From b19d2a7f54412a69b19698ba48db5734f0cc89cb Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core
 <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Tue, 21 Nov 2023 11:42:53 -0500
Subject: [PATCH] backport of commit 913481fb1f438888fafc15f1131d6091ef8d7c9d
 (#24222)

Co-authored-by: Scott Miller <smiller@hashicorp.com>
---
 command/server.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/command/server.go b/command/server.go
index d1a356ffe9..61d5a30eba 100644
--- a/command/server.go
+++ b/command/server.go
@@ -2570,10 +2570,16 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 			Priority: 1,
 			Name:     "shamir",
 		})
-	case 1:
-		// If there's only one seal and it's disabled assume they want to
+	default:
+		allSealsDisabled := true
+		for _, c := range config.Seals {
+			if !c.Disabled {
+				allSealsDisabled = false
+			}
+		}
+		// If all seals are disabled assume they want to
 		// migrate to a shamir seal and simply didn't provide it
-		if config.Seals[0].Disabled {
+		if allSealsDisabled {
 			config.Seals = append(config.Seals, &configutil.KMS{
 				Type:     vault.SealConfigTypeShamir.String(),
 				Priority: 1,