Default option for unsealing – no configuration needed
• No single person should have access to all key shards
• Ideally, each key shard should be stored by a different employee
• When initializing Vault, you can request the individual shards to be encrypted
with different PGP keys
• When unsealing Vault, you will need an equal number of employees to provide
their key which is equal to the threshold
• Key shards should not be stored online and should be highly protected – ideally
stored encrypted