Difficulty: beginner
Estimated Time: 5 minutes

Vault logo

When a Vault server is started, it starts in a sealed state and it does not know how to decrypt data. Before any operation can be performed on the Vault, it must be unsealed. Unsealing is the process of constructing the master key necessary to decrypt the data encryption key.

Vault supports opt-in automatic unsealing via cloud technologies: AliCloud KMS, Amazon KMS, Azure Key Vault, Google Cloud KMS as well as Transit Secrets Engine. This feature enables operators to delegate the unsealing process to trusted cloud providers to ease operations in the event of partial failure and to aid in the creation of new or ephemeral clusters.

This scenario demonstrates how to auto-unseal Vault with Transit Secrets Engine.

In this lab, you are going to perform the following tasks:

  1. Configure Auto-unseal Key Provider
  2. Configure Auto-unseal
  3. Audit the incoming request

To learn more about the auto-unseal feature, refer to the following:

Vault Auto-Unseal

Step 1 of 3

Configure and Start Vault 1

To enable Transit Auto-Unseal, you would need two Vault servers.

Open the config-vault-1.hcl file to review the server configuration file for Vault 1:

disable_mlock = true

storage "file" {
  path = "~/vault-1/data"

listener "tcp" {
  address     = ""
  tls_disable = 1

For the purpose of demonstration, the file storage backend stores Vault's data on the filesystem using a standard directory structure (/vault-1/data) in this example.

The listener stanza specifies the TCP address/port that Vault listens to for incoming requests, and Vault 1 listens to port 8200.

Execute the following command to start the Vault 1 server:

vault server -config=config-vault-1.hcl

Notice the output indicating that the Storage is set to file system, and the Listener address is

==> Vault server configuration:

             Cgo: disabled
      Listener 1: tcp (addr: "", cluster address: "", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
       Log Level: info
           Mlock: supported: true, enabled: false
         Storage: file
         Version: Vault v1.1.1
     Version Sha: a3dcd63451cf6da1d04928b601bbe9748d53842e

Click the + next to the opened Terminal, and select Open New Terminal.

New Terminal

Execute the following command to initialize the Vault.

export VAULT_ADDR=""
vault operator init -key-shares=1 -key-threshold=1 > key.txt

Execute the vault operator unseal command to enter the first unseal key:

vault operator unseal \
    $(grep 'Key 1:' key.txt | awk '{print $NF}')

Log into Vault using the initial root token (key.txt):

vault login $(grep 'Initial Root Token:' key.txt | awk '{print $NF}')

Next, you are going to setup a transit secrets engine in Vault 1.