Vault Unseal Key

Bridgecrew Policy ID: BC_GIT_71
Checkov Check ID: CKV_SECRET_71
Severity: LOW

When a Vault server is started, it starts in a sealed state: Vault knows where and how to reach its physical storage, but cannot decrypt any of it. Unsealing is the process of reconstructing the plaintext root key, which is needed to read the encryption key that protects the stored data. The root key is never stored whole; it is split into unseal key shares with Shamir's secret sharing, and a threshold of those shares must be supplied to unseal. This check flags an unseal key share committed to source. Anyone who collects a threshold of shares and can reach the storage backend can unseal Vault and read everything in it, and a single share cannot be revoked on its own, so a leaked share is remediated by rekeying, which replaces the whole set of shares.

Fix - Buildtime


Step 1: Rekey Vault to replace the unseal key shares

  1. Remove the share from the repository (including its history) and connect to an unsealed Vault.
  2. Start a rekey, choosing the new number of shares and threshold, for example vault operator rekey -init -key-shares=5 -key-threshold=3. Note the nonce it prints; every key holder must pass the same nonce.
  3. Each holder supplies one of the current unseal keys with vault operator rekey -nonce=<nonce>, which prompts for the key, until the current threshold has been entered. Vault then prints the new shares: distribute them to the key holders and destroy the old ones, which no longer work.
  4. Check progress, or confirm nothing is left pending, with vault operator rekey -status; abandon a stray or suspicious rekey with vault operator rekey -cancel.
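Unseal key shares cannot be revoked individually; the operation that actually retires a leaked share is a rekey, and the vault operator rekey commands drive it through Vault's rekey HTTP API. The following is an added example, not Bridgecrew, Checkov or HashiCorp code, that performs that exchange directly: it starts a rekey, submits a threshold of existing shares under the returned nonce, collects the new shares, and cancels the pending operation on any shortfall so a half-finished rekey is not left open for someone else to complete. FakeVault is a constructed in-memory stand-in for the rekey state machine so the flow runs offline; VaultHttp talks to a real server and assumes VAULT_ADDR (or a default of http://127.0.0.1:8200). Verification (the -verify option) is not enabled here, so the new shares become active as soon as the rekey completes.

```python
"""Replace every Vault unseal key share after one has leaked (added example)."""
import json
import os
import secrets
import urllib.request


class VaultHttp:
    """JSON transport for a real Vault; rekey endpoints need no token. Assumes VAULT_ADDR."""

    def __init__(self, addr=None):
        self.addr = (addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")).rstrip("/")

    def __call__(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}


class FakeVault:
    """Constructed offline stand-in. A real Vault recombines shares with Shamir and only
    learns whether they were valid at the threshold; this fake checks a set at completion."""

    def __init__(self, shares, threshold):
        self.shares, self.threshold = set(shares), threshold
        self.session = None  # (nonce, submitted shares, new n, new t) while a rekey is open

    def __call__(self, method, path, body=None):
        if (method, path) == ("POST", "sys/rekey/init"):
            n, t = body["secret_shares"], body["secret_threshold"]
            if self.session is not None:
                raise RuntimeError("rekey already in progress")
            if not 1 <= t <= n or (n > 1 and t < 2):
                raise ValueError("invalid shares/threshold")
            self.session = (secrets.token_hex(8), [], n, t)
            return {"started": True, "nonce": self.session[0], "t": t, "n": n,
                    "progress": 0, "required": self.threshold}
        if (method, path) == ("DELETE", "sys/rekey/init"):
            self.session = None
            return {}
        if (method, path) == ("PUT", "sys/rekey/update"):
            if self.session is None:
                raise RuntimeError("no rekey in progress")
            nonce, got, n, t = self.session
            if body["nonce"] != nonce:
                raise ValueError("incorrect nonce")
            if body["key"] in got:
                raise ValueError("key already provided")
            got.append(body["key"])
            if len(got) < self.threshold:
                return {"complete": False, "nonce": nonce, "progress": len(got),
                        "required": self.threshold}
            self.session = None
            if not set(got) <= self.shares:
                raise ValueError("unseal keys do not match the root key")
            new = [secrets.token_urlsafe(33) for _ in range(n)]
            self.shares, self.threshold = set(new), t  # old shares are now useless
            return {"complete": True, "nonce": nonce, "keys_base64": new}
        raise KeyError(f"unsupported {method} {path}")


def rekey(transport, existing_shares, new_shares=5, new_threshold=3):
    """Run a full rekey and return the new base64 shares. existing_shares must hold at
    least the current threshold; the leaked share may be among them, it dies with the rest."""
    init = transport("POST", "sys/rekey/init",
                     {"secret_shares": new_shares, "secret_threshold": new_threshold})
    nonce, needed = init["nonce"], init["required"]
    if len(existing_shares) < needed:
        transport("DELETE", "sys/rekey/init")  # never leave a pending rekey behind
        raise ValueError(f"need {needed} existing shares, have {len(existing_shares)}")
    try:
        for share in existing_shares[:needed]:
            resp = transport("PUT", "sys/rekey/update", {"key": share, "nonce": nonce})
            if resp.get("complete"):
                return resp["keys_base64"]
    except Exception:
        transport("DELETE", "sys/rekey/init")
        raise
    transport("DELETE", "sys/rekey/init")
    raise RuntimeError("threshold of shares submitted but rekey did not complete")


def demo():
    """Walk the remediation against the fake; returns the outcomes for inspection."""
    old = [f"old-share-{i}" for i in range(5)]  # constructed; share 4 plays the leaked one
    vault = FakeVault(old, threshold=3)
    new = rekey(vault, [old[0], old[1], old[4]])  # the leaked share still counts for the rekey
    try:
        rekey(vault, new[:2]); short = None  # below threshold: cancelled, nothing pending
    except ValueError as e:
        short = str(e)
    try:
        rekey(vault, old[:3]); stale = None  # old shares no longer combine to the root key
    except ValueError as e:
        stale = str(e)
    return {"old": old, "new": new, "short": short, "stale": stale,
            "pending": vault.session is not None}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it against a real server, replace FakeVault with VaultHttp() and pass the shares collected from the key holders; in practice each holder submits their own share with vault operator rekey -nonce=<nonce> rather than handing it to one script, which is the whole point of splitting the root key.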

Step 2: Monitor for abuse