Need help with vault-unsealer?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

127 Stars 31 Forks Apache License 2.0 85 Commits 16 Opened issues


Vault Unseal automation

Services available


Need anything else?

Contributors list


This project aims to make it easier to automate the secure unsealing of a Vault server.


This is a CLI tool to help automate the setup and management of
Hashicorp Vault.

It will continuously attempt to unseal the target Vault instance, by retrieving unseal keys from a Google Cloud KMS keyring.

Usage: vault-unsealer [command]

Available Commands: help Help about any command init Initialise the target Vault instance unseal A brief description of your command

Flags: --aws-kms-key-id string The ID or ARN of the AWS KMS key to encrypt values --aws-ssm-key-prefix string The Key Prefix for SSM Parameter store --google-cloud-kms-crypto-key string The name of the Google Cloud KMS crypt key to use --google-cloud-kms-key-ring string The name of the Google Cloud KMS key ring to use --google-cloud-kms-location string The Google Cloud KMS location to use (eg. 'global', 'europe-west1') --google-cloud-kms-project string The Google Cloud KMS project to use --google-cloud-storage-bucket string The name of the Google Cloud Storage bucket to store values in --google-cloud-storage-prefix string The prefix to use for values store in Google Cloud Storage -h, --help help for vault-unsealer --mode string Select the mode to use 'google-cloud-kms-gcs' => Google Cloud Storage with encryption using Google KMS; 'aws-kms-ssm' => AWS SSM parameter store using AWS KMS encryption (default "google-cloud-kms-gcs") --secret-shares int Total count of secret shares that exist (default 1) --secret-threshold int Minimum required secret shares to unseal (default 1)

Use "vault-unsealer [command] --help" for more information about a command.

How to setup vault-unsealer via AWS KMS and SSM

Instruction on existing and new vaults for unsealing vault using KMS and SSM

Build from source

go get
make -C $(go env GOPATH)/src/ build

Build a Docker image

docker build -t vault-unsealer: .

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.