How to Unseal an Isolated Site
Overview
When a site starts, its Strongbox state is encrypted. Normally, if a single host restarts, it can retrieve the state encryption key (the seal key) from other hosts in the same site. However, if the entire site restarts (e.g., due to a complete power outage), you'll need to provide the encryption key externally. This procedure is known as unsealing the site.
Automatic Unsealing with Control Tower Connectivity
If your site has network connectivity to the Control Tower, and a majority of its hosts are operational, the site automatically requests the seal key from the Control Tower. No manual intervention is needed.
Manual Unsealing without Connectivity
If the site does not have connectivity to the Control Tower, you'll need to manually unseal it. Follow these steps:
Step 1: Retrieve the Remote Seal Key
Execute the following command on a machine with access to the Control Tower:
supctl do system sites udc1 get-remote-sealkey
You'll receive output similar to this:
sealkey: <your-sealkey>
Step 2: Apply the Remote Seal Key Locally
On a host in the isolated site, execute the following command to unseal:
supctl do strongbox system unseal --remote-sealkey <your-sealkey>
Replace <your-sealkey> with the actual key retrieved in step 1. The seal key protects all Strongbox state for the site, so treat it as a secret: a key pasted on the command line is recorded in the shell's history and is visible in the host's process list while the command runs.
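The following script is an added example, not part of Avassa's own tooling, that wraps the two supctl commands above so the key is checked before it is handed to unseal. It assumes the site name udc1 used on this page, that supctl is on PATH on both machines, and that get-remote-sealkey prints a single `sealkey: <value>` line as shown in step 1; the sample outputs in the comments and test are constructed, not real keys.

```sh
#!/bin/sh
# Added example (not Avassa's code): drives the manual unseal procedure.
# Assumptions: site name udc1, `supctl` on PATH, and `get-remote-sealkey`
# output of the form `sealkey: <value>` as shown on this page.

SITE="${SITE:-udc1}"

# Pull the key value out of `get-remote-sealkey` output. Prints the value,
# or prints nothing and returns 1 when there is no non-empty `sealkey:`
# line, so an error message is never passed to `unseal` as if it were a key.
# Surrounding double quotes, if the value is emitted quoted, are stripped.
extract_sealkey() {
    key=$(printf '%s\n' "$1" \
        | sed -n 's/^sealkey:[[:space:]]*//p' \
        | sed -e 's/^"\(.*\)"$/\1/' \
        | head -n 1)
    [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# Step 1, run on a machine that reaches the Control Tower: fetch the key and
# write it to an owner-only file instead of echoing it to the terminal.
fetch_remote_sealkey() {
    out_file="$1"
    output=$(supctl do system sites "$SITE" get-remote-sealkey) || return 1
    key=$(extract_sealkey "$output") || {
        echo "no seal key found in supctl output" >&2
        return 1
    }
    ( umask 077; printf '%s\n' "$key" > "$out_file" )
}

# Step 2, run on a host in the isolated site after the key file has been
# copied over out of band. The key still appears in supctl's process
# arguments while it runs, exactly as with the manual command on this page.
unseal_site() {
    key_file="$1"
    key=$(head -n 1 "$key_file")
    [ -n "$key" ] || { echo "empty key file: $key_file" >&2; return 1; }
    supctl do strongbox system unseal --remote-sealkey "$key"
}

case "${1:-}" in
    fetch)  fetch_remote_sealkey "${2:-sealkey.txt}" ;;
    unseal) unseal_site "${2:-sealkey.txt}" ;;
    *)      echo "usage: $0 fetch|unseal [key-file]" >&2 ;;
esac
```

Run `fetch` where the Control Tower is reachable, move the resulting file to the isolated site by whatever out-of-band channel you trust, run `unseal` there, and delete the file afterwards; the key should not outlive the recovery.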
Automatic Local Unseal without Connectivity
You may configure a site to automatically unseal itself locally, even when isolated from the Control Tower. Be aware:
- The seal key will be stored locally in an encrypted, split form.
- A majority of hosts must be online to reassemble the key and perform the unseal.
- For single-host or two-host setups, the entire key is stored on each host, which reduces security: anyone who obtains the storage of one host obtains the key.
Automatic local unsealing might be suitable if:
- Stored secrets are not highly sensitive.
- Physical security of hosts is robust.
Enabling Automatic Local Unseal
To activate automatic local unsealing without Control Tower connectivity, set allow-local-unseal to true:
supctl merge system sites udc1 <<EOF
allow-local-unseal: true
EOF