# Runbook 03 — Vault Initialization

**STATUS: PLACEHOLDER** — drafted during deploy phase.

## Purpose

Initialize the Vault instance(s), unseal, authorize, and let certificate
relations resolve so dependent charms reach `active/idle`.

## Prerequisites

- Bundle deployed; Vault charm in `blocked` waiting for init
- etcd cluster in `active/idle` (Vault HA backend per D-006)
- easyrsa active (TLS bootstrap)

## TODO

- [ ] `juju run vault/leader generate-root-ca` — capture root CA cert
- [ ] `vault operator init -key-shares=5 -key-threshold=3` — capture keys
- [ ] Unseal with 3 of 5 keys
- [ ] `juju run vault/leader authorize-charm token=<root-token>`
- [ ] Verify all `:certificates` relations complete (no charms stuck
      waiting on certs)
- [ ] Store unseal keys in `~/.vault-keys/` (chmod 600); back up