It is generally considered a best practice to not persist
root tokens. Instead a root token should be generated using
Vault's operator generate-root
command only when absolutely necessary. This
tutorial demonstrates regenerating a root token.
First, make sure to unseal the vault using the existing quorum of unseal keys. You do not need to be authenticated to generate a new root token, but the Vault must be unsealed and a quorum of unseal keys must be available.
$ vault operator unseal
Unseal Key (will be hidden):
»Use one-time password (OTP)
Initialize a root token generation.
$ vault operator generate-root -init A One-Time-Password has been generated for you and is shown in the OTP field. You will need this value to decode the resulting root token, so keep it safe. Nonce 15565c79-cc9e-5e64-b986-8506e7bd1918 Started true Progress 0/1 Complete false OTP 5JFQaH76Ky2TIuSt4SPvO1CGkx OTP Length 26
Nonce and one-time password (OTP) are generated. The nonce value should be distributed to all unseal key (recovery key if auto-unseal is used) holders.
NOTE: You will need the OTP value later to decode the generated root token.
Each unseal key holder provides their unseal key.
$ vault operator generate-root Root generation operation nonce: f67f4da3-4ae4-68fb-4716-91da6b609c3e Unseal Key (will be hidden):
If there is a tty, Vault will prompt for the key and automatically complete the nonce value. If there is no tty, or if the value is piped from stdin, the user must specify the nonce value from the
-init
operation.$ echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -
When the quorum of unseal keys (or recovery keys) are supplied, the final user will also get the encoded root token.
$ vault operator generate-root Root generation operation nonce: f67f4da3-4ae4-68fb-4716-91da6b609c3e Unseal Key (will be hidden): Nonce f67f4da3-4ae4-68fb-4716-91da6b609c3e Started true Progress 5/5 Complete true Encoded Token IxJpyqxn3YafOGhqhvP6cQ==
Decode the encoded token using the OTP generated during the initialization.
$ vault operator generate-root \ -decode=IxJpyqxn3YafOGhqhvP6cQ== \ -otp=mOXx7iVimjE6LXQ2Zna6NA== 24bde68f-3df3-e137-cf4d-014fe9ebc43f
NOTE: An interactive tutorial is also available if you do not have a Vault environment to perform the steps described in this tutorial. Click the Show Terminal button to start.
»Use PGP
Initialize a root token generation, providing the path to a GPG public key or keybase username of a user to encrypted the resulting token.
$ vault operator generate-root -init -pgp-key=keybase:sethvargo Nonce e24dec5e-f1ea-2dfe-ecce-604022006976 Started true Progress 0/5 Complete false PGP Fingerprint e2f8e2974623ba2a0e933a59c921994f9c27e0ff
The nonce value should be distributed to all unseal key holders.
Each unseal key holder providers their unseal key.
$ vault operator generate-root Root generation operation nonce: e24dec5e-f1ea-2dfe-ecce-604022006976 Unseal Key (will be hidden): ...
If there is a tty, Vault will prompt for the key and automatically complete the nonce value. If there is no tty, or if the value is piped from stdin, the user must specify the nonce value from the
-init
operation.$ echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -
When the quorum of unseal keys are supplied, the final user will also get the encoded root token.
$ vault operator generate-root Root generation operation nonce: e24dec5e-f1ea-2dfe-ecce-604022006976 Unseal Key (will be hidden): Nonce e24dec5e-f1ea-2dfe-ecce-604022006976 Started true Progress 1/1 Complete true PGP Fingerprint e2f8e2974623ba2a0e933a59c921994f9c27e0ff Encoded Token wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg...
Decrypt the encrypted token using associated private key.
$ echo "wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg..." | base64 --decode | gpg --decrypt d0f71e9b-ebff-6d8a-50ae-b8859f2e5671
or via keybase:
$ echo "wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg..." | base64 --decode | keybase pgp decrypt d0f71e9b-ebff-6d8a-50ae-b8859f2e5671