diff --git a/site/profiles/manifests/vault/unseal.pp b/site/profiles/manifests/vault/unseal.pp
index cff32a1..e7fe809 100644
--- a/site/profiles/manifests/vault/unseal.pp
+++ b/site/profiles/manifests/vault/unseal.pp
@@ -34,4 +34,14 @@ class profiles::vault::unseal (
     require   => File['/usr/local/bin/vault-unseal.sh'],
     subscribe => [Service['vault'],File['/etc/vault/unseal_keys']],
   }
+
+  # restart the vault-unseal service hourly to ensure vault is unsealled
+  cron { 'restart_vault_unseal':
+    ensure  => 'present',
+    user    => 'root',
+    command => '/bin/systemctl restart vault-unseal',
+    minute  => fqdn_rand(60),
+    hour    => '*',
+    require => Service['vault-unseal'],
+  }
 }