I hold my vault seal key in my KeePass database. It's set to start and prompt for the master password when I login and it integrates into the FreeDesktop/DBus secrets API (and ssh-agent). Obviously I only need the seal/root tokens when the Vault server reboots. Once it's running it hands out secrets and certificates to everything else.