Skip to main content
Vault initialization is a one-time operation that prepares your storage backend to securely store and manage secrets. During this step, Vault generates encryption keys, shards them, and issues an initial root token. Initialization must be performed exactly once per Vault cluster—never re-initialize after a restore or node failure.

What Happens During Initialization

When you run: 
$ vault operator init <options>
Vault will:
  1. Generate a master key that encrypts the data-encryption key.
  2. Create a data-encryption key for all subsequent operations.
  3. Split the master key into key shares (using Shamir’s Secret Sharing) or generate recovery keys if an auto-unseal mechanism is enabled.
  4. Issue the initial root token for first-time authentication.
Initialization writes to your storage backend only once. If your cluster is lost or restored from backup, you skip initialization and go straight to unsealing.

Key Shares, Thresholds, and Recovery Keys

By default:
  • Key shares: 5
  • Threshold: 3 (number of shares needed to unseal)
Customize these values: 
$ vault operator init \
    -key-shares=10 \
    -key-threshold=6
If you use a cloud KMS or HSM for auto-unseal, Vault generates recovery keys instead of traditional unseal keys. These recovery keys are only needed for manual recovery or re-sealing.

Encrypting Unseal Keys and Root Token

Protect your unseal/recovery keys and root token with PGP encryption. Supply one or more public keys during initialization: 
$ vault operator init \
    -pgp-keys="alice_pubkey.pem" \
    -pgp-keys="bob_pubkey.pem"
Each key share (and the root token, optionally) is encrypted to the corresponding PGP public key. Only private key holders can decrypt them.

Initialization Methods

Vault supports three initialization interfaces:
MethodUse CaseExample
CLIStand up a new cluster or quick manual setupvault operator init
APIAutomation workflows, CI/CD pipelinesHTTP PUT /v1/sys/init
UIInteractive setup via Vault Web UINavigate to System → Initialization

CLI Examples

Default initialization: 
$ vault operator init
Custom shares, threshold, and PGP encryption: 
$ vault operator init \
    -key-shares=7 \
    -key-threshold=4 \
    -pgp-keys="team1_pub.pem" \
    -pgp-keys="team2_pub.pem"

Post-Initialization Steps

  1. Auto-Unseal
    Vault contacts the configured KMS/HSM and unseals automatically.
  2. Manual Unseal
    Supply unseal key shares on a single Vault node: 
    $ vault operator unseal <key-share-1>
$ vault operator unseal <key-share-2>
$ vault operator unseal <key-share-3>
  3. Authenticate
    Log in with the initial root token: 
    $ vault login <initial-root-token>
Once unsealed and authenticated, you can configure policies, enable secrets engines, and onboard applications.

Watch Video