Hashicorp Vault – Rekey or Unseal Vault

Unseal the vault

After the Vault service has been restarted, the vault starts in a sealed state. This means the master key is not in memory, so the encryption keys that protect the storage backend cannot be derived and nothing in the encrypted database on disk can be read; the service answers status requests but nothing else until it is unsealed. More on this topic can be read here: https://www.vaultproject.io/docs/concepts/seal.html
To unseal the vault:

  1. Open a terminal on a host that can reach the Vault API (VAULT_ADDR set as usual)
  2. Type: vault unseal (on Vault 0.9.2 and later the command is: vault operator unseal)
  3. Enter your unseal key when prompted (the input is hidden); never paste someone else's share

Repeat the above process until the number of keys entered reaches the threshold; vault status shows the current unseal progress against the threshold and whether the vault is still sealed. We require a threshold of 2 keys, so at least two key shares must be entered to unseal the vault. Each share is issued to a different admin and is entered by its holder, which is what makes two admins necessary; one person holding two shares would satisfy the threshold alone and defeats the point of splitting the key.

To manually seal the vault (requires a token permitted to call sys/seal, such as the root token; once sealed, the vault rejects every request until it is unsealed again as above):

vault seal

Rekey the vault

vault rekey -init -key-shares=10 -key-threshold=2

Output will include a unique ID called a nonce. This nonce is the identifier for this rekey operation. The nonce will be displayed during the rest of the process so you can be sure that everyone is working on the same rekey operation; if the nonce an admin sees differs from the one shown at -init, stop, because a different rekey has been started in the meantime. vault rekey -status shows the nonce and progress of the current operation, and vault rekey -cancel aborts it without changing any keys.

Run: vault rekey

Enter unseal key when prompted

Repeat the process, one key holder at a time (each runs vault rekey and enters their own current unseal key), until the current threshold of existing keys is met.

After the threshold is met, the list of new keys is displayed on the screen once, in plaintext, and the old unseal keys stop working immediately. Distribute these keys in a secure manner to everyone who should have them, one share per person, and never over email or chat. To avoid the plaintext ever appearing on a screen, pass -pgp-keys with one PGP public key per share at -init time; each new share is then encrypted to its holder's key and only that holder can decrypt it. You can adjust the threshold and key shares to suit the team, as long as the threshold is not larger than the number of shares and is at least 2.
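The unseal loop and the rekey procedure above, driven over Vault's HTTP sys API instead of the CLI, as an added example for this runbook (not Vault's own code). It assumes Vault is reachable at VAULT_ADDR (default http://127.0.0.1:8200) and uses the sys/seal-status, sys/unseal, sys/rekey/init and sys/rekey/update endpoints. The FakeVault class is a constructed in-memory model of the seal and rekey state machine so the script runs offline; the function names unseal, rekey_init and rekey_submit are this example's own. It shows the two checks the text asks for: stop submitting shares as soon as the threshold is reached, and refuse to submit a share to a rekey whose nonce is not the one agreed on.

```python
"""Unseal and rekey HashiCorp Vault over its HTTP sys API (added example)."""
import json
import os
import urllib.request
import uuid

# Assumption: VAULT_ADDR as for the CLI; not taken from the runbook.
DEFAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")


def http_json(method, path, body=None):
    """Real transport: one JSON request against the Vault HTTP API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(DEFAULT_ADDR + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def unseal(keys, transport=http_json):
    """Feed unseal shares one at a time until Vault reports unsealed.
    Stops at the threshold, so shares beyond it are never transmitted."""
    status = transport("GET", "/v1/sys/seal-status")
    for key in keys:
        if not status["sealed"]:
            break
        status = transport("PUT", "/v1/sys/unseal", {"key": key})
    if status["sealed"]:
        raise RuntimeError(f"still sealed: {status['progress']}/{status['t']} shares")
    return status


def rekey_init(shares, threshold, transport=http_json, pgp_keys=None):
    """Start a rekey; the returned status carries the nonce everyone must verify."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    body = {"secret_shares": shares, "secret_threshold": threshold}
    if pgp_keys:  # one PGP public key per new share, so plaintext is never shown
        body["pgp_keys"] = pgp_keys
    return transport("PUT", "/v1/sys/rekey/init", body)


def rekey_submit(nonce, key, transport=http_json):
    """Submit one current unseal share to the rekey identified by nonce.
    The nonce check stops a share being applied to a rekey the holder did not agree to."""
    status = transport("GET", "/v1/sys/rekey/init")
    if not status.get("started") or status.get("nonce") != nonce:
        raise RuntimeError(f"rekey nonce mismatch: have {nonce}, server reports {status.get('nonce')}")
    return transport("PUT", "/v1/sys/rekey/update", {"key": key, "nonce": nonce})


class FakeVault:
    """Constructed in-memory model of Vault's seal/rekey state so the example runs
    offline. Real Vault answers HTTP 400 where this raises RuntimeError."""

    def __init__(self, shares, threshold, key_shares):
        self.n, self.t, self.valid = shares, threshold, set(key_shares)
        self.sealed, self.progress = True, set()
        self.rekey, self.rekey_seen, self.calls = None, set(), []

    def _seal_status(self):
        return {"sealed": self.sealed, "t": self.t, "n": self.n, "progress": len(self.progress)}

    def _rekey_status(self):
        if self.rekey is None:
            return {"started": False}
        return {"started": True, "progress": len(self.rekey_seen), **self.rekey}

    def __call__(self, method, path, body=None):
        self.calls.append((method, path))
        if path == "/v1/sys/seal-status":
            return self._seal_status()
        if path == "/v1/sys/unseal":
            if body["key"] not in self.valid:
                raise RuntimeError("invalid unseal key")
            self.progress.add(body["key"])
            if len(self.progress) >= self.t:  # threshold reached: derive master key
                self.sealed, self.progress = False, set()
            return self._seal_status()
        if self.sealed:
            raise RuntimeError("vault is sealed")
        if path == "/v1/sys/rekey/init" and method == "GET":
            return self._rekey_status()
        if path == "/v1/sys/rekey/init":
            self.rekey = {"nonce": str(uuid.uuid4()), "n": body["secret_shares"],
                          "t": body["secret_threshold"], "required": self.t}
            self.rekey_seen = set()
            return self._rekey_status()
        if path == "/v1/sys/rekey/update":
            if self.rekey is None or body["nonce"] != self.rekey["nonce"]:
                raise RuntimeError("rekey nonce mismatch")
            if body["key"] not in self.valid:
                raise RuntimeError("invalid unseal key")
            self.rekey_seen.add(body["key"])
            if len(self.rekey_seen) < self.rekey["required"]:
                return {"complete": False, **self._rekey_status()}
            new = [f"share-{i}" for i in range(self.rekey["n"])]  # stand-in for new shares
            done, self.rekey = self.rekey, None
            self.n, self.t, self.valid = done["n"], done["t"], set(new)  # old shares now dead
            return {"complete": True, "nonce": done["nonce"], "keys": new}
        raise RuntimeError(f"unsupported {method} {path}")
```

Against a real server drop the transport argument: unseal(["<share>"]) submits one holder's share, and rekey_submit(nonce, "<share>") is run by each holder with the nonce read off the -init output. The fake reproduces the behaviour worth remembering from the text: the old shares are rejected the moment the rekey completes, and a share offered under the wrong nonce is never sent.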