Vault
/sys/sealwrap/rewrap
Enterprise: Appropriate Vault Enterprise license required.
Restricted endpoint: Clients must call the API path from the root namespace.

The /sys/sealwrap/rewrap endpoint is used to rewrap all seal wrapped entries.
This is useful when you want to upgrade seal wrapped entries to use the latest
key, for example, after a seal migration or after rotating the remote keyring.
Read rewrap status
This endpoint reports whether a seal rewrap process is currently running.
| Method | Path |
|---|---|
| GET | /sys/sealwrap/rewrap |
Sample request
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/sealwrap/rewrap
Sample response
{
  "data": {
    "entries": {
      "failed": 0,
      "processed": 30,
      "succeeded": 30
    },
    "is_running": false
  }
}
Start a seal rewrap process
This endpoint starts a seal rewrap process if one is not currently running. The process runs in the background. Check the Vault server logs for status and progress updates.
| Method | Path |
|---|---|
| POST | /sys/sealwrap/rewrap |
The default status codes are:
Sample request
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    http://127.0.0.1:8200/v1/sys/sealwrap/rewrap
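The two calls above can be combined into a post-rotation check that starts a rewrap, polls the status endpoint until `is_running` is false, and fails if any entry did not rewrap. This is an added example, not code from the Vault project. The helper names (`call`, `summarize`, `rewrap_and_wait`) are hypothetical, and it assumes the `entries` counters describe the most recent run and that `is_running` is already true once the POST returns.

```python
import json
import os
import time
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
REWRAP_PATH = "/v1/sys/sealwrap/rewrap"

def call(method, token, addr=VAULT_ADDR):
    """GET reads rewrap status, POST starts a rewrap; returns parsed JSON or {}."""
    req = urllib.request.Request(addr + REWRAP_PATH, method=method,
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else {}  # tolerate an empty response body

def summarize(status):
    """Classify a status response as 'running', 'ok' or 'failed'."""
    data = status["data"]
    entries = data["entries"]
    if data["is_running"]:
        return "running"
    # Assumption: a clean run has no failures and every processed entry succeeded.
    if entries["failed"] == 0 and entries["succeeded"] == entries["processed"]:
        return "ok"
    return "failed"

def rewrap_and_wait(token, fetch=call, interval=5.0, max_polls=720):
    """Start a rewrap unless one is already running, then poll until it stops."""
    if summarize(fetch("GET", token)) != "running":
        fetch("POST", token)
    for _ in range(max_polls):
        status = fetch("GET", token)
        state = summarize(status)
        if state != "running":
            return state, status["data"]["entries"]
        time.sleep(interval)
    raise TimeoutError("seal rewrap still running after polling limit")

if __name__ == "__main__":
    # The token comes from the environment so it never appears in process arguments.
    state, entries = rewrap_and_wait(os.environ["VAULT_TOKEN"])
    print(state, entries)
    raise SystemExit(0 if state == "ok" else 1)
```

A non-zero exit means at least one entry is still wrapped with an older key; the Vault server logs identify which entries failed.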