Generate Root Tokens Using Unseal Keys
It is generally considered a best practice not to persist root tokens. Use the root token only for just enough initial setup. Once you enabled an auth method with appropriate policies allowing Vault admins to log in and perform operational tasks, the admins should authenticate with Vault instead of using the root token.
In case of an emergency when a root token is absolutely necessary, Vault
operator should generate a new root token using the operator generate-root
command. This tutorial demonstrates the steps to regenerate a root token.
Launch Terminal
This tutorial includes a free interactive command-line lab that lets you follow along on actual cloud infrastructure.
First, make sure to unseal the vault using the existing quorum of unseal keys. You do not need to be authenticated to generate a new root token, but the Vault must be unsealed and a quorum of unseal keys must be available.
Use one-time password (OTP)
Initialize a root token generation.
Nonce and one-time password (OTP) are generated. The nonce value should be distributed to all unseal key (recovery key if auto-unseal is used) holders.
Note
You will need the OTP value later to decode the generated root token.
Each unseal key holder provides their unseal key.
If there is a tty, Vault will prompt for the key and automatically complete the nonce value. If there is no tty, or if the value is piped from stdin, the user must specify the nonce value from the
-init
operation.When the quorum of unseal keys (or recovery keys) are supplied, the final user will also get the encoded root token.
Decode the encoded token using the OTP generated during the initialization.
Use PGP
Initialize a root token generation, providing the path to a GPG public key or keybase username of a user to encrypted the resulting token.
The nonce value should be distributed to all unseal key holders.
Each unseal key holder providers their unseal key.
If there is a tty, Vault will prompt for the key and automatically complete the nonce value. If there is no tty, or if the value is piped from stdin, the user must specify the nonce value from the
-init
operation.When the quorum of unseal keys are supplied, the final user will also get the encoded root token.
Decrypt the encrypted token using associated private key.
or via keybase: