mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-16 03:27:01 +02:00
Code Issues Projects Releases Wiki Activity
365c71800f
vault/website/source/docs/guides/generate-root.html.md
Seth Vargo d38a3ba861 Move upgrade into guides (#2460) 
* Move upgrades to guides

* Make root token copy-pastable
2017-03-08 17:33:58 -05:00

49 lines
1.2 KiB
Markdown
Raw Blame History

---
layout: "docs"
page_title: "Generate Root Tokens Using Unseal Keys"
sidebar_current: "docs-guides-generate-root"
description: |-
Generate a new root token using a threshold of unseal keys.
---
# Generate Root Tokens Using Unseal Keys
It is generally considered a best practice to not persist
[root tokens][root-tokens]. Instead a root token should be generated using
Vault's `generate-root` command only when absolutely necessary. This guide
demonstrates regenerating a root token.
1. Unseal the vault using the existing quorum of unseal keys. You do not need to
be authenticated.
```shell
$ vault unseal
# ...
```
2. Generate a one-time password:
```shell
$ vault generate-root -genotp
```
3. Get the encoded root token:
```shell
$ vault generate-root -otp="<otp>"
```
This will require a quorum of unseal keys. This will then output an encoded
root token.
4. Decode the encoded root token:
```shell
$ vault generate-root -otp="<otp>" -decode="<encoded-token>"
```
Please see `vault generate-root -help` for information on the alternate
technique using a PGP key.
[root-tokens]: /docs/concepts/tokens.html#root-tokens
Reference in New Issue View Git Blame Copy Permalink