What's Actually Happening

HashiCorp Vault cannot be unsealed: after the unseal keys are supplied it stays sealed, so secrets remain inaccessible.

The Error You'll See

```bash
$ vault operator unseal

Error unsealing: Error making API request.

URL: PUT https://vault:8200/v1/sys/unseal
Code: 400. Errors:

* 'key' is not a valid unseal key
```

Why This Happens

  1. Wrong unseal key (or a key from a different initialization)
  2. Storage backend unavailable
  3. Seal configuration mismatch (e.g. the config says auto-unseal but the data was initialized with Shamir keys)
  4. Insufficient key shares (fewer distinct keys than the threshold)
  5. Auto-unseal failure (KMS unreachable or permissions missing)
  6. Vault data corruption

Step 1: Check Vault Status

```bash
vault status
# There is no `vault operator seal-status` subcommand; the seal status
# endpoint is unauthenticated and can be queried directly:
curl -s "$VAULT_ADDR/v1/sys/seal-status"
```

Step 2: Check Storage Backend

```bash
# For Consul storage:
consul members
consul kv get -keys vault/

# For file storage:
ls -la /opt/vault/data/

# For S3:
aws s3 ls s3://my-vault-bucket/
```

Step 3: Check Vault Logs

```bash
journalctl -u vault -f
tail -f /var/log/vault.log
```

Step 4: Verify Unseal Keys

```bash
# Each key must come from the same `vault operator init` run
# Keys are accepted as base64 (the init output format) or hex
vault operator unseal <key>
# Check progress (Unseal Progress shows keys supplied so far / threshold):
vault status
```

Step 5: Check Key Threshold

```bash
# Field names differ between Vault versions ("Key Shares"/"Key Threshold"
# on old releases, "Total Shares"/"Threshold" on current ones)
vault status | grep -E 'Seal Type|Shares|Threshold|Unseal Progress'
# You must supply Threshold distinct keys; Unseal Progress shows how many so far
```
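The following pre-flight helper is an added example for Steps 4 and 5 and is not part of the original article. It parses `vault status` output (a constructed sample is embedded; both the current and the legacy field names are handled), checks that each candidate key is well-formed before it is sent to the API, drops duplicate shares, and reports whether enough distinct keys are on hand. The assumed key format (a Shamir share printed by `vault operator init` is 44 characters of base64 or 66 of hex) and the sample keys are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Assumption: unseal keys are 44-char base64 or 66-char hex Shamir shares.

# Constructed sample of `vault status` on a sealed node (current format).
SAMPLE_STATUS='Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       00000000-0000-4000-8000-000000000000
Storage Type       raft'

# Constructed sample in the legacy (colon-separated) format.
SAMPLE_STATUS_LEGACY='Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0'

# Constructed sample keys (not real shares): 11 repetitions of a 4-char group.
KEY_A='abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd'
KEY_B='wxyzwxyzwxyzwxyzwxyzwxyzwxyzwxyzwxyzwxyzwxyz'
KEY_C='01230123012301230123012301230123012301230123'

# Read status text on stdin; print how many more shares the node needs
# (Threshold minus Unseal Progress). Exits 1 if no threshold is found.
unseal_remaining() {
  awk '
    $1 == "Threshold" || ($1 == "Key" && $2 ~ /^Threshold/) { t = $NF + 0 }
    /^Unseal Progress/ { p = $NF; sub(/\/.*/, "", p); p = p + 0 }
    END {
      if (t == 0) { print "unknown"; exit 1 }
      r = t - p; if (r < 0) r = 0
      print r
    }'
}

# Return 0 if the key looks like a Vault share. Stray whitespace from
# copy/paste is stripped first, since it is the usual cause of
# "'\''key'\'' is not a valid unseal key".
valid_unseal_key() {
  key=$(printf '%s' "$1" | tr -d '[:space:]')
  printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{44}$|^[0-9a-fA-F]{66}$'
}

# Given status text and candidate keys, print "ok" when enough distinct,
# well-formed keys are available and "short" otherwise. Submitting the
# same share twice does not advance the unseal progress, so duplicates
# are counted once.
unseal_plan() {
  status_text=$1; shift
  need=$(printf '%s\n' "$status_text" | unseal_remaining) || return 2
  have=0
  seen=""
  for k in "$@"; do
    k=$(printf '%s' "$k" | tr -d '[:space:]')
    valid_unseal_key "$k" || { echo "skipping malformed key" >&2; continue; }
    case " $seen " in *" $k "*) continue ;; esac
    seen="$seen $k"
    have=$((have + 1))
  done
  if [ "$have" -ge "$need" ]; then echo ok; else echo short; fi
}

# Usage against a live node would be:
#   unseal_plan "$(vault status)" "$KEY_1" "$KEY_2" "$KEY_3"
```

Run the plan before touching the API: with the sample above (threshold 3, one share already accepted) two distinct valid keys give `ok`, while the same key pasted twice gives `short`, which is exactly the situation that otherwise looks like a mysterious stall at `Unseal Progress 2/3`.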

Step 6: Check Auto-unseal Config

```hcl
# In the Vault config (e.g. /etc/vault/config.hcl):
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "key-id"
}
```

Step 7: Reinitialize (Data Loss!)

```bash
# WARNING: All data will be lost!
rm -rf /opt/vault/data/*
vault operator init
vault operator unseal
```

Step 8: Check Network

```bash
curl https://vault:8200/v1/sys/health
nc -zv vault 8200
```
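The health endpoint encodes the node state in its HTTP status code, which is what makes it useful here: it separates "cannot reach Vault at all" from "Vault answers but is sealed". The helper below is an added example, not part of the original article; it assumes Vault's default health status codes (200 active, 429 standby, 472 DR secondary, 473 performance standby, 501 not initialized, 503 sealed) and that `VAULT_ADDR` or the first argument names the node.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Assumes Vault's default /v1/sys/health status codes.

# Turn a health status code into a diagnosis. Kept as a pure function so
# it can be exercised without a running Vault.
health_diagnosis() {
  case "$1" in
    200)    echo "initialized, unsealed, active" ;;
    429)    echo "unsealed, standby node" ;;
    472)    echo "disaster-recovery secondary" ;;
    473)    echo "performance standby" ;;
    501)    echo "not initialized: run vault operator init" ;;
    503)    echo "sealed: supply unseal keys or check auto-unseal" ;;
    000|"") echo "no HTTP response: check network, TLS and the listener" ;;
    *)      echo "unexpected status $1" ;;
  esac
}

# Query the node and print the diagnosis. -w captures only the status
# code; TLS verification is left on because a certificate failure is
# itself a finding worth seeing rather than hiding with -k.
vault_health() {
  addr=${1:-${VAULT_ADDR:-https://127.0.0.1:8200}}
  code=$(curl -s -o /dev/null --connect-timeout 5 -w '%{http_code}' \
         "$addr/v1/sys/health" 2>/dev/null || true)
  health_diagnosis "$code"
}

# Usage: vault_health https://vault:8200
```

A `503` here means the network, TLS and listener are all fine and the remaining steps should focus on keys and seal configuration; a `000` means the unseal error itself is a red herring and connectivity comes first.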

Step 9: Debug Seal

```bash
# Do not use -dev here: dev mode uses in-memory storage and auto-unseals,
# so it cannot reproduce a seal problem with the real backend.
vault server -config=/etc/vault/config.hcl -log-level=debug
VAULT_LOG_LEVEL=debug vault server -config=/etc/vault/config.hcl
```

Step 10: Verify Unsealed

```bash
vault status
# Sealed: false
vault login <root-token>
vault secrets list
```

  • [Fix Vault Token Renewal Failed](/articles/fix-vault-token-renewal-failed)
  • [Fix Vault Seal Failed No Key](/articles/fix-vault-unseal-failed-no-key)