kes migrate

The kes migrate command supports migrating master keys from one KMS instance to another KMS instance. For example, you can use the command to migrate a Hashicorp Vault instance to another Hashicorp Vault instance. Or, kes migrate can migrate a Hashicorp Vault instance to or from an AWS Secrets Manager KMS.

The KMS instances do not need to be of the same type or provider.

The migrate command must have direct access to both KMS instances at the same time.

kes migrate         \
    --from <path>   \
    --to <path>     \
    [--force, -f]   \
    [--merge]       \
    [--quiet, -q]   \
    [<pattern>]

Required

Specify the path to the KES config file for the old KMS (the source) you are moving keys from.

Required

Specify the path to the KES config file for the new KMS (the target) you are moving keys to.

Optional

Migrate keys to the new KMS even if a key with the same name exists. The migration process overwrites existing keys on the target server with the keys from the source server when you pass this flag.

Optional

Preserves keys that exist on the target server and only migrates keys from the old server with names that do not exist on the target server.

Optional

Disables the progress information from printing.

Optional

A text pattern with wildcards to use to find specific keys to migrate.

kes migrate --from vault-config.yml --to aws-config.yml

To migrate a subset of all master keys, specify a pattern. Only master keys that match the pattern migrate.

kes migrate --from <source.yml> --target <target.yml> <pattern>

For example:

kes migrate --from source.yml --target target.yml my-key*

To migrate a single master key, specify the key name.

kes migrate --from <source.yml> --target <target.yml> <key-name>

For example:

kes migrate --from source.yml --target target.yml my-master-key