diff --git a/vault/entrypoint.sh b/vault/entrypoint.sh
index 7d26712..d7114f2 100644
--- a/vault/entrypoint.sh
+++ b/vault/entrypoint.sh
@@ -5,14 +5,23 @@ set -e
 vault server -config=/vault/config/vault.hcl &
 VAULT_PID=$!
-# Wait for Vault to be ready
 export VAULT_ADDR="http://127.0.0.1:8200"
 echo "Waiting for Vault to start..."
-until vault status -format=json 2>/dev/null | grep -q '"initialized"'; do
+until vault status -format=json 2>/dev/null | grep -q '"initialized"\|"sealed"'; do
 sleep 1
 done
-# Auto-unseal if VAULT_UNSEAL_KEY is set
+# Check if initialized
+INITIALIZED=$(vault status -format=json 2>/dev/null | grep '"initialized"' | grep -c 'true' || true)
+
+if [ "$INITIALIZED" != "1" ]; then
+ echo "Vault not initialized, running operator init..."
+ vault operator init -key-shares=1 -key-threshold=1 -format=json > /vault/data/init.json
+ VAULT_UNSEAL_KEY=$(cat /vault/data/init.json | grep -o '"unseal_keys_b64":\["[^"]*"' | grep -o '\["[^"]*"' | tr -d '["')
+ echo "Vault initialized. Unseal key saved to /vault/data/init.json"
+fi
+
+# Auto-unseal
 if [ -n "$VAULT_UNSEAL_KEY" ]; then
 SEALED=$(vault status -format=json 2>/dev/null | grep '"sealed"' | grep -c 'true' || true)
 if [ "$SEALED" = "1" ]; then