mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/api-docs/system/init.mdx
Erica Thompson 0660ea6fac
Update README (#31244) 
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

122 lines
3.9 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: api
page_title: /sys/init - HTTP API
description: The `/sys/init` endpoint is used to initialize a new Vault.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# `/sys/init`
@include 'alerts/restricted-root.mdx'
The `/sys/init` endpoint is used to initialize a new Vault.
## Read initialization status
This endpoint returns the initialization status of Vault.
| Method | Path |
| :----- | :---------- |
| `GET` | `/sys/init` |
### Sample request
```shell-session
$ curl \
http://127.0.0.1:8200/v1/sys/init
```
### Sample response
```json
{
"initialized": true
}
```
## Start initialization
This endpoint initializes a new Vault. The Vault must not have been previously
initialized. The recovery options, as well as the stored shares option, are only
available when using [Auto Unseal](/vault/docs/concepts/seal#auto-unseal).
| Method | Path |
| :----- | :---------- |
| `POST` | `/sys/init` |
### Parameters
- `pgp_keys` `(array<string>: nil)` Specifies an array of PGP public keys used
to encrypt the output unseal keys. Ordering is preserved. The keys must be
base64-encoded from their original binary representation. The size of this
array must be the same as `secret_shares`.
- `root_token_pgp_key` `(string: "")`  Specifies a PGP public key used to
encrypt the initial root token. The key must be base64-encoded from its
original binary representation.
- `secret_shares` `(int: <required>)`  Specifies the number of shares to
split the root key into.
- `secret_threshold` `(int: <required>)`  Specifies the number of shares
required to reconstruct the root key. This must be less than or equal
`secret_shares`.
Additionally, the following options are only supported using Auto Unseal:
- `stored_shares` `(int: <required>)` Specifies the number of shares that
should be encrypted by the HSM and stored for auto-unsealing. Currently must
be the same as `secret_shares`.
- `recovery_shares` `(int: 0)` Specifies the number of shares to
split the recovery key into. This is only available when using Auto Unseal.
- `recovery_threshold` `(int: 0)`  Specifies the number of shares
required to reconstruct the recovery key. This must be less than or equal to
`recovery_shares`. This is only available when using Auto Unseal.
- `recovery_pgp_keys` `(array<string>: nil)` Specifies an array of PGP public
keys used to encrypt the output recovery keys. Ordering is preserved. The keys
must be base64-encoded from their original binary representation. The size of
this array must be the same as `recovery_shares`. This is only available when using Auto Unseal.
### Sample payload
```json
{
"secret_shares": 10,
"secret_threshold": 5
}
```
### Sample request
```shell-session
$ curl \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/init
```
### Sample response
A JSON-encoded object including the (possibly encrypted, if `pgp_keys` was
provided) root keys, base 64 encoded root keys and initial root token:
```json
{
"keys": ["one", "two", "three"],
"keys_base64": ["cR9No5cBC", "F3VLrkOo", "zIDSZNGv"],
"root_token": "foo"
}
```
-> **Warning:** Please be reminded that recovery keys are used as an
authentication flow for rekeying and regeneration of root credentials and cannot
be used to unseal Vault in the case of the unavailability of the seal mechanism.
Refer to the full warning in the documentation for
[Auto Unseal](/vault/docs/concepts/seal#auto-unseal).
Reference in New Issue View Git Blame Copy Permalink