
HashiCorp Vault Cluster Unseal

These steps are for a Vault cluster that has been configured and started up, but is still in a sealed state.

Go to the first node and do the following:

NOTE: The ca.crt file is privileged, so you will need to run these commands as the root user.
Run the following to switch to the root user:

sudo -i
# From an admin shell that can reach the VLAN:
export VAULT_ADDR="https://vault0204.ogsofttech.lan:8200"
export VAULT_CACERT="/opt/vault/tls/ca.crt"   # path on your admin box

# Initialize the cluster (choose your own shares/threshold)
vault operator init -key-shares=5 -key-threshold=3

Once executed, the vault node will reply with 5 unseal keys and an initial root token.

Distribute each of these unseal keys to individual trusted staff (admins), to store in offline password storage.

NOTE: Three (3) unseal keys are required to unseal the vault.

Use the initial root token to set up policies and auth. Then, retire it.
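The whole procedure above (init on the first node, one share per custodian, three shares to unseal each node, then retiring the root token) as an added shell example that is not part of this runbook. It assumes the vault CLI is installed and that VAULT_ADDR and VAULT_CACERT are exported as in the steps above; the sample init output, the share directory and the function names (split_shares, unseal_node, retire_root_token) are this example's own, and any node address other than vault0204 is a placeholder, not a host from this page.

```sh
#!/bin/sh
# Added example, not part of the original runbook. It assumes the vault CLI is
# on PATH and that VAULT_ADDR / VAULT_CACERT are exported as in the steps above.
# The function names and the sample data below are this example's own.

# Constructed sample of what `vault operator init -key-shares=5 -key-threshold=3`
# prints. Real shares are long base64 strings and the token starts with hvs.;
# these placeholders only stand in for the layout.
SAMPLE_INIT_OUTPUT='Unseal Key 1: SHARE-1-placeholder
Unseal Key 2: SHARE-2-placeholder
Unseal Key 3: SHARE-3-placeholder
Unseal Key 4: SHARE-4-placeholder
Unseal Key 5: SHARE-5-placeholder

Initial Root Token: hvs.placeholder-root-token

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.'

# Print the unseal shares, one per line, in share order.
unseal_keys() {
    printf '%s\n' "$1" | sed -n 's/^Unseal Key [0-9][0-9]*: //p'
}

# Print the initial root token.
root_token() {
    printf '%s\n' "$1" | sed -n 's/^Initial Root Token: //p'
}

# Print the unseal threshold the cluster was initialised with.
key_threshold() {
    printf '%s\n' "$1" | sed -n 's/.*key threshold of \([0-9][0-9]*\).*/\1/p'
}

# Write each share to its own 0600 file under the directory in $2, one file per
# custodian, so that no single hand-off carries more than one share.
# Prints the number of files written.
split_shares() {
    out=$2
    (
        umask 077
        mkdir -p "$out"
        i=0
        unseal_keys "$1" | while IFS= read -r share; do
            i=$((i + 1))
            printf '%s\n' "$share" > "$out/share-$i.txt"
        done
    )
    ls "$out" | wc -l | tr -d ' '
}

# Feed the given shares to one node and report whether it is unsealed.
# `vault status` exits 0 when unsealed, 2 when still sealed, 1 on error.
# Usage: unseal_node https://node:8200 share1 share2 share3
unseal_node() {
    node=$1
    shift
    for share in "$@"; do
        VAULT_ADDR=$node vault operator unseal "$share" >/dev/null || return 1
    done
    VAULT_ADDR=$node vault status >/dev/null
}

# Revoke the initial root token once policies and auth methods are in place.
retire_root_token() {
    VAULT_TOKEN=$1 vault token revoke -self
}

# End-to-end flow; runs only when node addresses are passed as arguments:
#   sh unseal.sh https://vault0204.ogsofttech.lan:8200 https://<node2>:8200 ...
main() {
    init_out=$(vault operator init -key-shares=5 -key-threshold=3) || return 1
    split_shares "$init_out" "${SHARE_DIR:-$HOME/vault-shares}" >/dev/null
    thr=$(key_threshold "$init_out")
    # Only threshold-many shares are needed; the first $thr from this session
    # are used here, then the per-custodian files are handed out.
    shares=$(unseal_keys "$init_out" | head -n "$thr")
    for node in "$@"; do
        # shellcheck disable=SC2086
        unseal_node "$node" $shares && echo "$node: unsealed" || echo "$node: still sealed"
    done
    # The root token is for bootstrap only: set up policies/auth, then revoke it.
    echo "initial root token: $(root_token "$init_out") (retire_root_token when done)"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Each node in the cluster has to be given a threshold's worth of shares; feeding fewer than three leaves `vault status` exiting 2 (sealed), which is what `unseal_node` reports. If the shares should never be visible in one terminal at all, `vault operator init` also accepts `-pgp-keys` to encrypt each share to a custodian's public key, which is a better fit for hand-off than the plaintext files written by `split_shares`.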