diff --git a/vault/expiration.go b/vault/expiration.go
index 628df8e973b0..710fcb8f0b16 100644
--- a/vault/expiration.go
+++ b/vault/expiration.go
@@ -1104,6 +1104,9 @@ func (m *ExpirationManager) persistEntry(le *leaseEntry) error {
 Key: le.LeaseID,
 Value: buf,
 }
+ if le.Auth != nil && len(le.Auth.Policies) == 1 && le.Auth.Policies[0] == "root" {
+ ent.SealWrap = true
+ }
 if err := m.idView.Put(&ent); err != nil {
 return fmt.Errorf("failed to persist lease entry: %v", err)
 }
diff --git a/vault/token_store.go b/vault/token_store.go
index 35a6a8e057d4..fd52a71e25f1 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -838,6 +838,9 @@ func (ts *TokenStore) storeCommon(entry *TokenEntry, writeSecondary bool) error
 // Write the primary ID
 path := lookupPrefix + saltedId
 le := &logical.StorageEntry{Key: path, Value: enc}
+ if len(entry.Policies) == 1 && entry.Policies[0] == "root" {
+ le.SealWrap = true
+ }
 if err := ts.view.Put(le); err != nil {
 return fmt.Errorf("failed to persist entry: %v", err)
 }
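Review bot: The added condition in persistEntry sets `ent.SealWrap = true` only when the policy list is exactly `["root"]`, so a lease whose Auth carried root alongside any other policy would be persisted without seal wrapping. The same predicate is repeated in storeCommon in vault/token_store.go. If policy normalisation elsewhere guarantees that root is always the sole entry, record that next to the check, e.g. `// root is never combined with other policies, so an exact match identifies root leases`; otherwise test for membership instead of position 0. Moving the predicate into one unexported helper shared by both call sites would keep the two checks from drifting apart. persistEntry starts and ends outside this hunk.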
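Review bot: In storeCommon only the primary lookup entry gets `le.SealWrap = true`. The `writeSecondary` parameter suggests further entries are written for the same token later in the function, and the hunk does not show whether any of them hold material that warrants the same protection. That is worth confirming and stating above the new check, e.g. `// Root token entries get the extra seal-wrap layer; only the primary entry is wrapped here.` The flag is also applied only at write time, so root token entries stored before this change presumably stay unwrapped until they are next persisted, which deserves a line in the commit description or upgrade notes. storeCommon's body continues outside the hunk.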