I have a three-node cluster. In case the whole cluster needs to be sealed, is it possible to do it globally (one command to seal all nodes at once) instead of sealing each node separately?
Thank you
If you mean unseal, the auto-unseal feature could be the solution.
You will only have to unseal the auto-unseal key provider instance and your cluster will unseal by itself.
Actually, I really meant the seal operation, not unseal. Unsealing is pretty straightforward in the documentation and Transit is the way to go for my cluster, but I can’t find anything about sealing all nodes at once and not one-by-one.
I am not sure if this is even possible to do with some built-in command or feature.
Of course, this is probably something that only paranoid people would ask, but better safe than sorry; in case of a security breach, even seconds matter.
I didn’t know this is even possible. I would ‘seal’ an instance by just restarting it.
Yeah, that works too I guess. I mean, it is probably not a bad solution either. You can seal the vault with the command
vault operator seal
btw, which seals the current node.
I also found this in the UI, where in the title it says that the cluster will be sealed, but in reality, only a single node is sealed…