On first visit, you can generate the keys for the vault by specifying the number of shares and the threshold. The idea is that a master key is generated and split into the number of shares. To unlock the vault, you must provide atleast threshold count of the parts. See this blog for a full explanation on how Vault uses Shamir’s secret sharing algorithm.
Vault stores all the secrets in memory. It uses the mlock capability of the kernel to prevent swapping. When the app restarts or the server restarts, it must be unsealed using the keys that were generated during setup. This is by Vault design.
After the Vault is unsealed, you can run the following command to enable Cloudron authentication.
The root token is part of the keys generated during setup.