Articles

Vault AWS KMS Auto-Unseal: Remove Manual Unseal Steps (2026)

April 6, 2026 3 min read

Vault’s AWS KMS auto-unseal is actually a sophisticated distributed consensus system masquerading as a simple encryption key wrapper.

Let’s see Vault’s AWS KMS auto-unseal in action. Imagine you’re starting up a fresh Vault cluster, or perhaps restarting a node that was down for maintenance.

# On a Vault server, after starting the binary
vault status

Initially, you’ll see something like this:

Sealed: true
Key Shares: 5
Key Threshold: 3

This "Sealed: true" state is critical. It means Vault is encrypted and won’t serve any requests. To get out of this, you’d traditionally need to run vault unseal with enough key shares. But with auto-unseal enabled, the magic happens in the background.

Here’s a typical Vault configuration snippet for AWS KMS auto-unseal:

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}

api_addr = "http://127.0.0.1:8200"

# AWS KMS Auto-Unseal Configuration
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "alias/my-vault-unseal-key"
}

When Vault starts up with this configuration, it doesn’t just magically know how to decrypt itself. It uses the seal "awskms" stanza to interact with AWS KMS. The kms_key_id points to a specific KMS Customer Master Key (CMK) you’ve pre-created in AWS.

Here’s the mental model:

  1. Encryption: When you first initialize Vault, it generates a master encryption key (the "core key"). This core key is then encrypted using your specified AWS KMS CMK. This encrypted core key is stored within Vault’s storage backend, alongside all your secrets.
  2. Sealed State: When Vault starts, it loads the encrypted core key from storage. Since it doesn’t have the plaintext core key, it’s "sealed."
  3. Auto-Unseal Process: The seal "awskms" configuration tells Vault: "When you start up and are sealed, try to decrypt the stored encrypted core key using this AWS KMS CMK."
  4. KMS Interaction: Vault makes an API call to AWS KMS (kms:Decrypt operation) using the IAM credentials it has (either from environment variables, EC2 instance profile, etc.). It passes the encrypted core key to KMS.
  5. Decryption: AWS KMS, using the specified CMK, decrypts the core key and returns the plaintext core key to Vault.
  6. Unsealed State: Vault receives the plaintext core key, decrypts its own data, and transitions to the "Sealed: false" state. It’s now ready to serve requests.

The most surprising part is that the KMS CMK itself never leaves AWS. Vault never sees the plaintext of the KMS CMK. It only sees the plaintext of its own core key, which is then used to decrypt the rest of your secrets. This means the security of your Vault data is intrinsically tied to the security of your AWS KMS CMK and the IAM permissions granting Vault access to kms:Decrypt.

If you’ve correctly configured the IAM role for your Vault server (e.g., an EC2 instance profile) to have kms:Decrypt permissions on your specified KMS key, and the kms_key_id in your Vault config matches an existing KMS key, the unsealing will happen automatically. The vault status command will eventually show Sealed: false.

The next hurdle you’ll likely face is ensuring your Vault cluster’s high availability setup is correctly configured to handle leader elections and failovers seamlessly.

More Deep Dives in Vault

Want structured learning?

Take the full Vault course →