When performing server updates, you may find that Vault is sealed. A sealed Vault cannot serve requests until it’s unsealed with the required keys.
Follow the steps below to unseal the Vault safely and verify its status.
Step 1: Log into the Vault Server
ssh user@your-vault-server
Step 2: Check Seal Status
Run the following command to check whether Vault is sealed:
vault status
If the output shows:
Sealed: true
Then you must proceed to unseal Vault.
Step 3: Unseal Vault with 3 Different Keys
You must run the unseal command three times, each with a different unseal key.
Run the following command and enter one key at a time:
vault operator unseal
When prompted, paste the first key (it will be hidden):
Unseal Key (will be hidden): PqiNxHoIs0baY5vEhffHjROvmKBz1TTm+teLRInrWlf1
Run the command again for the second key:
vault operator unseal
Unseal Key (will be hidden): 4w/fMlYY2iCsbS+ezQssFaWFquf1rreUD2UZrLIWxo51
Run the command a third time for the final key:
vault operator unseal
Unseal Key (will be hidden): xERkTKkmnpPxJqxC+8DALnDdRgnmu8HEqPZ5yuUcAUPe
After entering the third key, Vault should become unsealed.
Step 4: Verify Vault Status
Once all keys are entered, verify the status again:
vault status
Expected output:
Sealed: false
If you see Sealed: false, your Vault is now unsealed and operational.
