From 320d1b7c074d3710345c1918205e3528a20bfbd7 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Wed, 10 Oct 2018 11:51:05 -0400
Subject: [PATCH] Update website docs around root token generation
---
 website/source/api/system/generate-root.html.md | 14 +++++++++-----
 website/source/api/system/replication-dr.html.md | 14 +++++++++-----
 2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/website/source/api/system/generate-root.html.md b/website/source/api/system/generate-root.html.md
index d8284df3b9..02f5727a86 100644
--- a/website/source/api/system/generate-root.html.md
+++ b/website/source/api/system/generate-root.html.md
@@ -54,15 +54,18 @@ This endpoint initializes a new root generation attempt. Only a single root
 generation attempt can take place at a time. One (and only one) of `otp` or
 `pgp_key` are required.
+Note: `otp` can be empty, in which case an OTP of suitable length will be
+generated for you, which is recommended. Future versions of Vault will remove
+the need to set this parameter at all.
+
 | Method | Path | Produces |
 | :------- | :--------------------------- | :--------------------- |
 | `PUT` | `/sys/generate-root/attempt` | `200 application/json` |
 ### Parameters
-- `otp` `(string: )` – Specifies a base64-encoded 16-byte
- value. The raw bytes of the token will be XOR'd with this value before being
- returned to the final unseal key provider.
+- `otp` `(string: )` – Set, but leave this value blank, to
+ have Vault generate a suitable OTP and return it.
 - `pgp_key` `(string: )` – Specifies a base64-encoded PGP public key. The raw bytes of the token will be encrypted with this value
@@ -72,7 +75,7 @@ generation attempt can take place at a time. One (and only one) of `otp` or
 ```json
 {
- "otp": "CB23=="
+ "otp": ""
 }
 ```
@@ -94,7 +97,8 @@ $ curl \
 "progress": 1,
 "required": 3,
 "encoded_token": "",
- "pgp_fingerprint": "816938b8a29146fbe245dd29e7cbaf8e011db793",
+ "otp": "2vPFYG8gUSW9npwzyvxXMug0",
+ "otp_length" :24,
 "complete": false
 }
 ```
diff --git a/website/source/api/system/replication-dr.html.md b/website/source/api/system/replication-dr.html.md
index 81769813ee..7b5af94d3c 100644
--- a/website/source/api/system/replication-dr.html.md
+++ b/website/source/api/system/replication-dr.html.md
@@ -457,15 +457,18 @@ This endpoint initializes a new generation attempt. Only a single
 generation attempt can take place at a time. One (and only one) of `otp` or
 `pgp_key` are required.
+Note: `otp` can be empty, in which case an OTP of suitable length will be
+generated for you, which is recommended. Future versions of Vault will remove
+the need to set this parameter at all.
+
 | Method | Path | Produces |
 | :------- | :--------------------------- | :--------------------- |
 | `PUT` | `/sys/replication/dr/secondary/generate-operation-token/attempt` | `200 application/json` |
 ### Parameters
-- `otp` `(string: )` – Specifies a base64-encoded 16-byte
- value. The raw bytes of the token will be XOR'd with this value before being
- returned to the final unseal key provider.
+- `otp` `(string: )` – Set, but leave this value blank, to
+ have Vault generate a suitable OTP and return it.
 - `pgp_key` `(string: )` – Specifies a base64-encoded PGP public key. The raw bytes of the token will be encrypted with this value
@@ -475,7 +478,7 @@ generation attempt can take place at a time. One (and only one) of `otp` or
 ```json
 {
- "otp": "CB23=="
+ "otp": ""
 }
 ```
@@ -497,7 +500,8 @@ $ curl \
 "progress": 1,
 "required": 3,
 "encoded_token": "",
- "pgp_fingerprint": "816938b8a29146fbe245dd29e7cbaf8e011db793",
+ "otp": "2vPFYG8gUSW9npwzyvxXMug0",
+ "otp_length" :24,
 "complete": false
 }
 ```