vault operator unseal: Unseal a Sealed Vault
vault operator unseal submits one unseal key share at a time until the threshold is met and Vault unseals.
A freshly started or restarted Vault begins sealed and serves no secrets. Unsealing reconstructs the master key from enough key shares. Auto-unseal removes this manual step.
What it does
vault operator unseal accepts one Shamir key share per invocation. Vault tracks progress (e.g. 1/3, 2/3) until the threshold is reached, then unseals. With an auto-unseal seal Vault unseals itself on start and this command is not needed for normal operation.
Common usage
vault operator unseal # prompts for a key
vault operator unseal "$KEY1"
vault operator unseal "$KEY2"
vault operator unseal "$KEY3"
# abort an in-progress attempt
vault operator unseal -resetOptions
| Flag | What it does |
|---|---|
| <key> | Submit one unseal key share |
| -reset | Discard previously entered shares and start over |
| -status | Print the current seal status without submitting |
| -format=json | Output unseal progress as JSON |
In CI
For a test Vault initialized with threshold 1, a single vault operator unseal "$KEY" is enough. Pass keys as arguments or via stdin rather than relying on a prompt, which would hang a non-interactive job. Check vault status afterward to confirm Sealed false.
Common errors in CI
"Error unsealing: ... incorrect key share" means a wrong or truncated share, often a key copied with a trailing newline. The seal progress not advancing means you are submitting the same share twice; each must be distinct. "Vault is already unsealed" is benign. If VAULT_ADDR targets a standby node behind a load balancer, unseal may need to hit each node.