Unsealing when using Vault with Packer

Hi all,

I am completely new to Vault, but have managed to get it running on my dev machine, stored some secrets (username & password) in there and then pulled the information out through packer to authenticate to a vSphere environment and build a new template. Brilliant!

What I am struggling to understand though is sealing/unsealing.

I have the vault unsealed (manually by entering 3 of the 5 keys) so that Packer can request information from the vault store. But should Vault be left unsealed all the time? Surely not?

I do not use any public cloud services, so my question is, if Vault should be left sealed, unsealed when data is needed and then resealed afterwards, how would I go about doing this when I am using packer?

Vault should be unsealed in normal operation.
You’re protecting the access/authoritzation to the secrets stored inside the barrier (the barrier being, well, sealed when it is not unsealed) by the Vault auth methods and policy. Ie, Vault is unsealed all the time and clients come in with a token/username/auth method that is valid and they can get into the Vault and retrieve secrets.

1 Like

Hi Mike,

Thanks for replying. So just so I am clear

  1. Install vault
  2. Unseal it
  3. Add info in
  4. Leave it unsealed and use it

I should only reseal if there is a breach, or if im going to reboot the host node?

Basically, yeah.

Before you rely on Vault for storing secrets, make sure you understand all the sealing/unsealing here https://www.vaultproject.io/docs/concepts/seal.html

As well as root token, recovery keys, shamir keys, etc - so that you don’t get in a position that a sealed Vault leaves you with no way to unseal at some point.

You don’t have to seal before rebooting. It’ll auto seal.