Vault Single-Node Unseal

These instructions show how to initialize and unseal a single-node Vault cluster.

Vault CLI Comms

For the vault command to communicate with the running service, set the VAULT_ADDR environment variable:

    export VAULT_ADDR=https://your_domain:8200

NOTE: You may have to use http in the address above if you haven’t yet given Vault a valid SSL certificate.

Initialize the Vault

Before the Vault service can manage secrets, you must initialize its store. To do this, run the following:

    vault operator init -key-shares=3 -key-threshold=2

You can change the key shares and threshold based on your risk profile. The vault CLI will respond with something like this:

    Unseal Key 1: eZcJeydRrqeSMZ1zTN+VVll9TFT2KvJy7VlnxUgtvuz5
    Unseal Key 2: ntmqCKq8rgNnKT1YSLCjVmCCZBAA3NwUeqxIyRpYD4Wm
    Unseal Key 3: 3FK1+Hsorh4p8/L9mki3VskaEU2eQhLqGOI/pJkTHMbx
    Initial Root Token: s.hY0ieybfDqCadz7JpL88uO3x

Save these values in a secure location, as this is the only time you will receive them.

Now you can run the vault status command and see that the state has changed to Initialized=true. Run this to get the vault status:

    vault status

Next, you need to unseal the vault so it can be used. Notice that vault status showed an unseal progress of 0/2. This means that at least two more unseal keys must be submitted before the vault is available for access. Run the following command once for each key, pasting in one of the unseal keys when prompted, until enough keys have been entered:

    vault operator unseal

Once the unseal threshold has been met, the Sealed state will become ‘false’. Your vault is available for access.
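
As an added example (not part of the original instructions), this shell helper reads the table printed by vault status and reports how many unseal keys are still required before Sealed becomes false. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the table printed by `vault status` and report how many
# unseal keys are still needed. Function names are hypothetical.

# Constructed sample: an initialized, still-sealed vault (3 shares, threshold 2).
SAMPLE_SEALED='Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       3
Threshold          2
Unseal Progress    0/2'

# Print the value column for one row; row names may contain spaces.
status_field() {  # $1 = row name, stdin = status text
  awk -v k="$1" '{ v = $NF; $NF = ""; sub(/ +$/, ""); if ($0 == k) { print v; exit } }'
}

# Print the number of unseal keys still required (0 means unsealed).
# Returns 3 if the vault is not initialized, 4 if the progress row is unreadable.
keys_remaining() {  # stdin = status text
  text=$(cat)
  init=$(printf '%s\n' "$text" | status_field "Initialized")
  sealed=$(printf '%s\n' "$text" | status_field "Sealed")
  [ "$init" = "true" ] || { echo "vault is not initialized" >&2; return 3; }
  [ "$sealed" = "false" ] && { echo 0; return 0; }
  progress=$(printf '%s\n' "$text" | status_field "Unseal Progress")
  case "$progress" in
    [0-9]*/[0-9]*) echo $(( ${progress#*/} - ${progress%/*} )) ;;
    *) echo "unexpected unseal progress: $progress" >&2; return 4 ;;
  esac
}

# Against a live server: vault status | keys_remaining
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SEALED" | keys_remaining
```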