Vault
/sys/unseal
Restricted endpoint
The API path can only be called from the root namespace.The /sys/unseal
endpoint is used to unseal the Vault.
Submit unseal key
This endpoint is used to enter a single root key share to progress the unsealing of the Vault. If the threshold number of root key shares is reached, Vault will attempt to unseal the Vault. Otherwise, this API must be called multiple times until that threshold is met.
Either the key
or reset
parameter must be provided; if both are provided,
reset
takes precedence.
Method | Path |
---|---|
POST | /sys/unseal |
Parameters
key
(string: "")
– Specifies a single root key share. This is required unlessreset
is true.reset
(bool: false)
– Specifies if previously-provided unseal keys are discarded and the unseal process is reset.migrate
(bool: false)
- Used to migrate the seal from shamir to autoseal or autoseal to shamir. Must be provided on all unseal key calls.
Sample payload
{
"key": "abcd1234..."
}
Sample request
$ curl \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/unseal
Sample response
The "t" parameter is the threshold, and "n" is the number of shares.
{
"sealed": true,
"t": 3,
"n": 5,
"progress": 2,
"version": "0.6.2"
}
Sample response when Vault is unsealed.
{
"sealed": false,
"t": 3,
"n": 5,
"progress": 0,
"version": "0.6.2",
"cluster_name": "vault-cluster-d6ec3c7f",
"cluster_id": "3e8b3fec-3749-e056-ba41-b62a63b997e8"
}