diff --git a/vault/core.go b/vault/core.go
index 73a6e97b37..527a766cb9 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -203,6 +203,7 @@ type Core struct {
 // migrationSeal is the seal to use during a migration operation. It is the
 // seal we're migrating *from*.
 migrationSeal Seal
+ sealMigrated *uint32

 // unwrapSeal is the seal to use on Enterprise to unwrap values wrapped
 // with the previous seal.
@@ -645,6 +646,7 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 seal: conf.Seal,
 router: NewRouter(),
 sealed: new(uint32),
+ sealMigrated: new(uint32),
 standby: true,
 baseLogger: conf.Logger,
 logger: conf.Logger.Named("core"),
@@ -1175,6 +1177,7 @@ func (c *Core) unsealPart(ctx context.Context, seal Seal, key []byte, useRecover
 // At this point we've swapped things around and need to ensure we
 // don't migrate again
 c.migrationSeal = nil
+ atomic.StoreUint32(c.sealMigrated, 1)

 // Ensure we populate the new values
 bc, err := c.seal.BarrierConfig(ctx)
@@ -1738,6 +1741,11 @@ func (c *Core) postUnseal(ctx context.Context, ctxCancelFunc context.CancelFunc,
 v()
 }

+ if atomic.LoadUint32(c.sealMigrated) == 1 {
+ defer func() { atomic.StoreUint32(c.sealMigrated, 0) }()
+ c.postSealMigration(ctx)
+ }
+
 c.logger.Info("post-unseal setup complete")
 return nil
 }
diff --git a/vault/core_util.go b/vault/core_util.go
index 6e85ea79f3..8b909d75f7 100644
--- a/vault/core_util.go
+++ b/vault/core_util.go
@@ -124,3 +124,5 @@ func (c *Core) perfStandbyClusterHandler() (*replication.Cluster, *cache.Cache,
 }

 func (c *Core) initSealsForMigration() {}
+
+func (c *Core) postSealMigration(ctx context.Context) error { return nil }
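Review bot: `sealMigrated` in the `Core` struct hunk has no comment of its own and sits directly under the comment describing `migrationSeal`, so a reader cannot tell what the flag means or that it must only be touched through sync/atomic. I would add above it `// sealMigrated is set to 1 by unsealPart after a seal migration has swapped the seals, and reset to 0 once postUnseal has called postSealMigration; access it only via sync/atomic.` The struct begins and ends outside this hunk.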
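Review bot: In the unsealPart hunk, `atomic.StoreUint32(c.sealMigrated, 1)` runs before `c.seal.BarrierConfig(ctx)` on the following lines, so the flag is raised while the function can presumably still fail. The rest of unsealPart is outside the hunk, but if any later step returns an error the flag stays at 1, and the next successful postUnseal would run `postSealMigration` for a migration that did not finish cleanly. Consider moving the store to after the last error-checked step of the migration branch. If the early placement is intentional, say so with a comment such as `// set before BarrierConfig on purpose: the seal swap above is already irreversible`.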
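Review bot: The result of `c.postSealMigration(ctx)` in the postUnseal hunk is discarded, although core_util.go declares it as returning `error`. The deferred `atomic.StoreUint32(c.sealMigrated, 0)` clears the flag regardless, so a failed post-migration step is neither reported nor retried on a later unseal. At minimum surface it with `if err := c.postSealMigration(ctx); err != nil { c.logger.Warn("post-seal migration failed", "error", err) }`. Whether postUnseal should instead return the error depends on its cleanup path, which starts outside this hunk.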