Vault Shamir Secret Sharing: Manual Unseal (2026)

Vault splits the master key that encrypts its storage using Shamir secret sharing, so the key can only be reconstructed once a quorum of shards is collected. This is what we call key sharding.

This article walks through N-of-M threshold design, manual vs. auto-unseal, and the difference between rekey and recovery keys, with command examples and operational guardrails. The summary is tuned for Associate / Ops level exam questions.

Shamir Secret Sharing Basics and Vault's Seal Behavior

Shamir secret sharing splits one secret into M shards in such a way that the secret can only be reconstructed when N or more shards are collected. Vault leverages this property: it never stores the master key directly and instead reconstructs it at unseal time from a threshold of shards.

When Vault starts up, it is sealed by default and the data in storage sits behind an encrypted barrier. Once enough unseal keys (shards) are supplied to meet the threshold, the master key is reconstructed and Vault unseals. With auto-unseal, an HSM or cloud KMS performs this decryption automatically, and what gets distributed via Shamir is the recovery key instead.

A typical N-of-M configuration is 3-of-5: distribute to 5 people, and any 3 of them can unseal.
An unseal key is not the secret itself — it is a shard used to reconstruct the secret.
With auto-unseal, unseal keys are not used in normal operation. Recovery keys are issued instead.

3-of-5 Shamir and the Vault seal/unseal flow

Example: Check the current seal status

vault status
# Key             Value
# Seal Type       shamir | awskms | gcpckms | hsm ...
# Sealed          true/false
# Unseal Progress 0/3  など

Key Sharding Design Considerations

Choose the shard count M and the threshold N to balance business continuity against internal controls. Too many shards increases distribution overhead and leak risk; too high a threshold risks not being able to unseal during an incident. M=5-7 with N=3 is a reasonable starting point.

Even with auto-unseal, define how recovery keys are stored in case of disaster recovery or lost root tokens. In practice, encrypt each shard individually with PGP and separate hot/cold lines and audit roles.

Distribute shards across roles (SRE, security, management, etc.) for separation of duties
Set the threshold N with availability in mind — account for vacations and on-call rotation
Diversify storage media (paper, HSM cards, password managers) and separate physical storage locations
If using PGP, pass keys via the -pgp-keys flag on vault operator init

Item	Unseal Key (Shamir)	Recovery Key (Shamir)	Auto-Unseal (KMS/HSM)
Primary use	Reconstruct master key during manual unseal	Recovery operations (generate-root, rekey, etc.)	Automatic unseal at startup
When generated	Generated when auto-unseal is not in use	Generated when auto-unseal is in use	Used whenever auto-unseal is enabled
Who is required	A threshold number of holders, supplied in person or via secure channel	A threshold number of holders (usually only in emergencies)	Whoever controls the external KMS/HSM, plus the Vault server itself
Benefits	Full control with no external dependencies	Improves recoverability if the KMS fails	Operational automation and short recovery time
Caveats	Human-dependent — recovery takes time	Not used day-to-day, so storage and procedures tend to get forgotten	Hinges on solid IAM and availability design for the KMS/HSM

Example: Initialization options aligned with your threshold design

vault operator init \
  -key-shares=5 \
  -key-threshold=3 \
  -pgp-keys="key1.asc,key2.asc,key3.asc,key4.asc,key5.asc"
# 出力される各シャードは対応するPGP公開鍵で個別暗号化される

Initialization and Unseal Procedures

During initialization, Vault builds the encrypted barrier in its backend and generates Shamir-split keys plus an initial root token. With auto-unseal, the output is recovery keys rather than unseal keys.

Unsealing requires entering keys repeatedly until the threshold is met. In a cluster, every node must be unsealed individually (auto-unseal excepted).

Initialize exactly once — never re-initialize storage that is already initialized
Hand over each shard offline and securely — avoid chat and email
Rotate the admin token promptly after the initial unseal completes

Example commands: Initialization and unseal

# 初期化（手動アンシール構成の例）
vault operator init -key-shares=5 -key-threshold=3 > init.out

# 出力からUnseal Key 1..5を安全に配布

# アンシール（しきい値分を順に入力）
vault operator unseal <Unseal_Key_1>
vault operator unseal <Unseal_Key_2>
vault operator unseal <Unseal_Key_3>

# 状態確認
vault status

# 自動アンシール構成時は初期化でRecovery Keyが出力される
# 通常運用ではunsealは不要（自動）。recovery操作時のみ鍵を使用

Rekey and Root Token Generation / Rotation

Use rekey whenever you need to change the shard recipients or threshold mid-operation. Rekey requires a threshold-meeting set of current keys and produces a brand-new set of shards. If you use PGP, supply new PGP keys to re-encrypt the output.

If the root token is lost, use generate-root. With auto-unseal, you must meet the recovery key threshold instead.

Run rekey inside a planned maintenance window
Be aware that raising the threshold lowers availability
Always distribute the new key set and collect / destroy the old one

Example commands: Rekey and root token generation

# アンシール鍵のリキー（手動アンシール構成）
vault operator rekey -init -key-shares=7 -key-threshold=4
# 出力されたNonceを保持し、しきい値分の現行鍵を順に入力して承認
vault operator rekey -nonce=<nonce> <Unseal_Key_1>
...

# 自動アンシール構成でのリカバリ鍵のリキー
vault operator rekey -target=recovery -init -key-shares=5 -key-threshold=3
vault operator rekey -target=recovery -nonce=<nonce> <Recovery_Key_1>
...

# ルートトークンの再生成（generate-root）
vault operator generate-root -init
# 出力されたOTP/Nonceを保持し、しきい値分の鍵を提供
vault operator generate-root -nonce=<nonce> <Key_Share_1>
...
# 完了すると新しいルートトークンが表示（またはOTPで復号）

Operational Guardrails and Exam-Prep Highlights

For Associate / Ops, it is enough to clearly distinguish Shamir N-of-M, unseal keys vs. recovery keys, the benefits and prerequisites of auto-unseal, and when to use rekey vs. generate-root.

In production, what makes or breaks key sharding is separation of duties, diversifying key media and storage locations, enabling auditing, and rehearsing disaster recovery.

Enable audit devices to track key operations and management API calls
Use response wrapping with a wrap TTL to protect key and token handoffs
Design IAM, availability, and DR for the KMS/HSM at the same level as Vault itself
In a cluster, verify per-node unseal requirements and auto-unseal behavior
Keep runbooks in an offline-accessible form and rehearse them at least once a year

Checklist example: Auditing and safe handoff

# 監査の有効化（ファイル例）
vault audit enable file file_path=/var/log/vault_audit.log

# レスポンスラッピング（一次シークレットの受け渡し）
VAULT_TOKEN=<admin> vault kv get -wrap-ttl=5m secret/bootstrap
# 受け取り側はwrapping_tokenのみを受領し、unwrap
vault unwrap <wrapping_token>

Check Your Understanding

Associate / Ops

問題 1

You operate Vault with manual unseal, initialized with -key-shares=5 and -key-threshold=3. You want to recover quickly after a planned restart. Which is the correct action?

Collect one unseal key from each of 3 holders and enter them one at a time with vault operator unseal
Collect keys from all 5 holders and feed them in bulk to vault operator rekey
Logging in with an admin token automatically completes the unseal
Collect 2 recovery keys and run vault operator generate-root

正解: A

Manual unseal only requires entering N unseal keys (3 in this case) one after another. Rekey regenerates keys and is not a required restart step. Logging in with an admin token does not unseal. Recovery keys are for emergency operations under auto-unseal.

Frequently Asked Questions

Is Shamir still used when auto-unseal is configured?

Yes. KMS/HSM handles the routine unseal, but Shamir-split Recovery keys are still generated for emergency recovery, generate-root, and rekey operations. You do not need to enter them during normal startup.

Can the threshold N be changed later?

Yes. Run vault operator rekey with new -key-shares and -key-threshold values. You must provide enough current keys to meet the existing threshold, after which the old key set is swapped out for the new one.

Does every node in a cluster need to be unsealed?

With manual unseal, yes — every node must be unsealed individually. With auto-unseal, an external KMS/HSM decrypts at node startup, so every node is unsealed automatically.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる

Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.

Shamir Secret Sharing and Key Sharding in HashiCorp Vault