Skip to content
Latchkey

vault operator unseal: Unseal a Sealed Vault

vault operator unseal submits one unseal key share at a time until the threshold is met and Vault unseals.

A freshly started or restarted Vault begins sealed and serves no secrets. Unsealing reconstructs the master key from enough key shares. Auto-unseal removes this manual step.

What it does

vault operator unseal accepts one Shamir key share per invocation. Vault tracks progress (e.g. 1/3, 2/3) until the threshold is reached, then unseals. With an auto-unseal seal Vault unseals itself on start and this command is not needed for normal operation.

Common usage

Terminal
vault operator unseal   # prompts for a key
vault operator unseal "$KEY1"
vault operator unseal "$KEY2"
vault operator unseal "$KEY3"
# abort an in-progress attempt
vault operator unseal -reset

Options

FlagWhat it does
<key>Submit one unseal key share
-resetDiscard previously entered shares and start over
-statusPrint the current seal status without submitting
-format=jsonOutput unseal progress as JSON

In CI

For a test Vault initialized with threshold 1, a single vault operator unseal "$KEY" is enough. Pass keys as arguments or via stdin rather than relying on a prompt, which would hang a non-interactive job. Check vault status afterward to confirm Sealed false.

Common errors in CI

"Error unsealing: ... incorrect key share" means a wrong or truncated share, often a key copied with a trailing newline. The seal progress not advancing means you are submitting the same share twice; each must be distinct. "Vault is already unsealed" is benign. If VAULT_ADDR targets a standby node behind a load balancer, unseal may need to hit each node.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →