Move DEKs between KMS providers -- for example, migrating from AWS KMS to GCP Cloud KMS during a cloud provider switch, or from Vault Transit to Azure Key Vault.
## Command

```bash
# Dry run first
php artisan sealcraft:migrate-provider --from=aws_kms --to=gcp_kms --dry-run

# Execute
php artisan sealcraft:migrate-provider --from=aws_kms --to=gcp_kms
```
For each `DataKey` wrapped under the source provider, Sealcraft:

- Unwraps the DEK using the source provider
- Rewraps it using the destination provider
- Updates the `provider` column on the `DataKey` row

No row ciphertext changes. Reads continue to work before, during, and after migration.
## Prerequisites

- Both providers are configured and credentialed on the running host
- The destination KEK already exists and has the right IAM / RBAC
- Enough runtime for both providers' SDKs / HTTP clients to operate concurrently
## Two-phase migration

For a clean cutover:

1. Configure both providers. Set the new one as `default_provider`.
2. Run `sealcraft:migrate-provider --from=old --to=new`.
3. Run `sealcraft:audit` to confirm every `DataKey` is on the new provider.
4. Decommission the old provider's KEK access.
## Partial / paused migration

If the command is interrupted, rerun it. It is idempotent -- already-migrated DEKs are skipped.
## Event

`DekRotated` fires for each `DataKey` that changed providers. If your audit log needs to distinguish provider migration from KEK rotation, inspect the event's `from` and `to` fields.
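The unwrap / rewrap / update loop described above, the idempotent rerun behaviour, and the `from` / `to` check on the event, modelled in a stand-alone script. This is an added illustration, not Sealcraft's own code: the `KmsProvider` interface, the `LocalKekProvider` stand-in (AES-256-GCM under an in-memory KEK instead of a remote KMS call), the array shape used for `DataKey` rows and the event arrays are all assumptions made for this example. It runs with plain `php` 8 and the openssl extension; no Laravel is needed.

```php
<?php
declare(strict_types=1);

// Illustrative model of a migrate-provider loop. Not Sealcraft's code: the
// interface, the local provider and the row shapes are example assumptions.

interface KmsProvider
{
    public function name(): string;
    public function wrap(string $dek): string;       // wrap a raw DEK under this provider's KEK
    public function unwrap(string $wrapped): string; // inverse of wrap(); fails under the wrong KEK
}

// Stand-in for a remote KMS: AES-256-GCM with a KEK held in memory.
final class LocalKekProvider implements KmsProvider
{
    public function __construct(private string $name, private string $kek) {}

    public function name(): string { return $this->name; }

    public function wrap(string $dek): string
    {
        $iv = random_bytes(12);
        $tag = '';
        $ct = openssl_encrypt($dek, 'aes-256-gcm', $this->kek, OPENSSL_RAW_DATA, $iv, $tag);
        if ($ct === false) throw new RuntimeException("wrap failed on {$this->name}");
        return $iv . $tag . $ct; // 12-byte IV, 16-byte tag, then ciphertext
    }

    public function unwrap(string $wrapped): string
    {
        $dek = openssl_decrypt(substr($wrapped, 28), 'aes-256-gcm', $this->kek,
            OPENSSL_RAW_DATA, substr($wrapped, 0, 12), substr($wrapped, 12, 16));
        if ($dek === false) throw new RuntimeException("unwrap failed on {$this->name}: not under this KEK");
        return $dek;
    }
}

/**
 * Re-wrap every DataKey row whose provider is $from under $to.
 * Rows: ['id' => int, 'provider' => string, 'wrapped_dek' => string].
 * Returns the DekRotated-style events (with from/to) that were, or in a
 * dry run would be, fired.
 */
function migrateProvider(array &$dataKeys, KmsProvider $from, KmsProvider $to, bool $dryRun = false): array
{
    $events = [];
    foreach ($dataKeys as &$row) {
        if ($row['provider'] !== $from->name()) {
            continue; // already migrated (or on a third provider): reruns skip it
        }
        $dek = $from->unwrap($row['wrapped_dek']); // source provider
        $rewrapped = $to->wrap($dek);              // destination provider
        $events[] = ['data_key_id' => $row['id'], 'from' => $from->name(), 'to' => $to->name()];
        if ($dryRun) {
            continue; // example choice: exercise both providers, but write nothing
        }
        $row['wrapped_dek'] = $rewrapped;
        $row['provider']    = $to->name();         // the provider column update
    }
    unset($row);
    return $events;
}

// --- constructed demo data (not real key material) ------------------------
$aws = new LocalKekProvider('aws_kms', random_bytes(32));
$gcp = new LocalKekProvider('gcp_kms', random_bytes(32));

$dek = random_bytes(32);
$dataKeys = [['id' => 1, 'provider' => 'aws_kms', 'wrapped_dek' => $aws->wrap($dek)]];

// A row value encrypted directly under the DEK; this ciphertext never changes.
$iv = random_bytes(12);
$tag = '';
$rowCiphertext = openssl_encrypt('PII value', 'aes-256-gcm', $dek, OPENSSL_RAW_DATA, $iv, $tag);

$planned = migrateProvider($dataKeys, $aws, $gcp, dryRun: true);
printf("dry run: %d DataKey(s) would move; provider column still %s\n", count($planned), $dataKeys[0]['provider']);

$events = migrateProvider($dataKeys, $aws, $gcp);
$again  = migrateProvider($dataKeys, $aws, $gcp); // rerun after completion: nothing left
printf("migrated %d, rerun migrated %d\n", count($events), count($again));

// Read path after migration: unwrap with the new provider, decrypt the untouched row ciphertext.
$dekNow = $gcp->unwrap($dataKeys[0]['wrapped_dek']);
echo openssl_decrypt($rowCiphertext, 'aes-256-gcm', $dekNow, OPENSSL_RAW_DATA, $iv, $tag), "\n";

// Listener logic: a differing from/to means provider migration, not same-provider KEK rotation.
foreach ($events as $e) {
    echo ($e['from'] !== $e['to'] ? 'provider migration' : 'KEK rotation'), ": {$e['from']} -> {$e['to']}\n";
}
```

Running it prints a dry run that moves nothing, one migrated key followed by a rerun that migrates zero, the original plaintext read back through the new provider, and a `provider migration: aws_kms -> gcp_kms` line from the event check. Removing the source KEK (the last step of the two-phase cutover) after this point breaks only `$aws->unwrap`, which no row still needs.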
## Contributors

Thank you to everyone who has contributed to this package. Every pull request, bug report, and idea makes a difference.