diff --git a/vault/Dockerfile b/vault/Dockerfile
index c928e89..a27a3bd 100644
--- a/vault/Dockerfile
+++ b/vault/Dockerfile
@@ -1,7 +1,9 @@
 FROM hashicorp/vault:1.21.3
 COPY config /vault/config
+COPY entrypoint.sh /vault/entrypoint.sh
+RUN chmod +x /vault/entrypoint.sh
 EXPOSE 8200 8201
-CMD ["vault", "server", "-config=/vault/config/vault.hcl"]
+ENTRYPOINT ["/vault/entrypoint.sh"]
diff --git a/vault/entrypoint.sh b/vault/entrypoint.sh
new file mode 100644
index 0000000..7d26712
--- /dev/null
+++ b/vault/entrypoint.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+# Start Vault server in background
+vault server -config=/vault/config/vault.hcl &
+VAULT_PID=$!
+
+# Wait for Vault to be ready
+export VAULT_ADDR="http://127.0.0.1:8200"
+echo "Waiting for Vault to start..."
+until vault status -format=json 2>/dev/null | grep -q '"initialized"'; do
+ sleep 1
+done
+
+# Auto-unseal if VAULT_UNSEAL_KEY is set
+if [ -n "$VAULT_UNSEAL_KEY" ]; then
+ SEALED=$(vault status -format=json 2>/dev/null | grep '"sealed"' | grep -c 'true' || true)
+ if [ "$SEALED" = "1" ]; then
+ echo "Vault is sealed, auto-unsealing..."
+ vault operator unseal "$VAULT_UNSEAL_KEY"
+ echo "Vault unsealed."
+ else
+ echo "Vault is already unsealed."
+ fi
+else
+ echo "VAULT_UNSEAL_KEY not set, skipping auto-unseal."
+fi
+
+# Wait for Vault process
+wait $VAULT_PID
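Review bot: Replacing the CMD with a custom ENTRYPOINT on the last line of the hunk discards the base image's stock entrypoint, which in the official hashicorp/vault image is what switches from root to the `vault` user before starting the server, so the server now appears to run as root unless the base sets USER (it does not, as far as I can tell); add `USER vault` ahead of the ENTRYPOINT line, or have the script exec the stock entrypoint, and confirm /vault/config and any storage path are writable by that user since the stock entrypoint's chown no longer runs. The `RUN chmod +x` line stores the file a second time in its own layer; `COPY --chmod=755 entrypoint.sh /vault/entrypoint.sh` does both in one. Ports 8200 and 8201 are above 1024, so a non-root USER still binds them without extra capabilities.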
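Review bot: The script runs as PID 1 but installs no signal handler, so `docker stop` delivers SIGTERM to the shell, which as PID 1 ignores it and never forwards it to the server backgrounded on the `vault server … &` line; the container is then force-killed after the grace period instead of Vault shutting down cleanly. Add `trap 'kill -TERM "$VAULT_PID" 2>/dev/null' TERM INT` before `wait $VAULT_PID`, and note that under `set -e` the interrupted `wait` returns non-zero, so a `wait "$VAULT_PID" || true` followed by a second `wait "$VAULT_PID"` is needed to collect the child's real exit status. On the `vault operator unseal "$VAULT_UNSEAL_KEY"` line the key is passed as an argument, which leaves it readable in /proc/*/cmdline for the life of that process, and as a container environment variable it is also inherited by the server process; Vault's own auto-unseal (a `seal` stanza backed by a KMS or transit) keeps the key out of the container entirely, and a single unseal share held in an env var should be treated as the vault being effectively unsealed at rest. The readiness `until` loop has no upper bound, so if the server exits during startup the loop spins forever rather than failing the container; a bounded retry count that also checks `kill -0 "$VAULT_PID"` would surface that.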