diff --git a/README.md b/README.md index ff34324..7d95ec1 100644 --- a/README.md +++ b/README.md @@ -95,18 +95,16 @@ The default Vault unseal method uses Shamir's Secret Sharing, which requires man 4. Apply the policy: ```shell - vault policy write transit-unseal-policy transit-unseal-policy.hcl + vault policy write transit-unseal transit_unseal_policy.hcl ``` 5. Create a token with the policy attached: ```shell - vault token create -policy="transit-unseal-policy" + vault token create -orphan -policy="transit-unseal" -wrap-ttl=120 -period=24h -field=wrapping_token > wrapping-token.txt ``` - Save the generated token for later use. - -6. Verify connectivity from the main Vault to the KMS Vault. +6. Copy the `wrapping-token.txt` file securely to the main Vault server. It can be copied using `scp` or any other secure method. 7. Store the KMS Vault unseal key and root token securely. Make an offline backup of the KMS Vault. 
@@ -156,16 +154,57 @@ Depending on main Vault state (new or existing), some of the following steps are 1. If the main Vault is already initialized, shut it down and back up its data directory and configuration file. -2. Update the main Vault configuration file (usually located at `/etc/vault.d/vault.hcl`) to include the Auto Unseal configuration: +2. Verify connectivity from the main Vault to the KMS Vault. + + ```shell + VAULT_ADDR=https://kms.koszewscy.waw.pl:8200 vault status + ``` + + or + + ```shell + curl -s https://kms.koszewscy.waw.pl:8200/v1/sys/seal-status | jq . + ``` + + +3. Update the main Vault configuration file (usually located at `/etc/vault.d/vault.hcl`) to include the Auto Unseal configuration: ```hcl + ui = true + + storage "file" { + path = "/opt/vault/data" + } + + # HTTP listener + listener "tcp" { + address = "127.0.0.1:8200" + tls_disable = "true" + } + + # HTTPS listener + listener "tcp" { + address = "192.168.2.10:443" + tls_cert_file = "/opt/vault/tls/tls.crt" + tls_key_file = "/opt/vault/tls/tls.key" + } + seal "transit" { - address = "https://pbs.koszewscy.waw.pl:8200" - key_name = "transit-unseal" - mount_path = "transit/" + address = "https://kms.koszewscy.waw.pl:8200" + disable_renewal = "false" + key_name = "unseal-key" + mount_path = "transit/" } ``` -3. Put the KMS Vault token created earlier into the environment file `/etc/vault.d/vault.env`: + + +4. Unwrap the token to get the KMS Vault token: + + ```shell + VAULT_ADDR=https://kms.koszewscy.waw.pl:8200 vault unwrap -field=token $(cat wrapping-token.txt) > kms-vault-token.txt + ``` + +5. Put the unwrapped KMS Vault token into the environment file `/etc/vault.d/vault.env`: ```shell VAULT_TOKEN="s.xxxxxxx" 
@@ -178,6 +217,17 @@ Depending on main Vault state (new or existing), some of the following steps are EnvironmentFile=/etc/vault.d/vault.env ``` +5. Add systemd override `/etc/systemd/system/vault.service.d/override.conf` if not already present: + + ```ini + [Service] + AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE + CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE + NoNewPrivileges=yes + ``` + + That will allow the vault process to bind to low-numbered ports (443) and lock memory. + 5. If the main Vault was already initialized, start it and unseal with `-migrate` parameter. ```shell @@ -189,6 +239,8 @@ Depending on main Vault state (new or existing), some of the following steps are 7. Uninitialized main Vault will automatically encrypt the root key with the transit key from the KMS Vault during initialization and present recovery keys for Shamir's Secret Sharing. +If for any reason the Auto Unseal method fails, you can always unseal the main Vault using the recovery keys provided during initialization. If the token expires, generate a new one using the KMS Vault, and transfer it to the main Vault as described above. + ## Offline Backup Vault installs the following directories: diff --git a/policies/transit_unseal_policy.hcl b/policies/transit_unseal_policy.hcl new file mode 100644 index 0000000..ed3d978 --- /dev/null +++ b/policies/transit_unseal_policy.hcl @@ -0,0 +1,7 @@ +path "transit/decrypt/unseal-key" { + capabilities = ["update"] +} + +path "transit/encrypt/unseal-key" { + capabilities = ["update"] +} \ No newline at end of file
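Review bot: In the `@@ -95,18 +95,16 @@` hunk, the `-wrap-ttl=120` on the new `vault token create` line gives the wrapping token a two-minute lifetime, but the unwrap does not happen until step 4 of the main-Vault section, after shutting the main Vault down, backing it up, checking connectivity and editing its config; as written the wrapping token will almost certainly be expired by then. Either move the unwrap to immediately after the `scp` in step 6, or raise the wrap TTL and say so in the text. Also, step 4 still reads `vault policy write transit-unseal transit_unseal_policy.hcl` while the file added in this patch lives at `policies/transit_unseal_policy.hcl`; the command should use that path (or say to run it from the `policies/` directory).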
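Review bot: In the `@@ -156,16 +154,57 @@` hunk, the unwrap in step 4 writes the long-lived periodic KMS token to `kms-vault-token.txt` in plaintext, and nothing in the following steps removes it once the value is in `/etc/vault.d/vault.env`; add a step to delete the file (and `wrapping-token.txt`) and restrict `vault.env` to the vault user, since that token is all that is needed to decrypt the root key via the transit mount. Step numbering also drifts here: this hunk ends at step 5, and the next hunk introduces two further steps that are both numbered 5. A minor point on step 2: `vault status` exits non-zero (2) when the KMS Vault is sealed, so a reader scripting this check should treat that as "reachable but sealed", not as a connectivity failure.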
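Review bot: In the `@@ -178,6 +217,17 @@` hunk, the new systemd override step is missing `systemctl daemon-reload` after creating `/etc/systemd/system/vault.service.d/override.conf`; without it systemd keeps the old unit definition and the service is started without `CAP_NET_BIND_SERVICE`, so the `192.168.2.10:443` listener from the config hunk fails to bind. The step is also numbered 5 while the unchanged line right after it is another step 5 (`If the main Vault was already initialized, start it and unseal with -migrate`); renumber the list.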
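Review bot: In the `@@ -189,6 +239,8 @@` hunk, the added sentence "you can always unseal the main Vault using the recovery keys" is not accurate for an auto-unsealed Vault: recovery keys do not unseal it, they only authorize privileged operations such as rekeying and root-token generation. If the KMS Vault is unreachable, the supported fallback is a seal migration back to Shamir, i.e. set `disabled = "true"` in the `seal "transit"` stanza, restart, and run `vault operator unseal -migrate` supplying the recovery keys; the text should describe that procedure instead, and make clear it is a migration, not a one-off unseal.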
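Review bot: In the `@@ -0,0 +1,7 @@` hunk for `policies/transit_unseal_policy.hcl`, the file ends without a trailing newline (`\ No newline at end of file`); add one so later diffs stay clean. The policy itself matches the `key_name = "unseal-key"` used in the seal stanza and is correctly scoped to `update` on only the encrypt and decrypt paths of that key, which is the least privilege the transit seal needs; worth a short comment in the file stating that, so nobody widens it to `transit/*` later.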