HashiCorp Certified: Vault Associate Certification

Learning the Vault Architecture

Demo Unsealing with Auto Unseal

In this guide, you’ll configure HashiCorp Vault to use AWS KMS for automatic unsealing. By leveraging Cloud Auto Unseal, you eliminate the operational overhead of manual unseal keys and enhance your security posture.

Prerequisites

  • An EC2 instance running Vault
  • A Customer Managed Key (CMK) in AWS KMS (e.g., Vault Unseal Key)

1. Check Current Vault Status

SSH into your Vault server and run:

vault status

Example output:

Key                 Value
---                 -----
Seal Type           shamir
Initialized         false
Sealed              true
Total Shares        0
Threshold           0
Unseal Progress     0/0
Unseal Nonce        n/a
Version             1.7.1
Storage Type        raft
HA Enabled          true

Vault is not yet initialized and uses the default Shamir seal.

Note

By default, Vault uses Shamir’s Secret Sharing for unsealing. We’ll replace this with AWS KMS.


2. Review the Vault Configuration

Open /etc/vault.d/vault.hcl:

cat /etc/vault.d/vault.hcl
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node-a-us-east-1"
  retry_join {
    auto_join = "provider=aws region=us-east-1 tag_key=vault tag_value=us-east-1"
  }
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = 1
}

api_addr     = "http://10.0.1.37:8200"
cluster_addr = "http://10.0.1.37:8201"
cluster_name = "vault-prod-us-east-1"
ui           = true
log_level    = "INFO"

There’s no seal stanza yet—this is where we’ll plug in our AWS KMS configuration.


3. Add the AWS KMS Seal Stanza

  1. In the AWS Console, go to KMS → Customer managed keys and copy your CMK ARN (for example: arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-EXAMPLEKEY).

Warning

Treat your KMS key ARN and Vault configuration file as sensitive information. Do not expose them in public repositories.

  2. Edit the Vault HCL:

sudo vi /etc/vault.d/vault.hcl

  3. Insert the awskms seal stanza anywhere in the file:

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-EXAMPLEKEY"
}

  4. Your complete configuration should now be (the storage stanza is unchanged from step 2):

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node-a-us-east-1"
  retry_join {
    auto_join = "provider=aws region=us-east-1 tag_key=vault tag_value=us-east-1"
  }
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-EXAMPLEKEY"
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = 1
}

api_addr     = "http://10.0.1.37:8200"
cluster_addr = "http://10.0.1.37:8201"
cluster_name = "vault-prod-us-east-1"
ui           = true
log_level    = "INFO"
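Before restarting the service it is worth checking that the seal stanza is actually well formed, because a typo here is only discovered when Vault fails to come up. The following preflight script is an added example for this guide, not Vault's own tooling: the function names (awskms_stanza, hcl_attr, check_seal_config, sample_config) are assumptions, and the sample files it writes are constructed from the configuration above. It confirms that exactly one seal "awskms" stanza exists, that region and kms_key_id are both set, that kms_key_id is a full KMS key ARN, and that the ARN's region matches the seal's region.

```shell
#!/bin/sh
# Preflight check for /etc/vault.d/vault.hcl before "systemctl restart vault".
# Added example for this guide (not Vault's own tooling). It verifies that:
#   - exactly one seal "awskms" stanza is present
#   - the stanza sets both region and kms_key_id
#   - kms_key_id is a full KMS key ARN whose region matches the seal's region
# Assumes the stanza is written one attribute per line, as in the guide.

# Print the body of the seal "awskms" { ... } stanza from file $1.
awskms_stanza() {
  awk '/^seal[[:space:]]+"awskms"[[:space:]]*[{]/ { inblk = 1; next }
       inblk && /^[}]/                            { inblk = 0 }
       inblk                                      { print }' "$1"
}

# Read the quoted value of attribute $1 (key = "value") from stanza text on stdin.
hcl_attr() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Exit 0 when the file is ready for an awskms auto-unseal restart, 1 otherwise.
check_seal_config() {
  file=$1
  count=$(grep -c '^seal[[:space:]]*"awskms"' "$file" || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one seal \"awskms\" stanza, found $count" >&2
    return 1
  fi
  stanza=$(awskms_stanza "$file")
  region=$(printf '%s\n' "$stanza" | hcl_attr region)
  key_id=$(printf '%s\n' "$stanza" | hcl_attr kms_key_id)
  [ -n "$region" ] || { echo "seal stanza is missing region" >&2; return 1; }
  [ -n "$key_id" ] || { echo "seal stanza is missing kms_key_id" >&2; return 1; }
  # A full key ARN looks like arn:aws:kms:<region>:<12-digit account>:key/<key id>.
  arn_region=$(printf '%s\n' "$key_id" | awk -F: '
    $1 == "arn" && $2 == "aws" && $3 == "kms" &&
    length($5) == 12 && $5 ~ /^[0-9]+$/ && $6 ~ /^key\// { print $4 }')
  [ -n "$arn_region" ] || { echo "kms_key_id is not a full KMS key ARN: $key_id" >&2; return 1; }
  [ "$arn_region" = "$region" ] || {
    echo "seal region $region does not match key ARN region $arn_region" >&2; return 1; }
  echo "ok: awskms seal uses $key_id in $region"
}

# Constructed sample files for trying the check offline: "good" mirrors the
# guide's finished configuration, "bad" has the seal region pointing at a
# different AWS region than the key. Prints the path of a temporary file.
sample_config() {
  f=$(mktemp)
  if [ "$1" = good ]; then
    cat >"$f" <<'EOF'
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node-a-us-east-1"
  retry_join {
    auto_join = "provider=aws region=us-east-1 tag_key=vault tag_value=us-east-1"
  }
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-EXAMPLEKEY"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
EOF
  else
    cat >"$f" <<'EOF'
seal "awskms" {
  region     = "us-west-2"
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-EXAMPLEKEY"
}
EOF
  fi
  printf '%s\n' "$f"
}

# On a real node: check_seal_config /etc/vault.d/vault.hcl && sudo systemctl restart vault
```

The script only inspects the file. It cannot tell you whether the instance is allowed to use the key: the awskms seal needs the instance's IAM identity to hold kms:Encrypt, kms:Decrypt and kms:DescribeKey on that key, which is a separate thing to confirm in the key policy or IAM role before the restart in step 4.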

4. Restart Vault and Verify Seal Type

Restart the Vault service:

sudo systemctl restart vault

Check the new status:

vault status
Key                     Value
---                     -----
Seal Type               awskms
Initialized             false
Sealed                  true
Total Recovery Shares   0
Threshold               0
Version                 1.7.1
Storage Type            raft
HA Enabled              true

Vault is now configured to auto-unseal with AWS KMS, but still needs initialization.


5. Initialize the Vault Cluster

Initialize Vault:

vault operator init

Example output:

Recovery Key 1:  qDfLTvJNhT3Dgj8UWaep9o2qgQZcVq/+w6QXQ4Tq+
...
Recovery Key 5:  2/FshgVlCzLhqhG+C0M0azU3ry82c2KhmKSUpelv

Initial Root Token: s.7gu7dshRlK1KNoq8B9dFme

Success! Vault is initialized with 5 recovery shares and a threshold of 3.

Re-run vault status:

vault status
Key                     Value
---                     -----
Seal Type               awskms
Recovery Seal Type      shamir
Initialized             true
Sealed                  false
Total Recovery Shares   5
Threshold               3
Version                 1.7.1
Storage Type            raft
Cluster Name            vault-prod-us-east-1
Cluster ID              6245bbfd-8db5-b507-f689-ba48628ad2a5
HA Enabled              true
HA Cluster              http://10.0.1.37:8201
HA Mode                 active

Vault is now unsealed automatically via AWS KMS.


6. Use Vault as Usual

Authenticate with the root token:

vault login s.7gu7dshRlK1KNoq8B9dFme

Enable and list secrets engines:

vault secrets enable azure
vault secrets list
Path          Type        Accessor
----          ----        --------
azure/        azure       azure_6d868445
cubbyhole/    cubbyhole   cubbyhole_2e79ae0c
identity/     identity    identity_65b04cae
sys/          system      system_9d391d96

Everything works without manual unseal steps.


7. Confirm Auto-Unseal After Restart

Restart Vault again:

sudo systemctl restart vault
vault status

Vault comes back unsealed without anyone entering keys: the AWS KMS seal unwraps the master key on startup, so the manual unseal step is gone from every restart.
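Eyeballing the table after each restart does not scale, so here is a small health check, added for this guide and not part of Vault, that reads the `vault status` table on stdin and exits non-zero unless the node reports Seal Type awskms, Initialized true and Sealed false. The function names (status_field, check_auto_unsealed, sample_status_unsealed, sample_status_sealed) are assumptions, and the two sample outputs are constructed from the tables shown in steps 5 and 7.

```shell
#!/bin/sh
# Post-restart health check for the auto-unseal setup in this guide. Added
# example, not part of Vault. It reads the table printed by "vault status"
# on stdin and exits 0 only when the node reports Seal Type awskms,
# Initialized true and Sealed false; anything else exits 1 with a reason,
# so the check can be dropped into a restart script or a monitoring job.

# Print the value column for key $1 (e.g. "Seal Type") from status text on stdin.
# Keys may contain spaces, so the value is taken as the last field and the
# remaining fields are joined back into the key before comparing.
status_field() {
  awk -v key="$1" '
    NF >= 2 {
      value = $NF
      $NF = ""
      sub(/[[:space:]]+$/, "")
      if ($0 == key) { print value; exit }
    }'
}

# Exit 0 when the node is initialized, unsealed and using the awskms seal.
check_auto_unsealed() {
  status=$(cat)
  seal=$(printf '%s\n' "$status" | status_field "Seal Type")
  init=$(printf '%s\n' "$status" | status_field "Initialized")
  sealed=$(printf '%s\n' "$status" | status_field "Sealed")
  [ "$seal" = "awskms" ] || { echo "seal type is '$seal', expected awskms" >&2; return 1; }
  [ "$init" = "true" ] || { echo "vault is not initialized" >&2; return 1; }
  [ "$sealed" = "false" ] || { echo "vault is sealed; auto-unseal did not complete" >&2; return 1; }
  echo "ok: seal=$seal initialized=$init sealed=$sealed"
}

# Constructed sample outputs for offline use (modelled on the guide's tables).
sample_status_unsealed() {
  cat <<'EOF'
Key                     Value
---                     -----
Seal Type               awskms
Recovery Seal Type      shamir
Initialized             true
Sealed                  false
Total Recovery Shares   5
Threshold               3
Version                 1.7.1
Storage Type            raft
Cluster Name            vault-prod-us-east-1
HA Enabled              true
HA Mode                 active
EOF
}

# A node that restarted but did not get unsealed (constructed).
sample_status_sealed() {
  cat <<'EOF'
Key                     Value
---                     -----
Seal Type               awskms
Initialized             true
Sealed                  true
Total Recovery Shares   5
Threshold               3
EOF
}

# On a real node: vault status | check_auto_unsealed
```

The "Recovery Seal Type shamir" row is the one to remember for the exam and for operations: with auto-unseal the five recovery keys from step 5 cannot unseal Vault at all; they are used for privileged operations such as generating a new root token, so store them with the same care as Shamir unseal keys even though they are never typed at startup.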


Congratulations! You’ve successfully set up Cloud Auto Unseal with AWS KMS. This configuration streamlines your Vault operations and boosts security by removing manual unseal key handling.
