The statement is false. The Vault encryption key is not stored in Vault’s backend storage, but rather in Vault’s memory. The Vault encryption key is the key that is used to encrypt and decrypt the data that is stored in Vault’s backend storage, such as secrets, tokens, policies, etc. The Vault encryption key is derived from the master key, which is generated when Vault is initialized. The master key is split into unseal keys using Shamir’s secret sharing algorithm, and the unseal keys are distributed to trusted operators. To start Vault, a quorum of unseal keys is required to reconstruct the master key and derive the encryption key. The encryption key is then kept in memory and used to protect the data in Vault’s backend storage. The encryption key is never written to disk or exposed via the API. References: Seal/Unseal | Vault | HashiCorp Developer, Key Rotation | Vault | HashiCorp Developer