Fix Vault 'Sealed' Status After Restart
The Symptom
After restarting Vault (or the underlying server), all API requests fail with:
Error making API request.
URL: GET https://vault.example.com/v1/sys/health
Code: 503. Errors:
* Vault is sealed
Running vault status confirms:
Sealed true
All applications relying on Vault lose access to secrets until the instance is unsealed.
Root Cause
By design, Vault starts in a sealed state. When sealed, Vault has access to its encrypted storage backend but cannot decrypt anything because the master key is not loaded into memory. This is a deliberate security measure: if a server is compromised while powered off, the attacker cannot access secrets without the unseal keys.
After every restart, Vault must be unsealed by providing a threshold number of unseal key shares (Shamir's Secret Sharing) or by having auto-unseal configured.
Step-by-Step Fix
1. Manual unseal (immediate recovery)
You need to provide the required threshold of unseal keys. The default is 3 out of 5:
vault operator unseal <unseal-key-1>
vault operator unseal <unseal-key-2>
vault operator unseal <unseal-key-3>
Check the progress after each key:
vault status
The Unseal Progress field shows how many keys have been provided versus the threshold.
2. Verify Vault is operational
vault status
# Sealed should now be false
vault token lookup
# Should return token info without errors
3. Set up auto-unseal to prevent this in the future
Auto-unseal delegates the unseal process to a trusted external KMS. Here is an example using AWS KMS:
# vault.hcl
seal "awskms" {
region = "us-east-1"
kms_key_id = "alias/vault-unseal-key"
}
For Azure Key Vault:
seal "azurekeyvault" {
tenant_id = "your-tenant-id"
vault_name = "vault-unseal-kv"
key_name = "vault-unseal-key"
}
After adding the seal stanza, you must migrate from Shamir to auto-unseal:
vault operator unseal -migrate
4. If running in HA mode
In HA mode with integrated storage (Raft), all nodes start sealed. Unseal the leader first, then the followers:
# On the leader node
vault operator unseal <key>
# On each follower
vault operator unseal <key>
Check cluster status once all nodes are unsealed:
vault operator raft list-peers
5. Handle the "recovery keys" distinction
With auto-unseal, the original unseal keys become recovery keys. They can no longer unseal Vault manually but are used for operations like generating a root token:
vault operator generate-root -init
Prevention Tips
- Always configure auto-unseal for production. Manual unseal creates operational risk and delays recovery during outages.
- Store unseal/recovery keys securely. Use a separate, offline medium for each key share. Never store all shares in one location.
- Monitor seal status. Set up an alert on the
/v1/sys/healthendpoint. A 503 response indicates a sealed instance. - Test restart recovery. Periodically restart a non-production Vault node to verify that auto-unseal works as expected and that your runbooks are current.
- Use Vault's built-in Raft snapshots. Schedule
vault operator raft snapshot saveto protect against storage corruption during unexpected shutdowns.
Was this article helpful?
CI/CD Engineering Lead
Automation evangelist who believes no deployment should require a human. I write pipelines, break pipelines, and write about both. Code-first, always.
Related Articles
Vault Token Renewal Failing: Fixing "token Is Not Renewable" And TTL Expiry Issues
If you've ever stared at a production alert screaming `token is not renewable` at 2 AM, you know the particular joy of Vault token management. These errors...
Fix Vault 'permission denied' on Secret Read
How to diagnose and fix HashiCorp Vault 'permission denied' errors when reading secrets, including ACL policy debugging and token inspection.
Vault Kubernetes Authentication: Injecting Secrets into Pods Without Hardcoding
Set up Vault's Kubernetes auth method so pods authenticate using their ServiceAccount tokens — then inject secrets via Vault Agent sidecar or the Vault Secrets Operator. Zero hardcoded credentials in your cluster.
HashiCorp Vault: Secrets Management from First Run to Production
How to set up and use HashiCorp Vault for secrets management — KV secrets engine, dynamic credentials, policies, AppRole authentication, and production hardening. Stop hardcoding credentials in environment variables.
Vault Dynamic Secrets: Short-Lived Credentials on Demand
Generate short-lived database credentials, AWS IAM roles, and PKI certificates with Vault dynamic secrets — eliminating long-lived credentials from your infrastructure.
HashiCorp Vault Fundamentals: Installation and First Secrets
Install HashiCorp Vault, understand seal/unseal mechanics, configure secret engines, and store your first secrets with policies and authentication methods.
More in Vault
View all →Vault with Kubernetes: Injecting Secrets into Pods
Inject HashiCorp Vault secrets into Kubernetes pods using the Agent Injector and CSI provider — with practical examples for database credentials and TLS certificates.
Vault in Production: HA, Auto-Unseal, and Disaster Recovery
Deploy Vault for production — HA with Raft storage, auto-unseal with cloud KMS, audit logging, performance tuning, backup strategies, and disaster recovery.