorp.com/vault/docs/concepts/seal#rekeying Please let me know if you have more questions!
I looked at rekeying but it requires the vault to be unsealed.
Usage: vault operator rekey [options] [KEY]
Generates a new set of unseal keys. This can optionally change the total
number of key shares or the required threshold of those key shares to
reconstruct the master key. This operation is zero downtime, but it requires
the Vault is unsealed and a quorum of existing unseal keys are provided.
In my case the vault is sealed, as I lost the unseal keys and only have the initial root token and access to vault container volume, where I can see the encrypted data.
Thus I wanted to check if there is a possibility to unseal or decrypt using the initial root token or the encrypted keys from the volume data.
If you've lost the unseal keys, and you don't have an active running unsealed Vault process, everything has been lost.
There's nothing to do other than wipe it all and start from scratch.
Since it's been a while since we've heard from you on this issue, I'm going to go ahead and close it now. Please feel free to open a new issue if you need. Thanks! :)