Exam Vault Associate 002
Question 93

When enabling auto-unseal, how do you specify the seal type? (Choose two.)

    Correct Answer: A, C

    The seal type can be specified either by setting the VAULT_SEAL_TYPE environment variable or by adding a seal block to the server configuration file. The environment variable names the type of auto-unseal to use; the seal block names the seal type and holds its configuration.
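
The check below is an added example, not part of the original page or of Vault's own tooling: it reports whether a server's seal type comes from a seal block in the configuration file, from VAULT_SEAL_TYPE, or from both, and verifies that the AWS KMS key ID is present when awskms is selected through the environment. The function names and the sample configuration are constructed, and the parser assumes the block opens on a single line of the form `seal "<type>" {`.

```shell
#!/bin/sh
# Added example: report how a Vault server's seal type is specified.
# Function names and the sample config are constructed for illustration.

# Write a constructed sample server config to a temp file and print its path.
write_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
storage "raft" {
  path = "/vault/data"
}
# seal "transit" { }   commented out, must be ignored
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "alias/constructed-example"
}
EOF
    echo "$f"
}

# Print the type named by the first uncommented seal "<type>" line, if any.
seal_from_config() {
    sed -n 's/^[[:space:]]*seal[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print where the seal type comes from: "config:<type>", "env:<type>", both,
# or "none" (no auto-unseal configured, so Vault uses Shamir unseal keys).
describe_seal() {
    out=""
    cfg_type=$(seal_from_config "$1")
    if [ -n "$cfg_type" ]; then out="config:$cfg_type"; fi
    if [ -n "${VAULT_SEAL_TYPE:-}" ]; then
        out="${out:+$out }env:$VAULT_SEAL_TYPE"
    fi
    echo "${out:-none}"
}

# When awskms is selected through the environment, the key ID must be there too.
check_awskms_env() {
    if [ "${VAULT_SEAL_TYPE:-}" = "awskms" ] && [ -z "${VAULT_AWSKMS_SEAL_KEY_ID:-}" ]; then
        echo "VAULT_SEAL_TYPE=awskms but VAULT_AWSKMS_SEAL_KEY_ID is unset" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed config
cfg=$(write_sample_config); describe_seal "$cfg"; rm -f "$cfg"
```

A result that lists both `config:` and `env:` means the type is set in two places and the two values should be reconciled before the next restart.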

Discussion
daz_rekka
Options: CE

https://developer.hashicorp.com/vault/docs/concepts/seal#auto-unseal & https://developer.hashicorp.com/vault/docs/commands/operator/init

gvyecvlc
Options: AD

AD
The presence of a seal "awskms" block in Vault's configuration file
The presence of the environment variable VAULT_SEAL_TYPE set to awskms. If enabling via environment variable, all other required values specific to AWS KMS (i.e. VAULT_AWSKMS_SEAL_KEY_ID) must also be supplied, as well as all other AWS-related environment variables that lend to successful authentication (i.e. AWS_ACCESS_KEY_ID, etc.).

nginx_aws

Are these questions still valid?

Mark1000
Options: AC

CE
https://developer.hashicorp.com/vault/docs/commands/operator/init
This section explains it in detail:

Migration from shamir to auto unseal
To migrate from Shamir keys to Auto Unseal, take your server cluster offline and update the seal configuration with the appropriate seal configuration. Bring your server back up and leave the rest of the nodes offline if using multi-server mode, then run the unseal process with the -migrate flag and bring the rest of the cluster online. All unseal commands must specify the -migrate flag. Once the required threshold of unseal keys are entered, unseal keys will be migrated to recovery keys.

$ vault operator unseal -migrate