
Initializing and unsealing Vault

The pods will keep crashing because Vault is not initialised and is sealed. We need to initialise Vault and unseal it to make it work. To do that, run the following commands:

CODE
kubectl -n vault exec -it vault-0 -- sh

Once inside the container, run the following command to initialise Vault:

CODE
vault operator init

This makes Vault print 5 unseal keys and a root token. The idea is to distribute these 5 keys among 5 different employees, like physical keys. Whenever Vault is down because of a disaster, 3 of the 5 key holders have to come and unseal it. Otherwise Vault will not work.

CODE
$ vault operator init
Unseal Key 1: MUcSNth10QhmlD248kmplbPlMv1Gw3diG+wiLMM3/EOm
Unseal Key 2: 5i9ycHgozma+NhIX3U0PE7nsygtY3lcl3TK8oZkSdh6P
Unseal Key 3: zKjjuYpqF9TwGEKO/oxGkYKcAGMyX5gj1yGRhNQCk3mL
Unseal Key 4: W7VhbUQkZJxoT2XMjmyxJUSZtvDM0nuubS5mj/bvXshI
Unseal Key 5: FXCTyc1X6edPQihf5czSYL43Rq4wJL0uvK8Qc7alfyJA
Initial Root Token: hvs.0Wf74EVWgKhl873wUFRDqafQ
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

To unseal Vault, run the following command and provide 3 of the 5 unseal keys. You have to run the command below 3 times and enter a different key each time.

CODE
kubectl -n vault exec -it vault-0 -- vault operator unseal

Check the status of vault-0 by running:

CODE
kubectl -n vault exec -it vault-0 -- vault status
CODE
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
Threshold               3
Version                 1.13.3
Build Date              2023-06-06T18:12:37Z
Storage Type            raft
Cluster Name            vault-integrated-storage
Cluster ID              f157e7a5-3e4c-3874-c0c8-bc3b33eb6a03
HA Enabled              true
HA Cluster              n/a
HA Mode                 standby
Active Node Address     <none>
Raft Committed Index    31
Raft Applied Index      31

 

Repeat this unsealing process for the remaining 4 Vault instances, i.e. vault-1, vault-2, vault-3 and vault-4:

CODE
kubectl -n vault exec -it vault-1 -- vault operator unseal
CODE
kubectl -n vault exec -it vault-2 -- vault operator unseal
CODE
kubectl -n vault exec -it vault-3 -- vault operator unseal
CODE
kubectl -n vault exec -it vault-4 -- vault operator unseal

Once all of the instances are unsealed, run the following commands to check the status of every Vault instance:

CODE
kubectl -n vault exec -it vault-0 -- vault status
kubectl -n vault exec -it vault-1 -- vault status
kubectl -n vault exec -it vault-2 -- vault status
kubectl -n vault exec -it vault-3 -- vault status
kubectl -n vault exec -it vault-4 -- vault status

You should see the following information:

CODE
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
.............................
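
Rather than reading five status tables by eye, the check can be scripted. The following is an added example, not part of the original page: it parses the `vault status` table layout shown above and reports each pod's state, treating anything other than `Sealed false` as sealed. The function names are hypothetical, and it assumes a sealed pod prints an `Unseal Progress` row while keys are being entered.

```shell
#!/bin/sh
# Added example, not from the original page.

# Constructed sample: `vault status` on a pod after 1 of 3 keys was entered.
sample_sealed='Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3'

# Read `vault status` table output on stdin and print a one-line state.
seal_summary() {
  awk '
    $1 == "Initialized"                { init = $2 }
    $1 == "Sealed"                     { sealed = $2 }
    $1 == "Total" && $2 == "Shares"    { n = $3 }
    $1 == "Threshold"                  { t = $2 }
    $1 == "Unseal" && $2 == "Progress" { prog = $3 }
    END {
      if (init == "")     { print "unknown"; exit }
      if (init != "true") { print "uninitialized"; exit }
      if (prog == "")     prog = "0/" t
      # Fail closed: only an explicit "false" counts as unsealed.
      if (sealed != "false") { print "sealed progress=" prog; exit }
      print "unsealed threshold=" t " shares=" n
    }'
}

# Check vault-0 .. vault-4 in namespace "vault" (names as used on this page).
# Returns non-zero if any pod is not unsealed.
check_all_pods() {
  rc=0
  for i in 0 1 2 3 4; do
    # `vault status` exits 2 when sealed, so ignore the exit code here.
    out=$(kubectl -n vault exec "vault-$i" -- vault status 2>&1) || true
    state=$(printf '%s\n' "$out" | seal_summary)
    echo "vault-$i: $state"
    case $state in unsealed*) ;; *) rc=1 ;; esac
  done
  return "$rc"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$sample_sealed" | seal_summary
# With cluster access, run: check_all_pods
```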