securityCritical
Fix: HashiCorp Vault Sealed and Inaccessible
Vault API returns 503 with 'Vault is sealed'
!Symptoms
- Vault API returns 503 with 'Vault is sealed'
- Applications failing to authenticate — secrets unavailable
- Vault UI shows sealed status
- All dependent services failing simultaneously
?Root Causes
- Vault server restarted and auto-unseal not configured
- Auto-unseal KMS key deleted or permissions revoked
- Raft storage corruption after unclean shutdown
- All Vault nodes restarted at the same time (rolling restart skipped)
- Seal migration failed or was interrupted
#Diagnosis Steps
- 1Check Vault status: `vault status` — look for Sealed: true
- 2Check Vault logs: `journalctl -u vault` or container logs
- 3If auto-unseal, check KMS connectivity and permissions
- 4Check Raft peers: `vault operator raft list-peers`
- 5Verify the unseal keys are available (stored in secure location)
>Fix
- 1Unseal manually with unseal keys: `vault operator unseal <key>` (need threshold count)
- 2Fix auto-unseal KMS permissions and restart Vault
- 3If Raft corrupted, restore from snapshot: `vault operator raft snapshot restore <file>`
- 4For HA clusters, unseal one node and let others join via Raft
- 5If keys are lost: reinitialize Vault (DESTRUCTIVE — all secrets lost)
*Prevention
- Always configure auto-unseal (AWS KMS, GCP KMS, Azure Key Vault, or Transit)
- Never restart all Vault nodes simultaneously — use rolling restarts
- Take regular Raft snapshots: `vault operator raft snapshot save backup.snap`
- Store unseal keys in multiple secure locations (Shamir's Secret Sharing)
- Monitor Vault seal status and alert immediately on seal events
Related Error Messages
Vault is sealed503 Service Unavailablepermission denied: token not foundfailed to unseal: stored unseal keys are exhausted