mirror of
https://github.com/hashicorp/vault.git
synced 2025-11-18 17:21:13 +01:00
| layout | page_title | sidebar_current | description |
|---|---|---|---|
| docs | Generate Root Tokens Using Unseal Keys | docs-guides-generate-root | Generate a new root token using a threshold of unseal keys. |
Generate Root Tokens Using Unseal Keys
It's considered best practice not to keep root tokens around, as they are
all-powerful. Instead, if one is absolutely needed, create it using Vault's
`generate-root` command:
- Unseal the vault. You do not need to be authenticated (you do not need an existing root token).
- Generate a one-time password with `vault generate-root -genotp`.
- Get the encoded root token with `vault generate-root -otp <generated_otp>`. (Requires a quorum of unseal keys again, so needs to be done `<quorum>` times.)
- Decode the encoded root token with `vault generate-root -otp <generated_otp> -decode=<encoded_root_token>`.
See `vault generate-root -help` for information on the alternate technique
using a PGP key.
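
Why the decode step needs the OTP, as an added example that is not part of the original page or of Vault's code: a Python sketch of the OTP masking, showing that the encoded root token returned to the unseal-key holders is useless without the OTP. It assumes the encoding for the CLI generation documented here is base64 of a 16-byte token UUID XORed with a 16-byte OTP; the function names and the sample token are constructed for illustration.

```python
import base64
import secrets
import uuid

OTP_LEN = 16  # assumption: OTP and root token are both 16 raw bytes


def gen_otp() -> str:
    """Stand-in for the -genotp step: 16 random bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(OTP_LEN)).decode()


def _xor_b64(a_b64: str, b_b64: str) -> bytes:
    """XOR two base64 strings byte by byte; refuse unequal lengths."""
    a = base64.b64decode(a_b64, validate=True)
    b = base64.b64decode(b_b64, validate=True)
    if len(a) != len(b):
        raise ValueError("OTP and token must decode to the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encode_root_token(token: str, otp_b64: str) -> str:
    """Server side (assumed behaviour): mask the new root token with the OTP."""
    raw_b64 = base64.b64encode(uuid.UUID(token).bytes).decode()
    return base64.b64encode(_xor_b64(raw_b64, otp_b64)).decode()


def decode_root_token(encoded_b64: str, otp_b64: str) -> str:
    """Stand-in for the -decode step: unmask with the same OTP."""
    return str(uuid.UUID(bytes=_xor_b64(encoded_b64, otp_b64)))


if __name__ == "__main__":
    otp = gen_otp()
    token = str(uuid.uuid4())           # constructed sample, not a real token
    encoded = encode_root_token(token, otp)
    print("encoded root token:", encoded)
    print("decoded with OTP:  ", decode_root_token(encoded, otp))
    # A different OTP yields a well-formed but wrong token, so whoever sees
    # only the encoded value learns nothing about the real one.
    print("decoded, wrong OTP:", decode_root_token(encoded, gen_otp()))
```

The OTP therefore deserves the same handling as the root token itself: only the person who ran `-genotp` should hold it, and it should be discarded once the token is decoded.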