Vault in Prod mode starts in Sealed state after installation

I installed vault in prod mode, using this configuration -

ui = true

#mlock = true
#disable_mlock = true

storage "file" {
  path = "/opt/vault/data"
}

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable = 1
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

After running vault.service and checking the Vault status, it is pre-initialised and sealed, and I am unable to unseal it. Please help.

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       3
Threshold          2
Unseal Progress    0/2
Unseal Nonce       n/a
Version            1.11.0
Build Date         2022-06-17T15:48:44Z
Storage Type       file
HA Enabled         false
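Added example (not part of the original post): a small parser for the two-column `vault status` table shown above, plus a triage step that tells apart "never initialised", "initialised but sealed" and "unsealed", and how many more unseal keys the threshold still needs. The sample table is the one from the post, embedded as a string.

```python
import re

# Constructed sample: the `vault status` table posted in the thread above.
SAMPLE_STATUS = """\
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       3
Threshold          2
Unseal Progress    0/2
Unseal Nonce       n/a
Version            1.11.0
Storage Type       file
HA Enabled         false
"""


def parse_status(text):
    """Turn the aligned Key/Value table into a dict, skipping the header rows."""
    fields = {}
    for line in text.splitlines():
        # key and value are separated by a run of two or more spaces
        m = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line.rstrip())
        if not m or m.group(1) in ("Key", "---"):
            continue
        fields[m.group(1)] = m.group(2)
    return fields


def triage(fields):
    """Return (state, keys_still_needed) derived from the parsed status."""
    initialized = fields.get("Initialized", "false") == "true"
    sealed = fields.get("Sealed", "true") == "true"
    if not initialized:
        return "uninitialized", 0   # `vault operator init` has not run on this storage
    if not sealed:
        return "unsealed", 0        # operator commands such as generate-root will work
    # "Unseal Progress 0/2": keys supplied so far / threshold
    done, need = (int(x) for x in fields["Unseal Progress"].split("/"))
    return "sealed", need - done


if __name__ == "__main__":
    state, remaining = triage(parse_status(SAMPLE_STATUS))
    print(state, remaining)
    if state == "sealed":
        # Matches the 503 "Vault is sealed" seen later in the thread: the storage
        # at /opt/vault/data was already initialised, so the matching unseal keys
        # are required before any root-token regeneration can be attempted.
        print(f"supply {remaining} more unseal key(s) from the original init")
```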

You can run hcdiag to see if it can detect any permission or filesystem issues.

The detail – /opt/vault/data should have 3 directories in it, all owned by the user that started Vault – most likely there is either an ownership or permission issue there.

  • I could find 3 directories inside /opt/vault/data

  • Changed the ownership and permissions.

  • Tried to regenerate the master token with the command below, but it throws an error.

$ vault operator generate-root -generate-otp

Error getting root generation status: Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/generate-root/attempt

Code: 503. Errors:

  • Vault is sealed

Your vault is sealed. You have to unseal it. Run that hcdiag tool.

Vault does not pre initialise.

I can think of two possibilities:

  • You are running Vault with some kind of custom wrapper that does this.

  • Or, you have started up Vault with a data directory from a previous experiment, that was initialised.

Thanks max for the reply

  • Not sure about the wrapper; I doubt that, as it was a clean install.

  • I made sure to delete the /opt/vault/data directory and any vault sub-folder before reinstalling.

  • This is a demo install on a prod server:

    did chown on the tsl directory to the vault user
    exported VAULT_ADDR

  • Why do I not see any certs being generated in the tsl folder on starting vault.service?

Not sure what I am missing.

Thanks Aram for the reply.

Will try this out and update.

That’s a typo for tls I assume?

Why would you expect to see certs being generated? Vault doesn’t automatically generate certificates and write them to disk.

There’s really no way to explain this other than:

  • You manually initialized Vault
  • Someone else manually initialized Vault
  • Some software, that is not the main Vault binary itself, initialized Vault