The statement is false. The Vault encryption key is not stored in Vault’s backend storage, but rather in
Vault’s memory. The Vault encryption key is the key that is used to encrypt and decrypt the data that
is stored in Vault’s backend storage, such as secrets, tokens, policies, etc. The Vault encryption key is
derived from the master key, which is generated when Vault is initialized. The master key is split into
unseal keys using Shamir’s secret sharing algorithm, and the unseal keys are distributed to trusted
operators. To start Vault, a quorum of unseal keys is required to reconstruct the master key and
derive the encryption key. The encryption key is then kept in memory and used to protect the data in
Vault’s backend storage. The encryption key is never written to disk or exposed via the
API. Reference: Seal/Unseal | Vault | HashiCorp Developer, Key Rotation | Vault | HashiCorp
Developer
