From 15fca8246dfd632d703117f40f1ed6a35dda674b Mon Sep 17 00:00:00 2001
From: Vault Automation <github-team-secure-vault-core@hashicorp.com>
Date: Wed, 11 Feb 2026 15:58:00 -0500
Subject: [PATCH] Copy fix(transit): prevent panic on restore with missing
 policy into main (#12206) (#12305)

* Copy https://github.com/hashicorp/vault/pull/31733 into main




* fix(transit): prevent panic on restore with missing policy

* test: add unit test for RestorePolicy nil policy validation

* changelog: add entry for transit restore panic fix

* Update changelog/31733.txt



---------

Co-authored-by: Abhishek Dadwal <dadwalabhishek10@gmail.com>
Co-authored-by: Abhishek Dadwal <73817744+Abhishek00810@users.noreply.github.com>
Co-authored-by: Steven Clark <steven@sclark.me>
---
 changelog/31733.txt                      |  3 +++
 sdk/helper/keysutil/lock_manager.go      |  5 +++++
 sdk/helper/keysutil/lock_manager_test.go | 16 ++++++++++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 changelog/31733.txt

diff --git a/changelog/31733.txt b/changelog/31733.txt
new file mode 100644
index 0000000000..bdfd3aa0ad
--- /dev/null
+++ b/changelog/31733.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Fix nil pointer panic when restoring malformed backup data.
+```
diff --git a/sdk/helper/keysutil/lock_manager.go b/sdk/helper/keysutil/lock_manager.go
index 254fedeb64..f1efcbc76e 100644
--- a/sdk/helper/keysutil/lock_manager.go
+++ b/sdk/helper/keysutil/lock_manager.go
@@ -162,6 +162,11 @@ func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storag
 		return err
 	}
 
+	// Validate that the policy exists in the backup data
+	if keyData.Policy == nil {
+		return errors.New("backup data does not contain a valid policy")
+	}
+
 	// Set a different name if desired
 	if name != "" {
 		keyData.Policy.Name = name
diff --git a/sdk/helper/keysutil/lock_manager_test.go b/sdk/helper/keysutil/lock_manager_test.go
index 0857e6dc5f..b41a284bcf 100644
--- a/sdk/helper/keysutil/lock_manager_test.go
+++ b/sdk/helper/keysutil/lock_manager_test.go
@@ -6,6 +6,7 @@ package keysutil
 import (
 	"context"
 	"crypto/rand"
+	"encoding/base64"
 	"testing"
 
 	"github.com/hashicorp/vault/sdk/logical"
@@ -98,3 +99,18 @@ func TestImportPolicy(t *testing.T) {
 		})
 	}
 }
+
+func TestRestorePolicy_NilPolicy(t *testing.T) {
+	lm, err := NewLockManager(false, 0)
+	require.NoError(t, err)
+
+	ctx := context.Background()
+	storage := &logical.InmemStorage{}
+
+	// Create backup data without "policy" field (causes nil Policy)
+	invalidBackup := base64.StdEncoding.EncodeToString([]byte(`{"archived_keys": null}`))
+
+	err = lm.RestorePolicy(ctx, storage, "test-key", invalidBackup, false)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "backup data does not contain a valid policy")
+}