
I have not found comprehensive documentation on the protocol used to (auto-)unseal HashiCorp's Vault using a Cloud KMS. To my understanding, Vault uses stored API credentials to query the Cloud KMS and (somewhat unclear part) gets access to the master key that is used in the process to unseal the Vault.

I'm about to deploy a Vault server and require an automated method to auto-unseal the Vault after, for example, a power outage. Manual unsealing is not feasible.

I don't see a strong argument favoring a Cloud KMS auto-unseal over a local bash script that unseals Vault using the master key (shard) stored in a file with root-only read access.

Ignoring physical threats, the script and master key file solution still requires root access, whereas the Cloud KMS credentials, Vault config and Vault backend are also accessible with equal or inferior privileges and, to my understanding, also enable an attacker to gain access to the secrets managed.

I also see the ability to unseal Vault without internet access as a benefit in my usage scenario.

I know about the general advantages of a KMS auto-unseal, but for a small, single-server deployment where automated unsealing is still required, do you have any additional concerns? And are the KMS API credentials all that's required to unseal Vault?! How is this supposed to be secure?

xuma202
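The auto-unseal flow the question asks about, modelled as an added example that is not part of the post and not HashiCorp's code: a simulated KMS that holds the key-encryption key and exposes only encrypt/decrypt, a root key that is written to the storage backend only in wrapped form, and an unseal step that therefore needs both the wrapped blob and live decrypt permission. The MockKms class, the `core/wrapped-root-key` storage path and the HMAC-based toy cipher (standing in for the KMS's real AES-GCM) are assumptions of this example; the `enabled` flag and audit list mirror what disabling the key or revoking the IAM binding gives you, which a plaintext shard file cannot.

```python
import hashlib
import hmac
import secrets


class MockKms:
    """Stand-in for a cloud KMS (assumed, not a real SDK): the KEK never leaves
    this object; callers only get encrypt/decrypt, every call is audited, and
    the key can be disabled centrally."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)  # never returned to any caller
        self.enabled = True
        self.audit = []  # (operation, caller) pairs, like a cloud audit log

    def _keystream(self, nonce, n):
        # Toy HMAC-counter keystream; a real KMS uses AES-GCM or similar.
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._kek, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, caller, plaintext):
        self.audit.append(("Encrypt", caller))
        if not self.enabled:
            raise PermissionError("KMS key disabled")
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._kek, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, caller, blob):
        self.audit.append(("Decrypt", caller))
        if not self.enabled:
            raise PermissionError("KMS key disabled")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(hmac.new(self._kek, nonce + ct, hashlib.sha256).digest(), tag):
            raise ValueError("wrapped key tampered with")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def initialize(kms, caller="vault-service-account"):
    """Init with a KMS seal: generate the root key, wrap it, and persist only the
    wrapped form (storage path is an assumption of this example)."""
    root_key = secrets.token_bytes(32)
    storage = {"core/wrapped-root-key": kms.encrypt(caller, root_key)}
    return root_key, storage


def auto_unseal(kms, storage, caller):
    """Startup: read the wrapped blob and ask the KMS to unwrap it. Storage alone
    yields nothing; storage plus credentials works only while the key is enabled."""
    return kms.decrypt(caller, storage["core/wrapped-root-key"])


def unseal_succeeds(kms, storage, caller):
    try:
        return auto_unseal(kms, storage, caller) is not None
    except (PermissionError, ValueError):
        return False
```

Disabling the key (or pulling the service account's decrypt permission) is the revocation lever: the copy of the wrapped root key in the backend becomes useless without any re-keying of Vault, and each unseal leaves a log entry naming the caller.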
