
Vault — How It Works

Seal/unseal mechanics, encryption barrier, auth flow, and dynamic secret generation.

Seal / Unseal Process

sequenceDiagram
    participant Admin as Admin (unseal keys)
    participant Vault as Vault Server
    participant Barrier as Encryption Barrier
    participant Storage as Storage Backend (Raft)

    Note over Vault: Server starts SEALED: root key not in memory, barrier cannot be read
    Admin->>Vault: Unseal key 1/3
    Admin->>Vault: Unseal key 2/3
    Admin->>Vault: Unseal key 3/3
    Note over Admin,Vault: Threshold of 3 (e.g. 3 of 5 shares); any 3 distinct shares work, order does not matter
    Vault->>Vault: Reconstruct root key (a.k.a. master key) via Shamir's Secret Sharing
    Vault->>Barrier: Decrypt barrier encryption key (keyring) with root key
    Barrier->>Storage: Can now read/write encrypted data
    Note over Vault: Server is UNSEALED ✅ (root key is held in memory only, never persisted)
    Note over Vault,Storage: With auto-unseal (cloud KMS / HSM) the KMS decrypts the root key instead; Shamir shares then act as recovery keys
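To make the unseal step concrete, here is an added example (not Vault's own code) of Shamir's Secret Sharing in GF(2^8), the kind of arithmetic Vault's shamir package also uses. It splits a stand-in root key into 5 shares with a threshold of 3, and a small `Seal` class models a sealed server that accepts unseal keys one at a time and only rebuilds the key once the threshold is met. The share layout (y-values followed by an x-coordinate byte) and the `Seal` class are illustrative assumptions, not Vault's API.

```python
"""Shamir's Secret Sharing over GF(2^8), illustrating Vault's unseal keys.
Example code, not Vault's implementation."""
import secrets

GF_POLY = 0x1B  # low byte of the AES/Rijndael polynomial 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements (shift-and-add with reduction)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= GF_POLY
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Inverse via a^254 (Fermat: a^(2^8-1) = 1). Zero has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def _eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at x."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split(secret: bytes, shares: int, threshold: int) -> list:
    """Split `secret`; any `threshold` shares rebuild it, fewer reveal nothing.
    Share layout (assumed here): len(secret) y-bytes, then the x-coordinate."""
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    out = [bytearray() for _ in range(shares)]
    for s in secret:
        # Random polynomial of degree threshold-1 whose constant term is the secret byte.
        coeffs = [s] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for i in range(shares):
            out[i].append(_eval_poly(coeffs, i + 1))  # x = 0 is never used
    for i in range(shares):
        out[i].append(i + 1)
    return [bytes(b) for b in out]


def combine(shares: list, threshold: int) -> bytes:
    """Lagrange-interpolate at x=0. Refuses below the threshold."""
    if len(shares) < threshold:
        raise ValueError(f"have {len(shares)} shares, need {threshold}")
    parts = shares[:threshold]
    xs = [p[-1] for p in parts]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("shares must have distinct non-zero x-coordinates")
    if len({len(p) for p in parts}) != 1:
        raise ValueError("shares have mismatched lengths")
    secret = bytearray()
    for pos in range(len(parts[0]) - 1):
        acc = 0
        for i, xi in enumerate(xs):
            # Basis polynomial at 0: prod_{j!=i} xj / (xi - xj); in char 2, minus is XOR.
            num, den = 1, 1
            for j, xj in enumerate(xs):
                if j != i:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xi ^ xj)
            acc ^= gf_mul(parts[i][pos], gf_mul(num, gf_inv(den)))
        secret.append(acc)
    return bytes(secret)


class Seal:
    """Models a sealed server: collects unseal keys, rebuilds the root key at threshold."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.pending = {}  # keyed by x-coordinate, so resubmitting a key is a no-op

    def unseal(self, share: bytes):
        """Returns (root_key_or_None, progress). Progress clears once unsealed."""
        self.pending[share[-1]] = share
        if len(self.pending) < self.threshold:
            return None, len(self.pending)
        root = combine(list(self.pending.values()), self.threshold)
        self.pending.clear()
        return root, self.threshold


if __name__ == "__main__":
    root_key = secrets.token_bytes(32)  # constructed stand-in for the root key
    keys = split(root_key, shares=5, threshold=3)
    seal = Seal(threshold=3)
    for k in (keys[4], keys[4], keys[1], keys[2]):  # duplicate submit does not count
        rebuilt, progress = seal.unseal(k)
        print(f"progress {progress}/3, unsealed={rebuilt is not None}")
    assert rebuilt == root_key
```

Each byte of the secret is shared independently with its own random polynomial, which is why a single share leaks nothing about any byte: with fewer than `threshold` points every constant term is equally likely.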

Authentication & Token Flow

sequenceDiagram
    participant App as Application
    participant Auth as Auth Method (K8s/OIDC/AppRole)
    participant Vault_H as Vault Core
    participant SE as Secret Engine
    participant Cloud_V as Cloud API (AWS/GCP)

    App->>Auth: Authenticate (SA token / OIDC / role_id + secret_id)
    Auth->>Vault_H: Validate identity against the configured role
    Vault_H->>Vault_H: Map role / entity to policies
    Vault_H-->>App: Vault token (TTL, policies, accessor)
    App->>Vault_H: Read secret, e.g. aws/creds/my-role (with token)
    Vault_H->>Vault_H: ACL check: token policies must grant read on that path
    Vault_H->>SE: Generate dynamic credential
    SE->>Cloud_V: Create short-lived IAM user / database user
    Cloud_V-->>SE: Credentials
    SE-->>App: Dynamic credentials + lease_id (TTL e.g. 1h, renewable up to max_ttl)
    Note over SE: Lease is bound to the token; Vault revokes it when the TTL expires, on explicit revoke, or when the token is revoked

Secret Lease Lifecycle

stateDiagram-v2
    [*] --> Active: Generate credential (lease_id, TTL, max_ttl)
    Active --> Active: Renew (extend TTL, capped at max_ttl)
    Active --> Revoked: TTL expires (max_ttl is the hard ceiling)
    Active --> Revoked: Manual revoke (lease or parent token)
    Revoked --> [*]: Credential deleted from target system
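The issue / renew / revoke cycle from the authentication flow and the state diagram above, as an added example that is not Vault's code: a minimal expiration manager issues a credential against a stand-in cloud API, caps renewals at `max_ttl`, sweeps expired leases, and honours both manual revocation and parent-token revocation. `FakeIAM`, `LeaseManager`, the `aws/creds/...` lease-id shape and the second-based clock are assumptions for the example; the real expiration manager runs timers rather than a `tick()` call.

```python
"""Lease lifecycle for dynamic credentials, modelled on Vault's behaviour.
Example code, not Vault's own; the target system is an in-memory dict."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class FakeIAM:
    """Constructed stand-in for the cloud / database API a secret engine calls."""

    def __init__(self):
        self.users: Dict[str, str] = {}

    def create_user(self, name: str) -> dict:
        self.users[name] = f"secret-for-{name}"
        return {"access_key": name, "secret_key": self.users[name]}

    def delete_user(self, name: str) -> None:
        self.users.pop(name, None)


@dataclass
class Lease:
    lease_id: str
    token: str            # accessor of the token that obtained the credential
    issued_at: int
    expires_at: int
    max_expires_at: int   # issued_at + max_ttl: renewals can never pass this
    revoke_fn: Callable[[], None]
    state: str = "active"


class LeaseManager:
    def __init__(self, iam: FakeIAM):
        self.iam = iam
        self.leases: Dict[str, Lease] = {}
        self._seq = 0

    def issue(self, role: str, token: str, now: int, ttl: int, max_ttl: int) -> Tuple[str, dict]:
        """Secret-engine step: create the credential at the target, attach a lease."""
        self._seq += 1
        name = f"vault-{role}-{self._seq}"
        creds = self.iam.create_user(name)
        lease_id = f"aws/creds/{role}/{self._seq}"
        self.leases[lease_id] = Lease(
            lease_id, token, now, now + min(ttl, max_ttl), now + max_ttl,
            revoke_fn=lambda: self.iam.delete_user(name))
        return lease_id, creds

    def renew(self, lease_id: str, now: int, increment: int) -> int:
        """Extend the TTL by `increment` seconds, capped at max_ttl; returns remaining TTL."""
        lease = self._active(lease_id, now)
        lease.expires_at = min(now + increment, lease.max_expires_at)
        return lease.expires_at - now

    def revoke(self, lease_id: str) -> None:
        """Manual revoke: delete the credential at the target, mark the lease revoked."""
        lease = self.leases[lease_id]
        if lease.state == "active":
            lease.revoke_fn()
            lease.state = "revoked"

    def revoke_token(self, token: str) -> List[str]:
        """Revoking a token revokes every lease that token obtained."""
        ids = [l.lease_id for l in self.leases.values()
               if l.token == token and l.state == "active"]
        for lid in ids:
            self.revoke(lid)
        return ids

    def tick(self, now: int) -> List[str]:
        """Expiration sweep: revoke every active lease whose TTL has elapsed."""
        expired = [l.lease_id for l in self.leases.values()
                   if l.state == "active" and l.expires_at <= now]
        for lid in expired:
            self.revoke(lid)
        return expired

    def _active(self, lease_id: str, now: int) -> Lease:
        lease = self.leases[lease_id]
        if lease.state != "active" or lease.expires_at <= now:
            raise LookupError(f"lease {lease_id} is not active")
        return lease


if __name__ == "__main__":
    iam, mgr = FakeIAM(), LeaseManager(FakeIAM())
    mgr = LeaseManager(iam)
    lid, creds = mgr.issue("deploy", token="tok-1", now=0, ttl=3600, max_ttl=7200)
    print("remaining after renew at t=3000:", mgr.renew(lid, now=3000, increment=3600))
    print("remaining after renew at t=6000 (capped):", mgr.renew(lid, now=6000, increment=3600))
    print("swept at t=7200:", mgr.tick(7200), "user still exists:", creds["access_key"] in iam.users)
```

The capped second renewal is the point most often missed in practice: a client that renews on a schedule will see the returned TTL shrink as it approaches `max_ttl`, and must request a fresh credential rather than keep renewing.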

Sources