diff --git a/vault/entrypoint.sh b/vault/entrypoint.sh
index 93fa116..11181ab 100644
--- a/vault/entrypoint.sh
+++ b/vault/entrypoint.sh
@@ -1,50 +1,67 @@ #!/bin/sh set -e -# Start Vault server in background +export VAULT_ADDR="http://127.0.0.1:8200" + +get_status_json() { + vault status -format=json 2>/dev/null || true +} + +read_flag() { + json="$1" + key="$2" + printf '%s' "$json" | tr -d '\n' | sed -n "s/.*\"$key\":[[:space:]]*\\(true\\|false\\).*/\\1/p" | head -n1 +} + vault server -config=/vault/config/vault.hcl & VAULT_PID=$! -export VAULT_ADDR="http://127.0.0.1:8200" - -# Save env unseal key before anything overwrites it -SAVED_UNSEAL_KEY="${VAULT_UNSEAL_KEY}" - -echo "Waiting for Vault to start..." -until vault status -format=json 2>/dev/null | grep -q '"initialized"\|"sealed"'; do +echo "Waiting for Vault status endpoint..." +while true; do + STATUS_JSON="$(get_status_json)" + INIT_FLAG="$(read_flag "$STATUS_JSON" initialized)" + SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)" + if [ -n "$INIT_FLAG" ] && [ -n "$SEALED_FLAG" ]; then + break + fi sleep 1 done -# Check if initialized -INITIALIZED=$(vault status -format=json 2>/dev/null | grep '"initialized"' | grep -c 'true' || true) - -if [ "$INITIALIZED" != "1" ]; then - echo "Vault not initialized, running operator init..." - vault operator init -key-shares=1 -key-threshold=1 -format=json > /vault/data/init.json - echo "Vault initialized. Keys saved to /vault/data/init.json" +if [ "$INIT_FLAG" = "false" ]; then + echo "Vault is not initialized yet; auto-unseal skipped." + wait $VAULT_PID + exit $? fi -# Determine unseal key: env > init.json -if [ -n "$SAVED_UNSEAL_KEY" ]; then - UNSEAL_KEY="$SAVED_UNSEAL_KEY" - echo "Using VAULT_UNSEAL_KEY from environment." -elif [ -f /vault/data/init.json ]; then - UNSEAL_KEY=$(grep -o '"unseal_keys_b64":\["[^"]*"' /vault/data/init.json | grep -o '\["[^"]*"' | tr -d '["') - echo "Using unseal key from /vault/data/init.json." 
-fi +if [ "$SEALED_FLAG" = "true" ]; then + UNSEAL_KEYS_RAW="${VAULT_UNSEAL_KEYS:-${VAULT_UNSEAL_KEY:-}}" + if [ -z "$UNSEAL_KEYS_RAW" ]; then + echo "Vault is sealed but VAULT_UNSEAL_KEY/VAULT_UNSEAL_KEYS is empty." + kill $VAULT_PID || true + exit 1 + fi -# Auto-unseal -if [ -n "$UNSEAL_KEY" ]; then - SEALED=$(vault status -format=json 2>/dev/null | grep '"sealed"' | grep -c 'true' || true) - if [ "$SEALED" = "1" ]; then - echo "Vault is sealed, unsealing..." - vault operator unseal "$UNSEAL_KEY" - echo "Vault unsealed." - else - echo "Vault is already unsealed." + echo "Vault is sealed; applying unseal keys from environment..." + for key in $(printf '%s' "$UNSEAL_KEYS_RAW" | tr ',;' ' '); do + [ -n "$key" ] || continue + vault operator unseal "$key" >/dev/null + STATUS_JSON="$(get_status_json)" + SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)" + if [ "$SEALED_FLAG" = "false" ]; then + echo "Vault unsealed." + break + fi + done + + STATUS_JSON="$(get_status_json)" + SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)" + if [ "$SEALED_FLAG" != "false" ]; then + echo "Vault is still sealed after provided key(s)." + kill $VAULT_PID || true + exit 1 fi else - echo "No unseal key available, skipping auto-unseal." + echo "Vault is already unsealed." fi wait $VAULT_PID
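Review bot: `vault operator unseal "$key"` inside the `for key in …` loop passes each unseal key share as a command-line argument, where any other process in the same PID namespace can read it via `ps` or `/proc/<pid>/cmdline` for the duration of the call; the removed code had the same exposure, so the rewrite is the moment to close it. The Vault CLI prompts for the share when no positional argument is given, so feeding it on stdin, `printf '%s\n' "$key" | vault operator unseal >/dev/null`, keeps it off argv — confirm with the CLI version in the image that the prompt reads a non-tty stdin, because otherwise the call would block. A smaller point: `for key in $(printf '%s' "$UNSEAL_KEYS_RAW" | tr ',;' ' ')` depends on unquoted word-splitting and globbing, which is safe only because base64 shares contain no whitespace or glob characters; a comment such as `# shares are base64 (no whitespace/glob chars), so unquoted splitting is safe` would spare the next reader that check. Note also that under `set -e` a non-zero exit from `vault operator unseal` (for example a malformed share) aborts the script without reaching the `kill $VAULT_PID` path, so the explicit cleanup only runs on the "still sealed" branch.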