Vault starts in a sealed state, meaning it knows where to access the data, and
how, but can’t decrypt it
• Almost no operations are possible when Vault is in a sealed state (only status
check and unsealing are possible)
• Unsealing Vault means that a node can reconstruct the master key in order to
decrypt the encryption key, and ultimately read the data
• After unsealing, the encryption key is stored in memory
Sealing Vault means Vault “throws away” the encryption key and requires
another unseal to perform any further operations
• Vault will start in a sealed state – you can also manually seal it via UI, CLI, or API
• When would I seal Vault?
  • Key shards are inadvertently exposed
  • Detection of a compromise or network intrusion
  • Spyware/malware on the Vault nodes
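How the unseal step described above works under the hood, as an added toy model that is not Vault's own code: key shards are Shamir shares over GF(2^8) (the field Vault's shamir package uses), any threshold-many of them reconstruct the master key, and only then can the stored encryption key be unwrapped into memory. The XOR key wrapping, the 5-of-3 split and all key bytes are constructed stand-ins; real Vault wraps the encryption key with AES-GCM.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def shamir_split(secret, n, k):
    """Split bytes into n shards, any k of which reconstruct it (x = 1..n)."""
    shards = [(x, bytearray()) for x in range(1, n + 1)]
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, ys in shards:
            y, xp = 0, 1
            for c in coeffs:  # evaluate sum(c_i * x^i) at this shard's x
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, x)
            ys.append(y)
    return [(x, bytes(ys)) for x, ys in shards]

def shamir_combine(shards):
    """Lagrange interpolation at x=0, one byte position at a time."""
    out = bytearray()
    for i in range(len(shards[0][1])):
        acc = 0
        for xj, yj in shards:
            num = den = 1
            for xm, _ in shards:
                if xm != xj:
                    num = gf_mul(num, xm)       # (0 - xm) == xm in char 2
                    den = gf_mul(den, xj ^ xm)  # (xj - xm)
            inv = next(v for v in range(1, 256) if gf_mul(den, v) == 1)
            acc ^= gf_mul(yj[i], gf_mul(num, inv))
        out.append(acc)
    return bytes(out)

def unseal(wrapped_key, shards, threshold):
    """Toy seal barrier: below the threshold Vault stays sealed (None); at the
    threshold the reconstructed master key unwraps the encryption key.
    XOR wrapping is a constructed stand-in for Vault's AES-GCM key wrapping."""
    if len(shards) < threshold:
        return None
    master = shamir_combine(shards[:threshold])
    return bytes(a ^ b for a, b in zip(wrapped_key, master))
```

Sealing is the inverse of the last step: drop the unwrapped key from memory, after which every read needs a fresh threshold of shards again.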