diff --git a/internal/cluster/orchestrator_lifecycle.go b/internal/cluster/orchestrator_lifecycle.go
index 1185107..acfa84d 100644
--- a/internal/cluster/orchestrator_lifecycle.go
+++ b/internal/cluster/orchestrator_lifecycle.go
@@ -37,6 +37,14 @@ func (o *Orchestrator) Startup(ctx context.Context, opts StartupOptions) (err er
 		return invErr
 	}
 	o.noteStartupCheck("node-inventory", true, "inventory/user/port validation passed")
+	if err := o.waitForAPI(ctx, 1, time.Second); err == nil {
+		o.noteStartupCheckState("vault-unseal", "running", "ensuring vault is unsealed while kubernetes api is already available")
+		if err := o.ensureVaultUnsealed(ctx); err != nil {
+			o.noteStartupCheck("vault-unseal", false, err.Error())
+			return err
+		}
+		o.noteStartupCheck("vault-unseal", true, "vault is unsealed")
+	}
 	o.setStartupPhase("preflight-node-reachability", "waiting for ssh reachability across configured inventory")
 	if reachErr := o.waitForNodeInventoryReachability(ctx); reachErr != nil {
 		o.noteStartupCheck("node-inventory-reachability", false, reachErr.Error())
@@ -179,6 +187,12 @@ func (o *Orchestrator) Startup(ctx context.Context, opts StartupOptions) (err er
 		}
 	}
 	o.noteStartupCheck("kubernetes-api", true, "kubernetes api reachable")
+	o.noteStartupCheckState("vault-unseal", "running", "ensuring vault is unsealed before startup gates")
+	if err := o.ensureVaultUnsealed(ctx); err != nil {
+		o.noteStartupCheck("vault-unseal", false, err.Error())
+		return err
+	}
+	o.noteStartupCheck("vault-unseal", true, "vault is unsealed")
 	if err := o.ensureRequiredNodeLabels(ctx); err != nil {
 		return err
 	}
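Review bot: The probe result in `if err := o.waitForAPI(ctx, 1, time.Second); err == nil {` is discarded when non-nil, so a failed early probe silently skips the unseal attempt with nothing in the startup-check record explaining why, and the name `err` shadows the function's named result `err` twice in this block (once for the probe, again for `ensureVaultUnsealed`). The explicit `return err` makes it correct, but `go vet`'s shadow analyzer will flag it and it breaks the `invErr`/`reachErr` naming the surrounding code uses; rename the probe error, e.g. `if probeErr := o.waitForAPI(ctx, 1, time.Second); probeErr == nil {`, and add a comment such as `// API not yet reachable: unseal is retried after the kubernetes-api gate below` so the skip is intentional rather than accidental. If `ensureVaultUnsealed` can wrap raw Vault responses in its errors, confirm that `err.Error()` stored in the check record carries no key material; that cannot be verified from this hunk. Startup continues outside the hunk on both sides.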
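Review bot: This block is a verbatim copy of the unseal sequence added earlier in the same function (only the "running" message differs), and when the early pass already ran it overwrites that "vault-unseal" check record with a second run, so the earlier success is no longer visible in the startup report. Extract the sequence into one method that takes the running message, and call it from both sites, `if err := o.ensureVaultUnsealedCheck(ctx, "ensuring vault is unsealed before startup gates"); err != nil { return err }`, so the check key, the failure path and the success message are defined once; whether the second run should be skipped after a successful first pass depends on how idempotent `ensureVaultUnsealed` is, which the hunk does not show.

```go
// ensureVaultUnsealedCheck runs the vault unseal step and records it as the
// "vault-unseal" startup check; running is the reason shown while it runs.
func (o *Orchestrator) ensureVaultUnsealedCheck(ctx context.Context, running string) error {
	o.noteStartupCheckState("vault-unseal", "running", running)
	if err := o.ensureVaultUnsealed(ctx); err != nil {
		o.noteStartupCheck("vault-unseal", false, err.Error())
		return err
	}
	o.noteStartupCheck("vault-unseal", true, "vault is unsealed")
	return nil
}

	// … unchanged: kubernetes-api check …
	if err := o.ensureVaultUnsealedCheck(ctx, "ensuring vault is unsealed before startup gates"); err != nil {
		return err
	}
	// … unchanged: ensureRequiredNodeLabels and the rest of Startup …
```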