I almost never heard anything negative about vault until I did a presentation on all the troubles I had with it. Here are the slides about the issues I had:
At the end of the day, Vault gives you secret keys to manage which makes automating the unsealing process not fun if you want full automation.
Talking with Armon from Hashicorp, they planned to work on some much-improved docs around vault, which should help with a lot of the issues of making vault usable, because quite frankly they are very challenging to understand right now.
I unseal using ansible (with the unseal keys in ansible-vault) and automate the configuration fully through ansible. For example, you can use the ansible expect module:
- name: unseal 1
  expect:
    command: '/usr/bin/vault unseal'
    responses:
      'Key \(will be hidden\): ': "{{vault_seal_key_1}}"
    echo: yes
  when: vault_sealed_result.rc == 2 and vault_seal_key_1 is defined
  tags:
    unseal
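As an added example (not the commenter's own playbook), here is a fuller version of the same approach that also shows the `vault status` check the snippet's `vault_sealed_result` relies on, loops over all key shares, and keeps the shares out of Ansible's output. It assumes a list variable `vault_unseal_keys` loaded from an ansible-vault encrypted vars file and the older `vault unseal` CLI used above.

```yaml
# Added example, not the commenter's code. Assumes a list variable
# vault_unseal_keys loaded from an ansible-vault encrypted vars file,
# and the older `vault unseal` CLI used in the snippet above.
- name: Check whether Vault is sealed
  command: /usr/bin/vault status
  register: vault_sealed_result
  # vault status exits 0 when unsealed and 2 when sealed; anything else is a real error
  failed_when: vault_sealed_result.rc not in [0, 2]
  changed_when: false
  tags: unseal

- name: Submit unseal key shares until the threshold is reached
  expect:
    command: /usr/bin/vault unseal
    responses:
      'Key \(will be hidden\): ': "{{ item }}"
    echo: false          # do not echo the key share into the task output
  loop: "{{ vault_unseal_keys }}"
  no_log: true           # keep key shares out of Ansible logs and callback plugins
  when: vault_sealed_result.rc == 2
  tags: unseal

- name: Verify Vault is now unsealed
  command: /usr/bin/vault status
  register: vault_final_status
  failed_when: vault_final_status.rc != 0
  changed_when: false
  tags: unseal
```

The first task makes the play idempotent (an already-unsealed node skips the expect step), and `no_log` matters because the expect module would otherwise record the supplied responses in verbose output.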
I'm interested in your solution, you are using ansible-vault to store the Hashicorp Vault unseal key(s)? Isn't this just pushing the problem out another level or am I missing something? Thanks.
I read this presentation a little while ago and I felt it was slightly disingenuous. Many of the "problems" are process related and have nothing to do with vault itself. Then your approach is using ParameterStore which provides a UI and is built on the AWS ecosystem proper which I guess works if you are sticking to only AWS. I guess it comes down to how you view "secrets" but I'd rather that be spelled out than suggesting hard to automate and not easy to work with.
aws-vault and chamber both look fantastic. When was the talk given? Has the situation improved since? Would you still recommend both those tools over Hashicorp Vault?
https://docs.google.com/presentation/d/1ipP2eB9pW5j3WDvzCGz9...