I am completely new to Vault, but have managed to get it running on my dev machine, stored some secrets (username & password) in there and then pulled the information out through Packer to authenticate to a vSphere environment and build a new template. Brilliant!
What I am struggling to understand though is sealing/unsealing.
I have the vault unsealed (manually by entering 3 of the 5 keys) so that Packer can request information from the vault store. But should Vault be left unsealed all the time? Surely not?
I do not use any public cloud services, so my question is, if Vault should be left sealed, unsealed when data is needed and then resealed afterwards, how would I go about doing this when I am using Packer?