Skip to main content

/sys/unseal

The /sys/unseal endpoint is used to unseal the OpenBao.

Submit unseal key

This endpoint is used to enter a single root key share to progress the unsealing of the OpenBao. If the threshold number of root key shares is reached, OpenBao will attempt to unseal the OpenBao. Otherwise, this API must be called multiple times until that threshold is met.

Either the key or reset parameter must be provided; if both are provided, reset takes precedence.

MethodPath
POST/sys/unseal

Parameters

  • key (string: "") – Specifies a single root key share. This is required unless reset is true.

  • reset (bool: false) – Specifies if previously-provided unseal keys are discarded and the unseal process is reset.

  • migrate (bool: false) - Available in 1.0 - Used to migrate the seal from shamir to autoseal or autoseal to shamir. Must be provided on all unseal key calls.

Sample payload

{
"key": "abcd1234..."
}

Sample request

$ curl \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/unseal

Sample response

The "t" parameter is the threshold, and "n" is the number of shares.

{
"sealed": true,
"t": 3,
"n": 5,
"progress": 2,
"version": "0.6.2"
}

Sample response when OpenBao is unsealed.

{
"sealed": false,
"t": 3,
"n": 5,
"progress": 0,
"version": "0.6.2",
"cluster_name": "openbao-cluster-d6ec3c7f",
"cluster_id": "3e8b3fec-3749-e056-ba41-b62a63b997e8"
}