vault/website/source/docs/commands/operator/generate-root.html.md
Calvin Leung Huang 3189278c84
CLI Enhancements (#3897)
* Use Colored UI if stdout is a tty

* Add format options to operator unseal

* Add format test on operator unseal

* Add -no-color output flag, and use BasicUi if no-color flag is provided

* Move seal status formatting logic to OutputSealStatus

* Apply no-color to warnings from DeprecatedCommands as well

* Add OutputWithFormat to support arbitrary data, add format option to auth list

* Add ability to output arbitrary list data on TableFormatter

* Clear up switch logic on format

* Add format option for list-related commands

* Add format option to rest of commands that return a client API response

* Remove initOutputYAML and initOutputJSON, and use OutputWithFormat instead

* Remove outputAsYAML and outputAsJSON, and use OutputWithFormat instead

* Remove -no-color flag, use env var exclusively to toggle colored output

* Fix compile

* Remove -no-color flag in main.go

* Add missing FlagSetOutputFormat

* Fix generate-root/decode test

* Migrate init functions to main.go

* Add no-color flag back as hidden

* Handle non-supported data types for TableFormatter.OutputList

* Pull formatting much further up to remove the need to use c.flagFormat (#3950)

* Pull formatting much further up to remove the need to use c.flagFormat

Also remove OutputWithFormat as the logic can cause issues.

* Use const for env var

* Minor updates

* Remove unnecessary check

* Fix SSH output and some tests

* Fix tests

* Make race detector not run on generate root since it kills Travis these days

* Update docs

* Update docs

* Address review feedback

* Handle --format as well as -format
2018-02-12 18:12:16 -05:00


---
layout: "docs"
page_title: "operator generate-root - Command"
sidebar_current: "docs-commands-operator-generate-root"
description: |-
  The "operator generate-root" command generates a new root token by combining
  a quorum of share holders.
---

# operator generate-root

The `operator generate-root` command generates a new root token by combining a quorum of share holders. One of the following must be provided to start the root token generation:

- A base64-encoded one-time-password (OTP) provided via the `-otp` flag. Use the `-generate-otp` flag to generate a usable value. The resulting token is XORed with this value when it is returned. Use the `-decode` flag to output the final value.

- A file containing a PGP key or a keybase username in the `-pgp-key` flag. The resulting token is encrypted with this public key.

An unseal key may be provided directly on the command line as an argument to the command. If the key is specified as "-", the command will read from stdin. If a TTY is available, the command will prompt for text.

Please see the generate root guide for step-by-step instructions.

## Examples

Generate an OTP code for the final token:

```text
$ vault operator generate-root -generate-otp
```

Start a root token generation:

```text
$ vault operator generate-root -init -otp="..."
```

Enter an unseal key to progress root token generation:

```text
$ vault operator generate-root -otp="..."
```
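To make the OTP step concrete, here is an added Go example (not Vault's own code) of the masking scheme the bullets above describe: the server XORs the freshly generated root token with the OTP before returning it, and `-decode` XORs the returned value with the same OTP to recover the token. It assumes a byte-for-byte XOR of two base64 values of equal length; the exact pad length and token encoding the real CLI expects depend on the Vault version.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// GenerateOTP returns a base64-encoded random pad of n bytes, the job of -generate-otp.
// Assumption: the pad length and token encoding Vault expects vary by version.
func GenerateOTP(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf), nil
}

// XORBase64 decodes both inputs, XORs them byte-for-byte and re-encodes the result.
// A length mismatch is an error: a pad shorter than the token would leave part of it unmasked.
func XORBase64(a, b string) (string, error) {
	ab, errA := base64.StdEncoding.DecodeString(a)
	bb, errB := base64.StdEncoding.DecodeString(b)
	if errA != nil || errB != nil {
		return "", fmt.Errorf("inputs must be valid base64: %v / %v", errA, errB)
	}
	if len(ab) != len(bb) {
		return "", fmt.Errorf("length mismatch: %d vs %d bytes", len(ab), len(bb))
	}
	out := make([]byte, len(ab))
	for i := range ab {
		out[i] = ab[i] ^ bb[i]
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

// MaskToken is the server-side step: the new root token is XORed with the OTP before return.
func MaskToken(token []byte, otp string) (string, error) {
	return XORBase64(base64.StdEncoding.EncodeToString(token), otp)
}

// DecodeToken is what -decode does: XOR the masked value with the same OTP.
func DecodeToken(encoded, otp string) ([]byte, error) {
	s, err := XORBase64(encoded, otp)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(s)
}
```

Because the OTP is a one-time pad, the masked token in the response is useless to anyone who only sees the response; the OTP must be kept on the operator's side and used exactly once.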

## Usage

The following flags are available in addition to the standard set of flags included on all commands.

### Output Options

- `-format` `(string: "table")` - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the `VAULT_FORMAT` environment variable.

### Command Options

- `-cancel` `(bool: false)` - Reset the root token generation progress. This will discard any submitted unseal keys or configuration.

- `-decode` `(string: "")` - Decode and output the generated root token. This option requires the `-otp` flag be set to the OTP used during initialization.

- `-generate-otp` `(bool: false)` - Generate and print a high-entropy one-time-password (OTP) suitable for use with the `-init` flag.

- `-init` `(bool: false)` - Start a root token generation. This can only be done if there is not currently one in progress.

- `-nonce` `(string: "")` - Nonce value provided at initialization. The same nonce value must be provided with each unseal key.

- `-otp` `(string: "")` - OTP code to use with `-decode` or `-init`.

- `-pgp-key` `(keybase or pgp)` - Path to a file on disk containing a binary or base64-encoded public GPG key. This can also be specified as a Keybase username using the format `keybase:<username>`. When supplied, the generated root token will be encrypted and base64-encoded with the given public key.

- `-status` `(bool: false)` - Print the status of the current attempt without providing an unseal key. The default is false.