Question about seal and unseal

Hi, I’m confused about the strategy of “seal and unseal”. Shall we always leave vault as unsealed in a production environment ? Because in my opinion vault should be sealed until a new authentication request arrives. Any one has an idea? Thanks so much.

The unsealed state is needed for Vault to be able to process requests.

So in general you want all instances (both the active and any standby ones) to be unsealed in normal usage.

When it isn’t running it would be sealed, and you can seal all instances manually in the case of some emrgancy that needs Vault instantly disabling.