
Distributing Key Shards
When Vault initializes (vault operator init), it generates a specified number of shares and a threshold number required to unseal. By default, Vault creates 5 shares and a threshold of 3.
| Total Shares | Threshold | Description |
|---|---|---|
| 5 | 3 | Any 3 of the 5 key shards must be combined to unseal Vault |
Unsealing Process
When Vault is sealed, no operations can occur until enough unseal keys are submitted. Each submitted key shard increments the unseal progress. Once the threshold is reached, Vault reconstructs the master key, decrypts its encryption key, and transitions to the unsealed state.
1. Check Vault Status (Sealed)
2. Submit Unseal Shards
- Submit first key → Unseal Progress 1/3
- Submit second key → Unseal Progress 2/3
- Submit third key → Unseal Progress 3/3 → Vault transitions to unsealed
3. Verify Vault Status (Unsealed)
Vault logs the unseal progress but never records the actual key shards. This ensures shards remain confidential.
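As an added example (not Vault's own code), the following toy Shamir split and recovery in Python, plus a small progress tracker, mirrors the 5-share / 3-threshold flow above. The field prime, the function names and the UnsealProgress class are assumptions chosen for illustration; Vault's real implementation differs in detail.

```python
# Toy Shamir secret sharing over a prime field, with an unseal-progress tracker
# that advances one step per distinct shard, as in the process described above.
import secrets

PRIME = 2**127 - 1  # Mersenne prime; an assumed field size for the demo only

def split_secret(secret: int, shares: int = 5, threshold: int = 3):
    """Return `shares` points (x, y) on a random degree-(threshold-1) polynomial
    whose constant term is the secret. Any `threshold` points reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):
            y = (y * x + c) % PRIME  # Horner evaluation modulo PRIME
        points.append((x, y))
    return points

def recover_secret(points):
    """Lagrange interpolation at x = 0 over the supplied distinct points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

class UnsealProgress:
    """Tracks submitted shards the way unseal progress n/threshold is reported."""
    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.shards = {}  # keyed by x, so resubmitting a shard does not advance
        self.sealed = True
        self.master_key = None

    def submit(self, shard):
        self.shards[shard[0]] = shard
        if self.sealed and len(self.shards) >= self.threshold:
            self.master_key = recover_secret(list(self.shards.values())[: self.threshold])
            self.sealed = False
        return f"{min(len(self.shards), self.threshold)}/{self.threshold}"
```

Note that the tracker never stores the reconstructed key alongside the shards it logs, matching the point that progress is recorded but shard values are not.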
Key Shard Best Practices
Implement these practices to maintain strong security for your unseal keys:
| Practice | Description |
|---|---|
| PGP Encryption | Provide each custodian’s public PGP key during initialization so Vault encrypts each shard. |
| Offline Storage | Store shards in secure offline devices (e.g., hardware safe or encrypted USB). |
| Access Controls | Restrict physical and digital access to unseal key holders only. |
| Custodian Roster | Maintain an up-to-date list of key holders and confirm availability. |
Ensure that at least the threshold number of custodians is reachable whenever Vault restarts or is sealed. With 5 shares and a threshold of 3, you can afford to lose at most 2 shards; once fewer than 3 remain available, Vault cannot be unsealed.