Initializing and unsealing the vault
The pods will keep crashing because Vault is not initialised and is sealed. We need to initialise Vault and unseal it to make it work. For that purpose, run the following command:
kubectl -n vault exec -it vault-0 -- sh
Once inside the container, run the following command to initialise the vault:
vault operator init
This will make Vault print 5 unseal keys and a root token. The idea behind this is to distribute the 5 keys among 5 different employees, like physical keys. Whenever the vault is down because of any disaster, 3 of the 5 persons will have to come and unseal the vault; otherwise Vault will not work.
$ vault operator init
Unseal Key 1: MUcSNth10QhmlD248kmplbPlMv1Gw3diG+wiLMM3/EOm
Unseal Key 2: 5i9ycHgozma+NhIX3U0PE7nsygtY3lcl3TK8oZkSdh6P
Unseal Key 3: zKjjuYpqF9TwGEKO/oxGkYKcAGMyX5gj1yGRhNQCk3mL
Unseal Key 4: W7VhbUQkZJxoT2XMjmyxJUSZtvDM0nuubS5mj/bvXshI
Unseal Key 5: FXCTyc1X6edPQihf5czSYL43Rq4wJL0uvK8Qc7alfyJA
Initial Root Token: hvs.0Wf74EVWgKhl873wUFRDqafQ
Vault initialized with 5 key shares and a key threshold of 3. Please securely distribute and store the key shares printed above.
When the Vault is re-sealed, restarted, or stopped, you must supply at least 3 of these keys to unseal it before it can start servicing requests.
Vault does not store the generated root key. Without at least 3 keys to reconstruct the root key, Vault will remain permanently sealed! It is possible to generate new unseal keys, provided you have a quorum of existing unseal keys shares. See "vault operator rekey" for more information.
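The 5-keys-threshold-3 behaviour above, and the rekey command the output mentions, are Shamir's secret sharing (the seal type shown later as shamir). The following is an added example, not Vault's own code: Vault's implementation works byte-wise over GF(2^8) and base64-encodes the shares, while this demo works over a large prime field on an integer secret, which is enough to show why any 3 of 5 shares recover the key and fewer do not. The field prime and the integer representation of the secret are choices made for this demo.

```python
"""Shamir's secret sharing demo: 5 shares, threshold 3, plus a conceptual rekey."""
import secrets

PRIME = 2**127 - 1  # Mersenne prime; a constructed choice for this demo, not Vault's field


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n_shares=5, threshold=3):
    """Return n_shares points (x, f(x)) on a random polynomial of degree threshold-1 with f(0) = secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= threshold <= n_shares < PRIME:
        raise ValueError("need 1 <= threshold <= n_shares")
    # Random higher-order coefficients hide the constant term from any sub-threshold group.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def combine_shares(shares):
    """Lagrange-interpolate the polynomial through `shares` and return f(0).

    With at least `threshold` distinct shares this is the secret; with fewer,
    the result is a value that carries no information about the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x coordinates")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = (num * (-xj)) % PRIME        # product of (0 - xj)
            den = (den * (xi - xj)) % PRIME    # product of (xi - xj)
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def rekey(quorum_shares, n_shares=5, threshold=3):
    """Conceptually what `vault operator rekey` does: a quorum recovers the secret, fresh shares are dealt."""
    if len(quorum_shares) < threshold:
        raise ValueError("a quorum of the old shares is required to rekey")
    return split_secret(combine_shares(quorum_shares), n_shares, threshold)


if __name__ == "__main__":
    root_key = secrets.randbelow(PRIME)  # constructed stand-in for the root key
    shares = split_secret(root_key, 5, 3)
    print("3 of 5 recover the key:", combine_shares([shares[0], shares[2], shares[4]]) == root_key)
    print("2 of 5 recover the key:", combine_shares(shares[:2]) == root_key)
```

Note that the old shares are worthless after a rekey only because the polynomial (not the secret) changes; the recovered root key itself is the same, which is why Vault's output stresses that a quorum is needed to rekey at all.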
Exit from the vault pod by using
exit
To unseal the vault, create the below script file
vi unseal-vault.sh
Copy and paste the content below into it. Replace key1, key2 and key3 with any 3 of the 5 unseal keys you have.
#!/bin/bash
set -u
# --- CONFIG START ---
UNSEAL_KEYS=("key1" "key2" "key3")   # any 3 of the 5 unseal keys
NAMESPACE="vault"                    # namespace the vault pods run in
POD_PREFIX="vault"                   # StatefulSet pods are vault-0 .. vault-4
N_PODS=5
N_KEYS=3 # Number of keys required to unseal (threshold)
NODES=$(seq 0 $((N_PODS - 1)))
# --- CONFIG END ---

# --- SELF DESTRUCT ---
# Delete this file on exit, whether or not every unseal call succeeded,
# so the keys are never left lying around on disk.
trap 'echo "Deleting this script..."; rm -f -- "$0"' EXIT

echo "Unsealing Vault pods..."
for i in $NODES; do
  POD="${POD_PREFIX}-${i}"
  echo "Unsealing $POD..."
  for j in $(seq 0 $((N_KEYS - 1))); do
    kubectl exec -n "$NAMESPACE" -i "$POD" -- vault operator unseal "${UNSEAL_KEYS[$j]}"
  done
done

# Optional: Wait for all pods to be ready
kubectl wait -n "$NAMESPACE" --for=condition=Ready pod -l app.kubernetes.io/name=vault --timeout=120s

echo "Unseal complete."
Execute the script
chmod +x unseal-vault.sh
./unseal-vault.sh
To ensure the unseal keys are not left exposed, the script deletes itself automatically after execution.
Once all instances are unsealed, run the following commands to check the status of all the Vault instances.
kubectl -n vault exec -it vault-0 -- vault status
kubectl -n vault exec -it vault-1 -- vault status
kubectl -n vault exec -it vault-2 -- vault status
kubectl -n vault exec -it vault-3 -- vault status
kubectl -n vault exec -it vault-4 -- vault status
you should see the following information:
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
...
If for any reason not all of the vault pods are unsealed (Sealed should read false on every one), execute the same 2 steps under 'Execute the script' again to ensure all vault pods are unsealed. Because the script deletes itself after running, you will need to recreate it first.
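The script above submits all 3 keys to every pod unconditionally, and the re-run advice covers the case where some pods are still sealed afterwards. The following is an added example (not the page's script) of an idempotent variant: it reads each pod's seal state with `vault status -format=json` (a real Vault CLI flag; the JSON carries `sealed`, `t` for the threshold and `n` for the share count), submits keys only to pods that are still sealed, and re-checks afterwards. The `run` parameter and the `FakeCluster` stand-in for kubectl are assumptions made so the logic can be exercised offline; with no `run` argument it shells out to kubectl.

```python
"""Idempotent Vault unseal across the vault-0 .. vault-4 pods, with a fake kubectl for offline runs."""
import json
import subprocess

NAMESPACE = "vault"      # as on the page
POD_PREFIX = "vault"
N_PODS = 5


def run_kubectl(args):
    """Default runner: execute kubectl with `args`, return (returncode, stdout)."""
    proc = subprocess.run(["kubectl", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def pod_status(pod, run=run_kubectl):
    """Parse `vault status -format=json` for one pod. Exit code 2 means sealed, not an error."""
    code, out = run(["-n", NAMESPACE, "exec", pod, "--", "vault", "status", "-format=json"])
    if code not in (0, 2):
        raise RuntimeError(f"{pod}: vault status failed with exit code {code}")
    return json.loads(out)


def unseal_cluster(unseal_keys, run=run_kubectl):
    """Submit threshold keys only to sealed pods; return {pod: sealed_after}."""
    result = {}
    for i in range(N_PODS):
        pod = f"{POD_PREFIX}-{i}"
        status = pod_status(pod, run)
        if not status["sealed"]:
            result[pod] = False          # already unsealed, nothing to do
            continue
        threshold = status["t"]          # key threshold as reported by Vault
        if len(unseal_keys) < threshold:
            raise ValueError(f"{pod} needs {threshold} keys, only {len(unseal_keys)} given")
        for key in unseal_keys[:threshold]:
            code, _ = run(["-n", NAMESPACE, "exec", pod, "--", "vault", "operator", "unseal", key])
            if code != 0:
                raise RuntimeError(f"{pod}: unseal command failed")
        result[pod] = pod_status(pod, run)["sealed"]   # verify rather than assume
    return result


class FakeCluster:
    """Constructed stand-in for kubectl: simulates a 5-share, threshold-3 cluster in memory."""

    def __init__(self, sealed_pods, threshold=3, valid_keys=()):
        self.state = {p: {"sealed": True, "progress": 0} for p in sealed_pods}
        self.threshold = threshold
        self.valid_keys = set(valid_keys)
        self.unseal_calls = 0

    def __call__(self, args):
        pod = args[args.index("exec") + 1]
        vault_args = args[args.index("--") + 2:]     # skip the "vault" binary name
        st = self.state.setdefault(pod, {"sealed": False, "progress": 0})
        if vault_args[:2] == ["status", "-format=json"]:
            doc = {"type": "shamir", "initialized": True, "sealed": st["sealed"],
                   "t": self.threshold, "n": 5, "progress": st["progress"]}
            return (2 if st["sealed"] else 0), json.dumps(doc)
        if vault_args[:2] == ["operator", "unseal"]:
            self.unseal_calls += 1
            if vault_args[2] not in self.valid_keys:
                return 1, ""
            st["progress"] += 1
            if st["progress"] >= self.threshold:
                st["sealed"], st["progress"] = False, 0
            return 0, ""
        return 1, ""


if __name__ == "__main__":
    fake = FakeCluster(["vault-1", "vault-3"], valid_keys=["k1", "k2", "k3"])
    print(unseal_cluster(["k1", "k2", "k3"], run=fake))
```

Checking `sealed` before and after each pod is what makes a re-run safe: pods that are already unsealed are skipped, and a pod that is still sealed after its keys were submitted shows up as `True` in the result instead of being silently assumed fine.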