Reputation:
Today we started playing around with HashiCorp Vault in the office, and with some good tutorials we can already manage the stored secrets. But there is a point I still don't understand: why do I have to unseal the storage first? As far as I understand it at the moment, HashiCorp Vault gives me two boxes: the first one I have to unseal with e.g. 2 of 3 keys before I can access the second one with a separate key, which is additionally protected by a policy.
Maybe there is a way or a scenario I didn't see, but at the moment I think I would unseal the outer box when I start the server, and it will be sealed when the server shuts down, so that the secrets are "only" protected by the application tokens and the policies.
I would be very thankful if someone here could give me a little explanation of the way in which the concept of sealing/unsealing gives me additional security. Best regards, Dan
Upvotes: 3
Views: 1257
Reputation: 1935
Quoting from the HashiCorp docs:
The data stored by Vault is stored encrypted. Vault needs the encryption key in order to decrypt the data. The encryption key is also stored with the data, but encrypted with another encryption key known as the master key. The master key isn't stored anywhere.
Therefore, to decrypt the data, Vault must decrypt the encryption key which requires the master key. Unsealing is the process of reconstructing this master key.
Instead of distributing this master key as a single key to an operator, Vault uses an algorithm known as Shamir's Secret Sharing to split the key into shards. A certain threshold of shards is required to reconstruct the master key.
This is the unseal process: the shards are added one at a time (in any order) until enough shards are present to reconstruct the key and decrypt the data.
Upvotes: 2
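The two-layer key structure the quoted docs describe (data encrypted with an encryption key, that key wrapped with a master key, the master key existing only as Shamir shards) is easy to lose in prose, so here is a runnable model of it. This is an added example written for this page, not HashiCorp's code. It assumes Shamir's Secret Sharing over GF(2^8) with the AES reduction polynomial 0x11b (Vault's own shamir package also works byte-wise over GF(2^8), but the implementation here is independent and simplified), and it stands in for the AES-GCM barrier with a toy XOR-with-SHA-256 wrap so that it runs offline with only the standard library. The function names `split`, `combine`, `wrap`, `unseal` and `init_vault` are this example's own; nothing here is fit for real secrets.

```python
# Added example, not HashiCorp's code. Models Vault's seal: data key wrapped
# by a master key that exists only as Shamir shards. Toy crypto, demo only.
import hashlib
import os


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (Fermat) in GF(2^8)."""
    if a == 0:
        raise ZeroDivisionError("no inverse for 0")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def _eval_poly(coeffs: bytes, x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split(secret: bytes, shares: int, threshold: int) -> list:
    """Split `secret` into `shares` shards; any `threshold` of them rebuild it.
    Each byte gets its own random polynomial of degree threshold-1 whose
    constant term is that byte; shard i is every polynomial evaluated at x=i."""
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    polys = [bytes([b]) + os.urandom(threshold - 1) for b in secret]
    return [(x, bytes(_eval_poly(p, x) for p in polys)) for x in range(1, shares + 1)]


def combine(shards: list) -> bytes:
    """Lagrange-interpolate each byte at x=0.
    Too few shards do not raise; they just yield garbage, so the caller
    must verify the result (see `unseal`)."""
    xs = [x for x, _ in shards]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shard index")
    out = bytearray()
    for i in range(len(shards[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shards):
            num = den = 1
            for m, (xm, _) in enumerate(shards):
                if m != j:
                    num = gf_mul(num, xm)       # (0 - x_m) == x_m in char 2
                    den = gf_mul(den, xj ^ xm)  # (x_j - x_m)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def wrap(master_key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the barrier's authenticated encryption (assumption,
    not Vault's AES-GCM): XOR a 32-byte value with SHA-256(master_key)."""
    stream = hashlib.sha256(master_key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def unseal(shards: list, wrapped_encryption_key: bytes, check: bytes):
    """Rebuild the master key from shards and unwrap the encryption key.
    `check` plays the role of the barrier's integrity check: with too few
    or wrong shards the result fails verification and the vault stays
    sealed (returns None) instead of decrypting to garbage."""
    master = combine(shards)
    key = wrap(master, wrapped_encryption_key)
    if hashlib.sha256(key).digest() != check:
        return None
    return key


def init_vault(shares: int = 5, threshold: int = 3) -> dict:
    """Model of `vault operator init -key-shares=5 -key-threshold=3`:
    the encryption key is stored only wrapped, the master key only as shards."""
    encryption_key = os.urandom(32)
    master_key = os.urandom(32)
    return {
        "shards": split(master_key, shares, threshold),
        "wrapped_key": wrap(master_key, encryption_key),
        "check": hashlib.sha256(encryption_key).digest(),
        "_encryption_key": encryption_key,  # retained only so the demo can compare
    }


if __name__ == "__main__":
    v = init_vault()
    assert unseal(v["shards"][:3], v["wrapped_key"], v["check"]) == v["_encryption_key"]
    assert unseal(v["shards"][:2], v["wrapped_key"], v["check"]) is None
    print("3 of 5 shards unseal the barrier; 2 of 5 do not")
```

The point the model makes concrete for the question above: on disk there is only the wrapped encryption key and the ciphertext, and the master key is never written anywhere, so a stolen storage backend or backup is useless without a threshold of shard holders cooperating. After a restart the real `vault operator unseal` must be run once per shard until the threshold is reached, which is exactly the window where the shards matter; once unsealed, access is governed by tokens and policies, as the question expects.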