From 2b9b8f355b0ee4101ef4a3a6f2e45f9b5de2c3c3 Mon Sep 17 00:00:00 2001 From: Jacob Friedman Date: Thu, 4 Mar 2021 15:57:47 -0800 Subject: [PATCH] Update init.mdx (#11044) * Update init.mdx Updated operator init documentation to try to avoid steering customers towards running Auto Unseal seals with recovery-shares=1 and recovery-threshold=1. This is a bad security posture, as it can allow a single user with access to that recovery share to create root tokens and do other very sensitive tasks. Also rewrote parts of the HSM/KMS Options section to indicate that recovery-related options are not solely for HSM-mode Vault but are for ANY Auto Unseal seal. * Update website/content/docs/commands/operator/init.mdx Adding an appropriate number of recovery-pgp-keys Co-authored-by: Yoko Co-authored-by: Yoko --- website/content/docs/commands/operator/init.mdx | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/website/content/docs/commands/operator/init.mdx b/website/content/docs/commands/operator/init.mdx index 0d48963b32..3482e5be1a 100644 --- a/website/content/docs/commands/operator/init.mdx +++ b/website/content/docs/commands/operator/init.mdx @@ -43,13 +43,13 @@ $ vault operator init \ -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo" ``` -Initialize Auto Unseal, but encrypt the recovery keys with pgp keys: +Initialize Auto Unseal with a non-default threshold and number of recovery keys, and encrypt the recovery keys with pgp keys: ```shell-session $ vault operator init \ - -recovery-shares=1 \ - -recovery-threshold=1 \ - -recovery-pgp-keys="keybase:grahamhashicorp" + -recovery-shares=7 \ + -recovery-threshold=4 \ + -recovery-pgp-keys="keybase:jeff,keybase:chris,keybase:brian,keybase:calvin,keybase:matthew,keybase:vishal,keybase:nick" ``` Encrypt the initial root token using a pgp key: 
@@ -113,13 +113,13 @@ flags](/docs/commands) included on all commands. ### HSM and KMS Options - `-recovery-pgp-keys` `(string: "...")` - Behaves like `-pgp-keys`, but for the - recovery key shares. This is only used in HSM mode. + recovery key shares. This is only used with Auto Unseal seals (HSM, KMS and Transit seals). - `-recovery-shares` `(int: 5)` - Number of key shares to split the recovery key - into. This is only used in HSM mode. + into. This is only used Auto Unseal seals (HSM, KMS and Transit seals). - `-recovery-threshold` `(int: 3)` - Number of key shares required to - reconstruct the recovery key. This is only used in HSM mode. + reconstruct the recovery key. This is only used Auto Unseal seals (HSM, KMS and Transit seals). - `-stored-shares` `(int: 0)` - Number of unseal keys to store on an HSM. This must be equal to `-key-shares`.
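Review bot: the rationale for the change in the first hunk never reaches the rendered page. The lead-in is rewritten to "Initialize Auto Unseal with a non-default threshold and number of recovery keys", but nothing in init.mdx tells the reader why `-recovery-shares=1 -recovery-threshold=1` was dropped, while the commit message states the reason plainly (a single holder of the one recovery share can create root tokens). Suggest a sentence after the example along the lines of `Use a threshold greater than one so that no single recovery-key holder can generate a root token alone.` Two smaller points in the same hunk: the example supplies exactly seven `-recovery-pgp-keys` for `-recovery-shares=7` (the co-author note calls this "an appropriate number"), so say explicitly that the key count is expected to equal the share count rather than leaving the reader to infer it; and the placeholder identities `keybase:jeff,keybase:chris,keybase:brian,...` are bare first names, whereas the adjacent `-pgp-keys` example in the unchanged context uses `keybase:hashicorp,keybase:jefferai,keybase:sethvargo`, so pick identities in the same style for consistency.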
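Review bot: two of the three rewritten flag descriptions in the second hunk drop the preposition. `-recovery-shares` and `-recovery-threshold` now read `This is only used Auto Unseal seals (HSM, KMS and Transit seals).`, while `-recovery-pgp-keys` above them correctly reads `This is only used with Auto Unseal seals (HSM, KMS and Transit seals).`; add `with` to both. The section heading `### HSM and KMS Options` is left as-is even though every entry under it now says it applies to Transit seals as well, and the unchanged `-stored-shares` entry still says `store on an HSM`, so the heading no longer matches its contents; either retitle the section (for example `### Auto Unseal Options`) or move the three recovery flags under a heading that covers all Auto Unseal seal types.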