diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
index bb2ad99..6c93a10 100644
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -160,3 +160,7 @@ vault_base_secrets:
 vault_extra_secrets: {}
 vault_host_secrets: {}
 vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}"
+
+# If set, vault will be auto-unsealed on start. This is not recommanded for obvious security reasons
+# but might be conveniant on test systems
+vault_unseal_keys: []
diff --git a/roles/vault/tasks/directories.yml b/roles/vault/tasks/directories.yml
index 854ab3a..108660c 100644
--- a/roles/vault/tasks/directories.yml
+++ b/roles/vault/tasks/directories.yml
@@ -7,6 +7,7 @@
 owner: root
 group: root
 mode: 755
+ - dir: /bin
 - dir: backup
 owner: root
 group: root
diff --git a/roles/vault/tasks/install.yml b/roles/vault/tasks/install.yml
index bf592d3..51bb656 100644
--- a/roles/vault/tasks/install.yml
+++ b/roles/vault/tasks/install.yml
@@ -36,3 +36,7 @@
 - pre
 - post
 tags: vault
+
+- name: Install unseal script
+ template: src=unseal dest={{ vault_root_dir }}/bin/unseal mode=700
+ tags: vault
diff --git a/roles/vault/templates/unseal b/roles/vault/templates/unseal
new file mode 100644
index 0000000..ae39f01
--- /dev/null
+++ b/roles/vault/templates/unseal
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+export VAULT_ADDR={{ vault_conf.api_addr }}
+
+UNSEAL='{% if vault_unseal_keys | length > 0 %}{{ vault_unseal_keys | join(',') }}{% endif %}'
+STATUS=$(vault status -format json)
+
+if [ "$(echo ${STATUS} | jq -r .initialized)" != "true" ]; then
+ echo "Vault not initialized yet"
+ exit 0
+fi
+
+if [ "$(echo ${STATUS} | jq -r .sealed)" != "true" ]; then
+ echo "Vault not sealed, nothing to do"
+ exit 0
+fi
+
+for KEY in $(echo ${UNSEAL} | sed -E 's/,/\n/g'); do
+ vault operator unseal "${KEY}"
+done
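Review bot: `vault_unseal_keys` holds Vault unseal key shares in cleartext, and nothing in the new comment tells the operator to supply the list from an ansible-vault encrypted variable, so whoever sets it in group_vars or host_vars will commit the keys as plain text; the comment also has two typos ("recommanded", "conveniant"). Suggested replacement for the two comment lines: `# If set, Vault is auto-unsealed on start by bin/unseal. The keys are rendered in cleartext` / `# into that script, so only use this on test systems and supply the list from an` / `# ansible-vault encrypted variable.`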
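Review bot: The new `- dir: /bin` entry is the only absolute path in this list — its sibling `backup` is a relative name — and it carries none of the `owner`/`group`/`mode` keys the other entries set. The task that consumes the list is outside the hunk; if it builds the path as `{{ vault_root_dir }}/{{ item.dir }}` the leading slash only produces a double slash, but if it honours absolute paths it would create or chmod the system `/bin`, and either way the intent is clearly `{{ vault_root_dir }}/bin`, which install.yml uses as the script destination. Suggest `- dir: bin` with the same `owner: root`, `group: root` and a quoted `mode: "0755"` as the `backup` entry, so the directory holding the unseal script does not depend on whatever default the loop task applies. The list this hunk edits begins before the hunk.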
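Review bot: The new `template:` task has no `no_log`, so the rendered script — which embeds the unseal keys in cleartext — is printed in full by `--diff` and verbose runs and ends up in CI logs; it also uses key=value shorthand with a bare `mode=700` and sets no owner/group. It should use block-style module args with a quoted octal mode, pin `owner`/`group` to root (vault.service.j2 runs the script via the `!` ExecStartPost prefix, i.e. as root, and the file must not be readable by the service user or anyone else) and set `no_log: true`. Whether the task should be skipped when `vault_unseal_keys` is empty is a judgement call; the script is harmless but pointless then.
```yaml
- name: Install unseal script
  template:
    src: unseal
    dest: "{{ vault_root_dir }}/bin/unseal"
    owner: root
    group: root
    mode: "0700"
  # The rendered file embeds the unseal keys; keep it out of diff/verbose output.
  no_log: true
  tags: vault
```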
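Review bot: `STATUS=$(vault status -format json)` runs exactly once, and since ExecStartPost fires as soon as the server process is spawned the API listener is frequently not up yet; `vault status` then fails, `STATUS` is empty, the first `jq` test sees an empty string, and the script prints "Vault not initialized yet" and exits 0, so the unseal silently never happens. Polling until `vault status` answers (it exits 0 when unsealed, 2 when sealed, 1 when it cannot reach the server) fixes this; exiting 0 on timeout is deliberate because a failing ExecStartPost takes the unit down, and a sealed Vault is better than no Vault. Two further points: passing `"${KEY}"` as an argument exposes each unseal key in the process list of every local user for the duration of the call — `vault operator unseal` reads the key from stdin when no argument is given, as far as I recall, so pipe it in — and `sed -E 's/,/\n/g'` relies on GNU sed (`\n` in the replacement is not portable), where `tr ',' '\n'` does the same job. Also `echo ${STATUS}` should be `printf '%s' "${STATUS}"` to avoid word splitting and globbing of the JSON, and `jq` must exist on the host, which nothing in this change installs.
```sh
# … unchanged: shebang, VAULT_ADDR export, UNSEAL assignment …

# ExecStartPost fires as soon as the server is spawned, so the API may not be
# listening yet. `vault status` exits 0 when unsealed, 2 when sealed and 1 when
# it cannot reach the server; poll until one of the first two.
TRIES=0
until STATUS=$(vault status -format json) || [ $? -eq 2 ]; do
  TRIES=$((TRIES + 1))
  if [ "${TRIES}" -ge 30 ]; then
    # Exit 0 on purpose: a failing ExecStartPost would stop the unit.
    echo "Vault API not reachable after ${TRIES}s, leaving it sealed" >&2
    exit 0
  fi
  sleep 1
done

# … unchanged: the two early-exit checks, with `printf '%s' "${STATUS}"` in place of `echo ${STATUS}` …

# Feed each key on stdin: an argv value is visible in the process list.
printf '%s\n' "${UNSEAL}" | tr ',' '\n' | while IFS= read -r KEY; do
  [ -n "${KEY}" ] && printf '%s\n' "${KEY}" | vault operator unseal
done
```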
diff --git a/roles/vault/templates/vault.service.j2 b/roles/vault/templates/vault.service.j2
index 9057a1d..7dd090d 100644
--- a/roles/vault/templates/vault.service.j2
+++ b/roles/vault/templates/vault.service.j2
@@ -22,6 +22,9 @@ CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE
 NoNewPrivileges=yes
 ExecStart=/usr/local/bin/vault server -config={{ vault_root_dir }}/etc/
 ExecReload=/bin/kill --signal HUP $MAINPID
+{%- if vault_unseal_keys | length > 0 +%}
+ExecStartPost=!{{ vault_root_dir }}/bin/unseal }}
+{%- endif +%}
 KillMode=process
 KillSignal=SIGINT
 Restart=on-failure
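Review bot: The added `ExecStartPost=!{{ vault_root_dir }}/bin/unseal }}` line has a stray ` }}` after the closing expression; Jinja renders it literally, so systemd starts the script with a `}}` argument. The script ignores its arguments, so it happens to work, but the rendered unit is wrong and the line should read `ExecStartPost=!{{ vault_root_dir }}/bin/unseal`. The `!` prefix deserves a comment in the template, since it runs the script with full privileges regardless of the unit's `User=` and `NoNewPrivileges=yes` — required for a root-owned mode 0700 script holding the unseal keys, but easy to mistake for a typo; e.g. `{# '!' runs the unseal script as root, bypassing User=: it holds the unseal keys and is root:root 0700 #}` above the `if`. Note also that a non-zero exit from an ExecStartPost command marks the unit failed and stops Vault, so the script has to keep exiting 0 on transient errors.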