Vault reads its TLS private key from the server's filesystem, and requires it to be in plaintext unless a human is present to supply a passphrase.
That's not ideal when auto-unseal is enabled, since it means a human still has to be present to spin up a new Vault instance even though there's no longer an unseal key.
Auto-unseal environments need an external service that supports encrypting and decrypting data. That could be used to decrypt the private key, such that the key doesn't need to be stored in plaintext on the server filesystem but Vault can still start up with TLS enabled without human intervention.
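A sketch of the startup path this request describes, as an added Go example that is not part of the original issue and is not Vault's code. The names `loadWrappedKeyPair`, `unwrap` and `demoInput` are hypothetical, and a local AES-256-GCM key stands in for the external encrypt/decrypt service so the example runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// loadWrappedKeyPair decrypts the TLS key in memory only and pairs it with the cert.
// unwrap is a hypothetical stand-in for the auto-unseal service's decrypt operation.
func loadWrappedKeyPair(certPEM, wrapped []byte, unwrap func([]byte) ([]byte, error)) (tls.Certificate, error) {
	keyPEM, err := unwrap(wrapped)
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("unwrap TLS key: %w", err)
	}
	return tls.X509KeyPair(certPEM, keyPEM)
}

// demoInput builds constructed sample data (setup errors dropped for brevity): a throwaway
// self-signed cert whose key PEM is wrapped under a local AES-256-GCM stand-in key.
func demoInput() (certPEM, wrapped []byte, unwrap func([]byte) ([]byte, error)) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	certDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	kek, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(kek)
	rand.Read(nonce)
	block, _ := aes.NewCipher(kek)
	aead, _ := cipher.NewGCM(block)
	// The stand-in service keeps the nonce itself; only ciphertext would sit on disk.
	unwrap = func(w []byte) ([]byte, error) { return aead.Open(nil, nonce, w, nil) }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}), aead.Seal(nil, nonce, keyPEM, nil), unwrap
}

func main() {
	certPEM, wrapped, unwrap := demoInput()
	cert, err := loadWrappedKeyPair(certPEM, wrapped, unwrap)
	fmt.Println("key loaded:", cert.PrivateKey != nil, "error:", err)
}
```

Because the wrapping is authenticated, a modified key file fails at `unwrap` and the listener never starts with a substituted key.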