Vault Transit Key Migration

When you migrate a platform from one infrastructure to another, you may reach a point where you also need to migrate the Vault Transit keys used to encrypt and decrypt sensitive data.

Export steps

  1. Connect to the old Vault deployment using: vault login
  2. List all available Transit keys via: vault list transit/keys
  3. Make target keys exportable: vault write transit/keys/<key_name>/config allow_plaintext_backup=true exportable=true
  4. Export each key: vault read transit/backup/<key_name>
  5. Make sure to save the output in a safe place!

Import steps

  1. Connect to the new Vault deployment using: vault login
  2. Restore exported keys via: vault write transit/restore/<key_name> backup=@<exported_file>
  3. Check whether they were imported by running: vault list transit/keys
  4. Enjoy!
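
The export and import steps above, scripted for every key at once, as an added example that is not part of the original page. It assumes the engine is mounted at transit, that the backup directory is one you name, and that the function names and TRANSIT_MOUNT variable are illustrative.

```shell
# Added example (not from the original page): bulk export/restore of Transit keys.
# Assumptions: engine mounted at "transit" (override with TRANSIT_MOUNT); the Vault
# address and token target the old deployment for "export", the new one for "restore".
TRANSIT_MOUNT="${TRANSIT_MOUNT:-transit}"
list_keys() {  # key names, one per line, from the pretty-printed JSON array
  vault list -format=json "$TRANSIT_MOUNT/keys" |
    sed -n 's/^ *"\(.*\)",\{0,1\}$/\1/p'
}

export_keys() {
  local dir="$1" key keys
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  keys="$(list_keys)"
  [ -n "$keys" ] || { echo "no transit keys found" >&2; return 1; }
  for key in $keys; do
    # Export step 3. Vault does not let these two flags be switched off again.
    vault write "$TRANSIT_MOUNT/keys/$key/config" \
      allow_plaintext_backup=true exportable=true >/dev/null || return 1
    # Export step 4. -field=backup emits only the backup blob, the value restore
    # expects. The file holds plaintext key material, hence umask 077.
    (umask 077; vault read -field=backup "$TRANSIT_MOUNT/backup/$key" \
      > "$dir/$key.backup") || return 1
    [ -s "$dir/$key.backup" ] || { echo "empty backup: $key" >&2; return 1; }
  done
}

restore_keys() {
  local dir="$1" file
  for file in "$dir"/*.backup; do
    [ -e "$file" ] || { echo "no backups in $dir" >&2; return 1; }
    vault write "$TRANSIT_MOUNT/restore/$(basename "$file" .backup)" \
      "backup=@$file" >/dev/null || return 1
  done
}

verify_keys() {  # import step 3: every exported key must be listed afterwards
  local dir="$1" file key present missing=0
  present="$(list_keys)"
  for file in "$dir"/*.backup; do
    key="$(basename "$file" .backup)"
    printf '%s\n' "$present" | grep -qxF -- "$key" || { echo "missing: $key" >&2; missing=1; }
  done
  return "$missing"
}

case "${1:-}" in
  export)  export_keys "$2" ;;
  restore) restore_keys "$2" && verify_keys "$2" ;;
esac
```

Run it with export and a directory against the old deployment, then with restore and the same directory against the new one. Delete the backup files securely once the keys are verified.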