mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-13 01:57:03 +02:00
Code Issues Projects Releases Wiki Activity
415d260995
vault/website/content/docs/troubleshoot/generate-root-token.mdx
Yoko Hyakuna 34a1796d03
[Docs] Create 'Troubleshoot' section (#28028) 
* Create 'Troubleshoot' section

* Remove extra spaces

* Update redirects.js

* Remove extra comma

* Change the title

* Update website/content/docs/troubleshoot/generate-root-token.mdx

Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>

* Update website/content/docs/troubleshoot/generate-root-token.mdx

Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>

* Update website/content/docs/troubleshoot/generate-root-token.mdx

Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>

* Update website/content/docs/troubleshoot/generate-root-token.mdx

Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>

* Update website/content/docs/troubleshoot/generate-root-token.mdx

Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>

* Update website/content/docs/troubleshoot/generate-root-token.mdx

Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>

* Update website/content/docs/troubleshoot/generate-root-token.mdx

Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>

* Update website/content/docs/troubleshoot/generate-root-token.mdx

Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>

* Update website/content/docs/troubleshoot/generate-root-token.mdx

Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>

* Update website/content/docs/troubleshoot/generate-root-token.mdx

Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>

* edit suggestions (#28047)

* Fix the relative path - add missing '/'

* Fix a typo

---------

Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
2024-08-09 14:21:41 -07:00

162 lines
4.2 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: Regenerate a Vault root token
description: >-
Regenerate a lost or revoked root token.
---
# Regenerate a Vault root token
Your Vault root token is a special token that gives you access to **all** Vault
operations. Best practice is to enable an appropriate authentication method for
Vault admins once the server is running and revoke the root token.
For emergency situations where your require a root token, you can use the
[`operator generate-root`](/vault/docs/commands/operator/generate-root) CLI
command and a one-time password (OTP) or Pretty Good Privacy (PGP) to generate
a new root token.
## Before you start
- **You need your Vault keys**. If you use auto-unseal, you need your
[recovery](/vault/docs/concepts/seal#recovery-key) keys, otherwise you need
your unseal keys.
- **Identify current key holders**. You must distribute the token nonce to your
unseal/recovery key holders during root token generation.
## Step 1: Create a root token nonce
1. Generate a token nonce for your new root token:
<Tabs>
<Tab heading="OTP" group="otp">
**You need the returned OTP value to decode the new root token**.
```shell-session
$ vault operator generate-root -init
A One-Time-Password has been generated for you and is shown in the OTP field.
You will need this value to decode the resulting root token, so keep it safe.
Nonce 15565c79-cc9e-5e64-b986-8506e7bd1918
Started true
Progress 0/1
Complete false
OTP 5JFQaH76Ky2TIuSt4SPvO1CGkx
OTP Length 26
```
</Tab>
<Tab heading="PGP" group="pgp">
Use the `-pgp-key` option to provide a path to your PGP public key or Keybase
username to encrypt the new root token. **You will need the returned PGP
value to decode the new root token**.
```shell-session
$ vault operator generate-root -init -pgp-key=keybase:sethvargo
Nonce e24dec5e-f1ea-2dfe-ecce-604022006976
Started true
Progress 0/5
Complete false
PGP Fingerprint e2f8e2974623ba2a0e933a59c921994f9c27e0ff
```
</Tab>
</Tabs>
1. Distribute the nonce to each of your unseal/recovery key holders.
## Step 2: Establish key quorum with the token nonce
<Highlight title="Use TTY to autocomplete the nonce">
If you use a TTY, the `operator generate-root` command prompts for your key
and automatically completes the nonce value.
</Highlight>
1. Have each unseal/recovery key holder run `operator generator-root` with their
key and the distributed nonce value:
```shell-session
$ echo ${UNSEAL_OR_RECOVERY_KEY} | vault operator generate-root -nonce=${NONCE_VALUE} -
Root generation operation nonce: f67f4da3-4ae4-68fb-4716-91da6b609c3e
Unseal Key (will be hidden):
```
1. Vault returns the new, encoded root token to the user who triggers quorum:
<Tabs>
<Tab heading="OTP" group="otp">
```shell-session
Nonce f67f4da3-4ae4-68fb-4716-91da6b609c3e
Started true
Progress 5/5
Complete true
Encoded Token IxJpyqxn3YafOGhqhvP6cQ==
```
</Tab>
<Tab heading="PGP" group="pgp">
```shell-session
Nonce e24dec5e-f1ea-2dfe-ecce-604022006976
Started true
Progress 1/1
Complete true
PGP Fingerprint e2f8e2974623ba2a0e933a59c921994f9c27e0ff
Encoded Token wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg...
```
</Tab>
</Tabs>
## Step 3: Decode the new root token
Decode the new root token using OTP or PGP.
<Tabs>
<Tab heading="OTP" group="otp">
Use `operator generate-root` and the OTP value from nonce generation to decode
the new root token:
```shell-session
$ vault operator generate-root \
-decode=${ENCODED_TOKEN} \
-otp=${NONCE_OTP}
hvs.XXXXXXXXXXXXXXXXXXXXXXXX
```
</Tab>
<Tab heading="PGP" group="pgp">
Use your PGP credentials and `gpg` or `keybase` to decrypt the new root token.
**`gpg`**:
```shell-session
$ echo ${ENCODED_TOKEN} | base64 --decode | gpg --decrypt
hvs.XXXXXXXXXXXXXXXXXXXXXXXX
```
**`keybase`**:
```shell-session
$ echo ${ENCODED_TOKEN} | base64 --decode | keybase pgp decrypt
hvs.XXXXXXXXXXXXXXXXXXXXXXXX
```
</Tab>
</Tabs>
Reference in New Issue View Git Blame Copy Permalink