Configuring HA and AutoSeal On Premises Only

Hi,
I’m looking to use Vault for keeping passwords secure for my Terraform deployments.
I’ve set up a single instance of Vault and all is great until the VM running Vault is restarted and the Vault is then sealed.
I’ve investigated AutoSealing and it all requires cloud-based KMS solutions or expensive HSM devices.
I’m trying to find a solution for my home lab setup that could also be used for purely on premises setups that is suitable/secure for production use.
Basically my requirements are:

  1. High availability (I’ve found some install docs using Consul, which look promising)
  2. Easy integration with Terraform (there’s a module for that).
  3. Automatic unsealing if the servers are rebooted - this is my problem area.

There is a way of using a second Vault to store the credentials to enable the first Vault to automatically unseal, but that just moves the problem to the second Vault :frowning:

I have noticed an open source SoftHSM, but no idea if that will work with Vault (does it work at all or only with the paid-for Vault?)

Has anyone got a solution that is fully automated?

Thanks,
Richie

You can use another Vault instance with transit, but then it turns into a vicious circle. For a homelab you can use AWS KMS as a free service; Vault doesn’t use enough to go above the free tier limit.
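
The setup discussed in this thread, written out as a Vault server configuration for one node (an added example, not part of the original posts): Consul storage for HA, plus the two auto-unseal options the reply mentions. Hostnames, file paths, the region and the key ID are placeholders, not values from the thread.

```hcl
# Added example: /etc/vault.d/vault.hcl for one node of an HA cluster.
# Every hostname, path and ID below is a placeholder (assumption).

# HA storage backend: talks to a local Consul agent that is joined
# to the Consul cluster. Consul also provides the HA lock.
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt" # placeholder path
  tls_key_file  = "/etc/vault.d/tls/vault.key" # placeholder path
}

# Addresses that clients and the other Vault nodes use to reach this node.
api_addr     = "https://vault-1.lab.example:8200"
cluster_addr = "https://vault-1.lab.example:8201"

# Option A: AWS KMS auto-unseal.
# Credentials are read from the environment (AWS_ACCESS_KEY_ID /
# AWS_SECRET_ACCESS_KEY), so they stay out of this file. The IAM
# identity needs only kms:Encrypt, kms:Decrypt and kms:DescribeKey
# on this one key.
seal "awskms" {
  region     = "us-east-1"               # placeholder region
  kms_key_id = "REPLACE-WITH-KMS-KEY-ID" # placeholder key ID
}

# Option B: transit auto-unseal against a second Vault.
# Use instead of Option A, never both. The token is read from the
# VAULT_TOKEN environment variable of the Vault service.
# seal "transit" {
#   address    = "https://unseal-vault.lab.example:8200" # placeholder
#   key_name   = "autounseal"                            # placeholder
#   mount_path = "transit/"
# }
```

With either seal, the KMS credentials or transit token on the node are what unseals Vault after a reboot, so scope them to the single key and keep the service's environment file readable by root only. Initialising a Vault with an auto-unseal stanza yields recovery keys rather than unseal keys, and those still need to be stored offline.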