diff --git a/ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh b/ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh
index f58471757abc0..f4d777b8b46ec 100644
--- a/ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh
+++ b/ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh
@@ -3,52 +3,62 @@ set -o nounset
 set -o errexit
 set -o pipefail
 
-echo "========================================="
-echo "Vault Configuration for KMS"
-echo "========================================="
-echo "Namespace: ${VAULT_NAMESPACE}"
-echo "Vault Enterprise NS: ${VAULT_ENTERPRISE_NS}"
-echo ""
-
 export KUBECONFIG="${SHARED_DIR}/kubeconfig"
 
 # In dev mode, Vault is already initialized and unsealed with root token "root"
 ROOT_TOKEN="root"
 
-echo "Configuring Vault for KMS..."
-echo ""
-
-# Create the Vault Enterprise namespace used by the KMS plugin
-echo "Creating Vault Enterprise namespace '${VAULT_ENTERPRISE_NS}'..."
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault namespace create "${VAULT_ENTERPRISE_NS}"
-
-# Enable transit secret engine
-echo "Enabling transit secret engine..."
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault secrets enable -namespace="${VAULT_ENTERPRISE_NS}" -path=transit transit
-
-# Create encryption key
-echo "Creating transit encryption key..."
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" -f transit/keys/${VAULT_KMS_KEY_NAME}
-
-# Enable AppRole auth
-echo "Enabling AppRole authentication..."
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault auth enable -namespace="${VAULT_ENTERPRISE_NS}" approle
-
-# Create KMS policy
-echo "Creating KMS policy..."
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  sh -c "VAULT_TOKEN=${ROOT_TOKEN} vault policy write -namespace=${VAULT_ENTERPRISE_NS} kms-policy - <<POLICY
-path \"transit/encrypt/${VAULT_KMS_KEY_NAME}\" {
+# Configure a Vault instance for KMS encryption.
+# Args: $1 = namespace, $2 = KMS key name, $3 = pod name
+configure_vault() {
+  local namespace="$1"
+  local key_name="$2"
+  local pod_name="$3"
+  local service_name="${pod_name%-0}"
+
+  echo ""
+  echo "========================================="
+  echo "Vault Configuration for KMS"
+  echo "========================================="
+  echo "Namespace: ${namespace}"
+  echo "Vault Enterprise NS: ${VAULT_ENTERPRISE_NS}"
+  echo "KMS Key Name: ${key_name}"
+  echo ""
+
+  echo "Configuring Vault for KMS..."
+  echo ""
+
+  # Create the Vault Enterprise namespace used by the KMS plugin
+  echo "Creating Vault Enterprise namespace '${VAULT_ENTERPRISE_NS}'..."
+  oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault namespace create "${VAULT_ENTERPRISE_NS}"
+
+  # Enable transit secret engine
+  echo "Enabling transit secret engine..."
+  oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault secrets enable -namespace="${VAULT_ENTERPRISE_NS}" -path=transit transit
+
+  # Create encryption key
+  echo "Creating transit encryption key..."
+  oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" -f "transit/keys/${key_name}"
+
+  # Enable AppRole auth
+  echo "Enabling AppRole authentication..."
+  oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault auth enable -namespace="${VAULT_ENTERPRISE_NS}" approle
+
+  # Create KMS policy
+  echo "Creating KMS policy..."
+  oc exec "${pod_name}" -n "${namespace}" -- \
+    sh -c "VAULT_TOKEN=${ROOT_TOKEN} vault policy write -namespace=${VAULT_ENTERPRISE_NS} kms-policy - <<POLICY
+path \"transit/encrypt/${key_name}\" {
   capabilities = [\"update\"]
 }
-path \"transit/decrypt/${VAULT_KMS_KEY_NAME}\" {
+path \"transit/decrypt/${key_name}\" {
   capabilities = [\"update\"]
 }
-path \"transit/keys/${VAULT_KMS_KEY_NAME}\" {
+path \"transit/keys/${key_name}\" {
   capabilities = [\"read\"]
 }
 path \"sys/license/status\" {
@@ -56,40 +66,44 @@ path \"sys/license/status\" {
 }
 POLICY"
 
-# Create AppRole role
-echo "Creating AppRole role..."
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" auth/approle/role/kms-plugin \
-    token_policies=kms-policy \
-    token_ttl=1h \
-    token_max_ttl=4h
-
-# Get AppRole credentials
-echo "Retrieving AppRole credentials..."
-ROLE_ID=$(oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault read -namespace="${VAULT_ENTERPRISE_NS}" -field=role_id auth/approle/role/kms-plugin/role-id)
-SECRET_ID=$(oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" -field=secret_id -f auth/approle/role/kms-plugin/secret-id)
-
-# Create vault-credentials secret
-echo "Creating vault-credentials secret..."
-oc create secret generic vault-credentials \
-  --from-literal=role-id="${ROLE_ID}" \
-  --from-literal=secret-id="${SECRET_ID}" \
-  --from-literal=root-token="${ROOT_TOKEN}" \
-  -n "${VAULT_NAMESPACE}"
-
-echo "Vault credentials saved to vault-credentials secret"
-
-echo ""
-echo "========================================="
-echo "Vault Configuration Complete"
-echo "========================================="
-echo ""
-echo "Summary:"
-echo "  - Vault Service: vault.${VAULT_NAMESPACE}.svc:8200"
-echo "  - Credentials Secret: vault-credentials (namespace: ${VAULT_NAMESPACE})"
-echo "  - Vault Enterprise Namespace: ${VAULT_ENTERPRISE_NS}"
-echo "  - Transit Key: ${VAULT_KMS_KEY_NAME}"
-echo "  - ROLE_ID: ${ROLE_ID}"
-echo ""
+  # Create AppRole role
+  echo "Creating AppRole role..."
+  oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" auth/approle/role/kms-plugin \
+      token_policies=kms-policy \
+      token_ttl=1h \
+      token_max_ttl=4h
+
+  # Get AppRole credentials
+  echo "Retrieving AppRole credentials..."
+  ROLE_ID=$(oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault read -namespace="${VAULT_ENTERPRISE_NS}" -field=role_id auth/approle/role/kms-plugin/role-id)
+  SECRET_ID=$(oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" -field=secret_id -f auth/approle/role/kms-plugin/secret-id)
+
+  # Create vault-credentials secret
+  echo "Creating vault-credentials secret..."
+  oc create secret generic vault-credentials \
+    --from-literal=role-id="${ROLE_ID}" \
+    --from-literal=secret-id="${SECRET_ID}" \
+    --from-literal=root-token="${ROOT_TOKEN}" \
+    -n "${namespace}"
+
+  echo "Vault credentials saved to vault-credentials secret"
+
+  echo ""
+  echo "========================================="
+  echo "Vault Configuration Complete"
+  echo "========================================="
+  echo ""
+  echo "Summary:"
+  echo "  - Vault Service: ${service_name}.${namespace}.svc:8200"
+  echo "  - Credentials Secret: vault-credentials (namespace: ${namespace})"
+  echo "  - Vault Enterprise Namespace: ${VAULT_ENTERPRISE_NS}"
+  echo "  - Transit Key: ${key_name}"
+  echo "  - ROLE_ID: ${ROLE_ID}"
+  echo ""
+}
+
+configure_vault "${VAULT_NAMESPACE}" "${VAULT_KMS_KEY_NAME}" "vault-0"
+configure_vault "${VAULT_SECONDARY_NAMESPACE}" "${VAULT_SECONDARY_KMS_KEY_NAME}" "vault-secondary-0"
diff --git a/ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml b/ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml
index 077e5c4226fcc..8a99fd607ccce 100644
--- a/ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml
+++ b/ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml
@@ -22,28 +22,46 @@ ref:
       Vault Enterprise namespace where the transit engine, AppRole auth, and
       policies will be created. Must match the VaultNamespace configured in the
       KMS plugin (defaults to "admin" in library-go test helpers).
+  - name: VAULT_SECONDARY_NAMESPACE
+    default: "vault-kms-secondary"
+    documentation: |-
+      Namespace where the second Vault Enterprise instance is installed.
+  - name: VAULT_SECONDARY_KMS_KEY_NAME
+    default: "kms-key-secondary"
+    documentation: |-
+      Name of the transit encryption key for the second Vault instance.
+      Must differ from VAULT_KMS_KEY_NAME to ensure each instance uses a distinct KEK.
   documentation: |-
-    Configures an already-installed Vault instance for Kubernetes KMS encryption.
+    Configures already-installed Vault instances for Kubernetes KMS encryption.
 
     This step should run after etcd-encryption-vault-install.
 
-    Configuration steps:
+    Configuration steps (applied to both primary and secondary instances):
     - Creates Vault Enterprise namespace (${VAULT_ENTERPRISE_NS})
     - Enables transit secret engine in ${VAULT_ENTERPRISE_NS}
-    - Creates transit encryption key (name: ${VAULT_KMS_KEY_NAME}) in ${VAULT_ENTERPRISE_NS}
+    - Creates transit encryption key in ${VAULT_ENTERPRISE_NS}
     - Enables AppRole authentication in ${VAULT_ENTERPRISE_NS}
     - Creates KMS policy with encrypt/decrypt permissions in ${VAULT_ENTERPRISE_NS}
     - Creates AppRole role (kms-plugin) in ${VAULT_ENTERPRISE_NS}
     - Retrieves AppRole credentials from ${VAULT_ENTERPRISE_NS}
     - Stores credentials in vault-credentials secret
 
+    Each instance uses a distinct transit key (${VAULT_KMS_KEY_NAME} vs
+    ${VAULT_SECONDARY_KMS_KEY_NAME}) to ensure independent KEKs.
+
     Prerequisites:
     - Vault must be installed and pods Ready (run etcd-encryption-vault-install first)
-    - OpenShift cluster with vault-0 pod running in ${VAULT_NAMESPACE}
+    - OpenShift cluster with vault-0 running in ${VAULT_NAMESPACE}
+      and vault-secondary-0 running in ${VAULT_SECONDARY_NAMESPACE}
 
-    Outputs:
+    Outputs (primary):
     - Credentials stored in: vault-credentials secret (namespace: ${VAULT_NAMESPACE})
       * role-id: AppRole role ID
       * secret-id: AppRole secret ID
       * root-token: Vault root token
-      * unseal-key: Vault unseal key
+
+    Outputs (secondary):
+    - Credentials stored in: vault-credentials secret (namespace: ${VAULT_SECONDARY_NAMESPACE})
+      * role-id: AppRole role ID
+      * secret-id: AppRole secret ID
+      * root-token: Vault root token
diff --git a/ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh b/ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh
index e0bcfbe1ddf1c..ce2330f21861c 100644
--- a/ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh
+++ b/ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh
@@ -1,13 +1,6 @@
 #!/bin/bash
 set -euo pipefail
 
-echo "========================================="
-echo "Vault Enterprise Installation via Helm"
-echo "========================================="
-echo "Version: ${VAULT_VERSION}"
-echo "Namespace: ${VAULT_NAMESPACE}"
-echo ""
-
 export KUBECONFIG="${SHARED_DIR}/kubeconfig"
 
 mirror_vault_image() {
@@ -54,6 +47,113 @@ setup_packet_cluster() {
   fi
 }
 
+# Prepare the namespace, SCC, and license secret for a Vault instance.
+# Must run before setup_packet_cluster() to avoid proxy interference.
+# Args: $1 = namespace, $2 = Helm release name
+setup_vault_namespace() {
+  local namespace="$1"
+  local release_name="$2"
+
+  # Create namespace
+  echo "Creating namespace ${namespace}..."
+  oc create namespace "${namespace}"
+
+  # Add restricted SCC for Vault service account
+  echo "Adding restricted SCC for Vault service account..."
+  oc adm policy add-scc-to-user restricted -z "${release_name}" -n "${namespace}"
+
+  # Create Vault license secret from mounted credential
+  echo "Creating Vault license secret from mounted credential..."
+  oc create secret generic "${VAULT_LICENSE_SECRET_NAME}" \
+    --from-file=license=/var/run/vault/tests-private-account/kms-vault-license \
+    -n "${namespace}"
+}
+
+# Install a Vault Enterprise instance in the given namespace.
+# Args: $1 = namespace, $2 = CA ConfigMap name, $3 = Helm release name
+install_vault() {
+  local namespace="$1"
+  local ca_configmap="$2"
+  local release_name="$3"
+  local pod_name="${release_name}-0"
+
+  echo ""
+  echo "========================================="
+  echo "Vault Enterprise Installation via Helm"
+  echo "========================================="
+  echo "Version: ${VAULT_VERSION}"
+  echo "Namespace: ${namespace}"
+  echo ""
+
+  local vault_api_addr="https://${release_name}.${namespace}.svc:8200"
+
+  # Install Vault via Helm with dev mode and TLS enabled
+  echo "Installing Vault Enterprise v${VAULT_VERSION} in dev mode with TLS..."
+  helm upgrade --install "${release_name}" "${VAULT_CHART_ARCHIVE}" \
+    --namespace "${namespace}" \
+    --version "${VAULT_CHART_VERSION}" \
+    --set global.enabled=true \
+    --set global.openshift=true \
+    --set global.tlsDisable=false \
+    --set server.dev.enabled=true \
+    --set server.image.repository="${VAULT_IMAGE_REPOSITORY}" \
+    --set server.image.tag="${VAULT_VERSION}" \
+    --set injector.enabled=false \
+    --set 'server.extraEnvironmentVars.VAULT_DISABLE_USER_LOCKOUT=true' \
+    --set 'server.extraEnvironmentVars.VAULT_CACERT=/var/run/tls/vault-ca.pem' \
+    --set "server.extraEnvironmentVars.VAULT_API_ADDR=${vault_api_addr}" \
+    --set "server.enterpriseLicense.secretName=${VAULT_LICENSE_SECRET_NAME}" \
+    --set "server.enterpriseLicense.secretKey=license" \
+    --set "server.extraArgs=-dev-tls -dev-tls-cert-dir=/var/run/tls -dev-tls-san=${release_name} -dev-tls-san=${release_name}.${namespace}.svc" \
+    --set 'server.volumes[0].name=tls' \
+    --set-json 'server.volumes[0].emptyDir={}' \
+    --set 'server.volumeMounts[0].name=tls' \
+    --set 'server.volumeMounts[0].mountPath=/var/run/tls' \
+    --wait \
+    --timeout 10m
+
+  # Helm wait passes even when vault pod is 0/1 Running, so wait for ready condition
+  echo "Waiting for Vault pod to be ready..."
+  oc wait --for=condition=ready "pod/${pod_name}" -n "${namespace}" --timeout=5m
+
+  # Extract CA certificate from Vault pod
+  echo ""
+  echo "Extracting CA certificate from Vault pod..."
+  CA_CERT_TMP="/tmp/vault-ca-${namespace}.pem"
+  oc exec "${pod_name}" -n "${namespace}" -- cat /var/run/tls/vault-ca.pem > "${CA_CERT_TMP}"
+  echo "  ✓ CA certificate extracted"
+
+  # Create or update ConfigMap with CA certificate in openshift-config
+  echo ""
+  echo "Creating ConfigMap ${ca_configmap} in openshift-config..."
+  oc create configmap "${ca_configmap}" \
+    --from-file=ca-bundle.crt="${CA_CERT_TMP}" \
+    -n openshift-config \
+    --dry-run=client -o yaml | oc apply -f -
+  echo "  ✓ ConfigMap ${ca_configmap} created/updated"
+
+  # Clean up temporary CA file
+  rm -f "${CA_CERT_TMP}"
+
+  echo ""
+  echo "========================================="
+  echo "Vault Enterprise Installation Complete"
+  echo "========================================="
+  echo ""
+  echo "Summary:"
+  echo "  - Namespace: ${namespace}"
+  echo "  - Version: ${VAULT_VERSION}"
+  echo "  - Service: https://${release_name}.${namespace}.svc:8200"
+  echo "  - Pod: ${pod_name} (Ready)"
+  echo "  - TLS: Enabled (dev mode with auto-generated certificates)"
+  echo "  - TLS CA: /var/run/tls/vault-ca.pem (inside pod)"
+  echo "  - Enterprise License: Configured"
+  echo "  - CA ConfigMap: ${ca_configmap} (openshift-config namespace)"
+  echo ""
+  echo "Next step: Run etcd-encryption-vault-configure to configure Vault for KMS"
+  echo ""
+}
+
 # Vault license secret name
 VAULT_LICENSE_SECRET_NAME="vault-license"
 
@@ -75,19 +175,8 @@ fi
 
 echo ""
 
-# Create namespace
-echo "Creating namespace ${VAULT_NAMESPACE}..."
-oc create namespace "${VAULT_NAMESPACE}"
-
-# Add restricted SCC for Vault service account
-echo "Adding restricted SCC for Vault service account..."
-oc adm policy add-scc-to-user restricted -z vault -n "${VAULT_NAMESPACE}"
-
-# Create Vault license secret from mounted credential
-echo "Creating Vault license secret from mounted credential..."
-oc create secret generic "${VAULT_LICENSE_SECRET_NAME}" \
-  --from-file=license=/var/run/vault/tests-private-account/kms-vault-license \
-  -n "${VAULT_NAMESPACE}"
+setup_vault_namespace "${VAULT_NAMESPACE}" "vault"
+setup_vault_namespace "${VAULT_SECONDARY_NAMESPACE}" "vault-secondary"
 
 # Fetch the Helm chart before baremetalds proxy env is applied; hashicorp chart
 # downloads fail with Forbidden once proxy-conf.sh is sourced on metal jobs.
@@ -102,70 +191,5 @@ echo ""
 
 setup_packet_cluster
 
-VAULT_API_ADDR="https://vault.${VAULT_NAMESPACE}.svc:8200"
-
-# Install Vault via Helm with dev mode and TLS enabled
-echo "Installing Vault Enterprise v${VAULT_VERSION} in dev mode with TLS..."
-helm upgrade --install vault "${VAULT_CHART_ARCHIVE}" \
-  --namespace "${VAULT_NAMESPACE}" \
-  --version "${VAULT_CHART_VERSION}" \
-  --set global.enabled=true \
-  --set global.openshift=true \
-  --set global.tlsDisable=false \
-  --set server.dev.enabled=true \
-  --set server.image.repository="${VAULT_IMAGE_REPOSITORY}" \
-  --set server.image.tag="${VAULT_VERSION}" \
-  --set injector.enabled=false \
-  --set 'server.extraEnvironmentVars.VAULT_DISABLE_USER_LOCKOUT=true' \
-  --set 'server.extraEnvironmentVars.VAULT_CACERT=/var/run/tls/vault-ca.pem' \
-  --set "server.extraEnvironmentVars.VAULT_API_ADDR=${VAULT_API_ADDR}" \
-  --set "server.enterpriseLicense.secretName=${VAULT_LICENSE_SECRET_NAME}" \
-  --set "server.enterpriseLicense.secretKey=license" \
-  --set "server.extraArgs=-dev-tls -dev-tls-cert-dir=/var/run/tls -dev-tls-san=vault -dev-tls-san=vault.${VAULT_NAMESPACE}.svc" \
-  --set 'server.volumes[0].name=tls' \
-  --set-json 'server.volumes[0].emptyDir={}' \
-  --set 'server.volumeMounts[0].name=tls' \
-  --set 'server.volumeMounts[0].mountPath=/var/run/tls' \
-  --wait \
-  --timeout 10m
-
-# Helm wait passes even when vault pod is 0/1 Running, so wait for ready condition
-echo "Waiting for Vault pod to be ready..."
-oc wait --for=condition=ready pod/vault-0 -n "${VAULT_NAMESPACE}" --timeout=5m
-
-# Extract CA certificate from Vault pod
-echo ""
-echo "Extracting CA certificate from Vault pod..."
-CA_CERT_TMP="/tmp/vault-ca-${VAULT_NAMESPACE}.pem"
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- cat /var/run/tls/vault-ca.pem > "${CA_CERT_TMP}"
-echo "  ✓ CA certificate extracted"
-
-# Create or update ConfigMap with CA certificate in openshift-config
-echo ""
-echo "Creating ConfigMap vault-ca-bundle in openshift-config..."
-oc create configmap vault-ca-bundle \
-  --from-file=ca-bundle.crt="${CA_CERT_TMP}" \
-  -n openshift-config \
-  --dry-run=client -o yaml | oc apply -f -
-echo "  ✓ ConfigMap vault-ca-bundle created/updated"
-
-# Clean up temporary CA file
-rm -f "${CA_CERT_TMP}"
-
-echo ""
-echo "========================================="
-echo "Vault Enterprise Installation Complete"
-echo "========================================="
-echo ""
-echo "Summary:"
-echo "  - Namespace: ${VAULT_NAMESPACE}"
-echo "  - Version: ${VAULT_VERSION}"
-echo "  - Service: https://vault.${VAULT_NAMESPACE}.svc:8200"
-echo "  - Pod: vault-0 (Ready)"
-echo "  - TLS: Enabled (dev mode with auto-generated certificates)"
-echo "  - TLS CA: /var/run/tls/vault-ca.pem (inside pod)"
-echo "  - Enterprise License: Configured"
-echo "  - CA ConfigMap: vault-ca-bundle (openshift-config namespace)"
-echo ""
-echo "Next step: Run etcd-encryption-vault-configure to configure Vault for KMS"
-echo ""
+install_vault "${VAULT_NAMESPACE}" "vault-ca-bundle" "vault"
+install_vault "${VAULT_SECONDARY_NAMESPACE}" "vault-ca-bundle-secondary" "vault-secondary"
diff --git a/ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml b/ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
index 96bd00c9764e2..7ddd0e9fe817f 100644
--- a/ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
+++ b/ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
@@ -33,6 +33,10 @@ ref:
       (docker.io is blocked in CI due to rate limiting and CI is not accessible in disconnected environments.)
       On baremetalds jobs the image is mirrored to the dev-scripts local registry
       before Helm install.
+  - name: VAULT_SECONDARY_NAMESPACE
+    default: "vault-kms-secondary"
+    documentation: |-
+      Namespace where the second Vault Enterprise instance will be installed.
   documentation: |-
     Installs HashiCorp Vault Enterprise via Helm.
 
@@ -44,6 +48,7 @@ ref:
     - Mirrors Vault image to dev-scripts local registry on baremetalds jobs
     - Installs Vault Enterprise using Helm chart
     - Waits for Vault pod to be ready
+    - Installs a second instance in VAULT_SECONDARY_NAMESPACE
 
     Prerequisites:
     - OpenShift cluster with adequate resources
@@ -53,6 +58,10 @@ ref:
     Outputs:
     - Vault service available at: vault.${VAULT_NAMESPACE}.svc:8200
     - Vault pod: vault-0 (Ready state)
+    - CA ConfigMap: vault-ca-bundle (openshift-config namespace)
+    - Second Vault service at: vault-secondary.${VAULT_SECONDARY_NAMESPACE}.svc:8200
+    - Second Vault pod: vault-secondary-0 (Ready state)
+    - CA ConfigMap: vault-ca-bundle-secondary (openshift-config namespace)
 
     Next step:
     - Run etcd-encryption-vault-configure to initialize and configure Vault for KMS
diff --git a/ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml b/ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml
index 30fa49fe4156a..b0e680827df89 100644
--- a/ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml
+++ b/ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml
@@ -10,38 +10,45 @@ chain:
     reusable component that can be used across different platform workflows.
 
     What this chain does:
-    1. Installs HashiCorp Vault Enterprise via Helm (vault-install step)
+    1. Installs two HashiCorp Vault Enterprise instances via Helm (vault-install step)
        - Mirrors Vault image to dev-scripts local registry on baremetalds jobs
-       - Deploys Vault in dev mode to vault-kms namespace
+       - Deploys Vault in dev mode to vault-kms and vault-kms-secondary namespaces
        - Creates vault-license secret from mounted credentials
-       - Waits for Vault pod to be ready
+       - Waits for Vault pods to be ready
+       - Creates CA ConfigMaps (vault-ca-bundle and vault-ca-bundle-secondary) in openshift-config
 
-    2. Configures Vault for KMS encryption (vault-configure step)
+    2. Configures both Vault instances for KMS encryption (vault-configure step)
        - Creates Vault Enterprise namespace (default: admin)
        - Enables transit secret engine in the Enterprise namespace
        - Creates KMS encryption key in the Enterprise namespace
        - Configures AppRole authentication in the Enterprise namespace
-       - Stores credentials in vault-credentials secret
+       - Stores credentials in vault-credentials secret in each namespace
 
     Prerequisites:
     - OpenShift cluster with adequate resources
     - Vault Enterprise license secret named 'tests-private-account' in test-credentials namespace
       containing the license file at key 'kms-vault-license'
 
-    Outputs:
+    Outputs (primary instance):
     - Vault service: vault.vault-kms.svc:8200
-    - Vault pod: vault-0 (Ready state)
+    - Vault pod: vault-0 (Ready state) in vault-kms namespace
+    - CA ConfigMap: vault-ca-bundle in openshift-config namespace
     - Credentials secret: vault-credentials in vault-kms namespace
-      * role-id: AppRole role ID for KMS plugin
-      * secret-id: AppRole secret ID for KMS plugin
-      * root-token: Vault root token (dev mode)
+
+    Outputs (secondary instance):
+    - Vault service: vault-secondary.vault-kms-secondary.svc:8200
+    - Vault pod: vault-secondary-0 (Ready state) in vault-kms-secondary namespace
+    - CA ConfigMap: vault-ca-bundle-secondary in openshift-config namespace
+    - Credentials secret: vault-credentials in vault-kms-secondary namespace
 
     Environment variables (inherited from vault-install step):
     - VAULT_VERSION: Vault Enterprise version (default: 2.0.0-ent)
     - VAULT_CHART_VERSION: Helm chart version (default: 0.28.1)
-    - VAULT_NAMESPACE: Vault namespace (default: vault-kms)
+    - VAULT_NAMESPACE: Primary Vault namespace (default: vault-kms)
+    - VAULT_SECONDARY_NAMESPACE: Secondary Vault namespace (default: vault-kms-secondary)
     - VAULT_IMAGE_REPOSITORY: Container image repo (default: quay.io/openshifttest/vault-enterprise)
 
     Environment variables (inherited from vault-configure step):
     - VAULT_KMS_KEY_NAME: Transit encryption key name (default: kms-key)
+    - VAULT_SECONDARY_KMS_KEY_NAME: Secondary transit encryption key name (default: kms-key-secondary)
     - VAULT_ENTERPRISE_NS: Vault Enterprise namespace (default: admin)