2017-01-24 00:41:25 +00:00
|
|
|
---
|
2017-06-29 13:43:43 +00:00
|
|
|
layout: "guides"
|
|
|
|
|
page_title: "Generate Root Tokens using Unseal Keys - Guides"
|
New Docs Website (#5535)
* conversion stage 1
* correct image paths
* add sidebar title to frontmatter
* docs/concepts and docs/internals
* configuration docs and multi-level nav corrections
* commands docs, index file corrections, small item nav correction
* secrets converted
* auth
* add enterprise and agent docs
* add extra dividers
* secret section, wip
* correct sidebar nav title in front matter for apu section, start working on api items
* auth and backend, a couple directory structure fixes
* remove old docs
* intro side nav converted
* reset sidebar styles, add hashi-global-styles
* basic styling for nav sidebar
* folder collapse functionality
* patch up border length on last list item
* wip restructure for content component
* taking middleman hacking to the extreme, but its working
* small css fix
* add new mega nav
* fix a small mistake from the rebase
* fix a content resolution issue with middleman
* title a couple missing docs pages
* update deps, remove temporary markup
* community page
* footer to layout, community page css adjustments
* wip downloads page
* deps updated, downloads page ready
* fix community page
* homepage progress
* add components, adjust spacing
* docs and api landing pages
* a bunch of fixes, add docs and api landing pages
* update deps, add deploy scripts
* add readme note
* update deploy command
* overview page, index title
* Update doc fields
Note this still requires the link fields to be populated -- this is solely related to copy on the description fields
* Update api_basic_categories.yml
Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.
* Add bottom hero, adjust CSS, responsive friendly
* Add mega nav title
* homepage adjustments, asset boosts
* small fixes
* docs page styling fixes
* meganav title
* some category link corrections
* Update API categories page
updated to reflect the second level headings for api categories
* Update docs_detailed_categories.yml
Updated to represent the existing docs structure
* Update docs_detailed_categories.yml
* docs page data fix, extra operator page remove
* api data fix
* fix makefile
* update deps, add product subnav to docs and api landing pages
* Rearrange non-hands-on guides to _docs_
Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.
* WIP Redirects for guides to docs
* content and component updates
* font weight hotfix, redirects
* fix guides and intro sidenavs
* fix some redirects
* small style tweaks
* Redirects to learn and internally to docs
* Remove redirect to `/vault`
* Remove `.html` from destination on redirects
* fix incorrect index redirect
* final touchups
* address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
|
|
|
sidebar_title: "Root Token Generation"
|
2018-02-23 00:24:01 +00:00
|
|
|
sidebar_current: "guides-operations-generate-root"
|
2017-01-24 00:41:25 +00:00
|
|
|
description: |-
|
2017-01-24 16:47:53 +00:00
|
|
|
Generate a new root token using a threshold of unseal keys.
|
2017-01-24 00:41:25 +00:00
|
|
|
---
|
|
|
|
|
|
2017-01-24 16:47:53 +00:00
|
|
|
# Generate Root Tokens Using Unseal Keys
|
2017-01-24 00:41:25 +00:00
|
|
|
|
2017-03-08 22:33:58 +00:00
|
|
|
It is generally considered a best practice to not persist
|
|
|
|
|
[root tokens][root-tokens]. Instead a root token should be generated using
|
2018-03-31 15:17:08 +00:00
|
|
|
Vault's `operator generate-root` command only when absolutely necessary. This
|
|
|
|
|
guide demonstrates regenerating a root token.
|
2017-03-08 22:33:58 +00:00
|
|
|
|
|
|
|
|
1. Unseal the vault using the existing quorum of unseal keys. You do not need to
|
2017-09-05 03:52:05 +00:00
|
|
|
be authenticated to generate a new root token, but the Vault must be unsealed
|
|
|
|
|
and a quorum of unseal keys must be available.
|
2017-03-08 22:33:58 +00:00
|
|
|
|
|
|
|
|
```shell
|
2017-09-21 20:56:29 +00:00
|
|
|
$ vault operator unseal
|
2017-03-08 22:33:58 +00:00
|
|
|
# ...
|
|
|
|
|
```
|
|
|
|
|
|
2017-09-05 03:52:05 +00:00
|
|
|
### Using OTP
|
2017-03-08 22:33:58 +00:00
|
|
|
|
2017-09-05 03:52:05 +00:00
|
|
|
In this method, an OTP is XORed with the generated token on final output.
|
|
|
|
|
|
|
|
|
|
1. Generate a one-time password (OTP) to use for XORing the resulting token:
|
|
|
|
|
|
|
|
|
|
```text
|
2017-09-21 20:56:29 +00:00
|
|
|
$ vault operator generate-root -generate-otp
|
2017-09-05 03:52:05 +00:00
|
|
|
mOXx7iVimjE6LXQ2Zna6NA==
|
2017-03-08 22:33:58 +00:00
|
|
|
```
|
|
|
|
|
|
2017-09-05 03:52:05 +00:00
|
|
|
Save this OTP because you will need it to get the decoded final root token.
|
2017-03-08 22:33:58 +00:00
|
|
|
|
2017-09-05 03:52:05 +00:00
|
|
|
1. Initialize a root token generation, providing the OTP code from the step
|
|
|
|
|
above:
|
|
|
|
|
|
|
|
|
|
```text
|
2017-09-21 20:56:29 +00:00
|
|
|
$ vault operator generate-root -init -otp=mOXx7iVimjE6LXQ2Zna6NA==
|
2017-09-05 03:52:05 +00:00
|
|
|
Nonce f67f4da3-4ae4-68fb-4716-91da6b609c3e
|
|
|
|
|
Started true
|
|
|
|
|
Progress 0/5
|
|
|
|
|
Complete false
|
2017-03-08 22:33:58 +00:00
|
|
|
```
|
|
|
|
|
|
2017-09-05 03:52:05 +00:00
|
|
|
The nonce value should be distributed to all unseal key holders.
|
2017-03-08 22:33:58 +00:00
|
|
|
|
2018-02-13 16:03:35 +00:00
|
|
|
1. Each unseal key holder provides their unseal key:
|
2017-03-08 22:33:58 +00:00
|
|
|
|
2017-09-05 03:52:05 +00:00
|
|
|
```text
|
2017-09-21 20:56:29 +00:00
|
|
|
$ vault operator generate-root
|
2017-09-05 03:52:05 +00:00
|
|
|
Root generation operation nonce: f67f4da3-4ae4-68fb-4716-91da6b609c3e
|
|
|
|
|
Unseal Key (will be hidden): ...
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
If there is a tty, Vault will prompt for the key and automatically
|
|
|
|
|
complete the nonce value. If there is no tty, or if the value is piped
|
|
|
|
|
from stdin, the user must specify the nonce value from the `-init`
|
|
|
|
|
operation.
|
|
|
|
|
|
|
|
|
|
```text
|
2017-09-21 20:56:29 +00:00
|
|
|
$ echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -
|
2017-09-05 03:52:05 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
1. When the quorum of unseal keys are supplied, the final user will also get
|
|
|
|
|
the encoded root token.
|
|
|
|
|
|
|
|
|
|
```text
|
2017-09-21 20:56:29 +00:00
|
|
|
$ vault operator generate-root
|
2017-09-05 03:52:05 +00:00
|
|
|
Root generation operation nonce: f67f4da3-4ae4-68fb-4716-91da6b609c3e
|
|
|
|
|
Unseal Key (will be hidden):
|
|
|
|
|
|
|
|
|
|
Nonce f67f4da3-4ae4-68fb-4716-91da6b609c3e
|
|
|
|
|
Started true
|
|
|
|
|
Progress 5/5
|
|
|
|
|
Complete true
|
|
|
|
|
Root Token IxJpyqxn3YafOGhqhvP6cQ==
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
1. Decode the encoded token using the OTP:
|
|
|
|
|
|
|
|
|
|
```text
|
2017-09-21 20:56:29 +00:00
|
|
|
$ vault operator generate-root \
|
2017-09-05 03:52:05 +00:00
|
|
|
-decode=IxJpyqxn3YafOGhqhvP6cQ== \
|
|
|
|
|
-otp=mOXx7iVimjE6LXQ2Zna6NA==
|
|
|
|
|
|
|
|
|
|
24bde68f-3df3-e137-cf4d-014fe9ebc43f
|
2017-03-08 22:33:58 +00:00
|
|
|
```
|
|
|
|
|
|
2017-09-05 03:52:05 +00:00
|
|
|
### Using PGP
|
|
|
|
|
|
|
|
|
|
1. Initialize a root token generation, providing the path to a GPG public key
|
|
|
|
|
or keybase username of a user to encrypted the resulting token.
|
|
|
|
|
|
|
|
|
|
```text
|
2017-09-21 20:56:29 +00:00
|
|
|
$ vault operator generate-root -init -pgp-key=keybase:sethvargo
|
2017-09-05 03:52:05 +00:00
|
|
|
Nonce e24dec5e-f1ea-2dfe-ecce-604022006976
|
|
|
|
|
Started true
|
|
|
|
|
Progress 0/5
|
|
|
|
|
Complete false
|
|
|
|
|
PGP Fingerprint e2f8e2974623ba2a0e933a59c921994f9c27e0ff
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
The nonce value should be distributed to all unseal key holders.
|
|
|
|
|
|
|
|
|
|
1. Each unseal key holder providers their unseal key:
|
|
|
|
|
|
|
|
|
|
```text
|
2017-09-21 20:56:29 +00:00
|
|
|
$ vault operator generate-root
|
2017-09-05 03:52:05 +00:00
|
|
|
Root generation operation nonce: e24dec5e-f1ea-2dfe-ecce-604022006976
|
|
|
|
|
Unseal Key (will be hidden): ...
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
If there is a tty, Vault will prompt for the key and automatically
|
|
|
|
|
complete the nonce value. If there is no tty, or if the value is piped
|
|
|
|
|
from stdin, the user must specify the nonce value from the `-init`
|
|
|
|
|
operation.
|
|
|
|
|
|
|
|
|
|
```text
|
2018-03-31 15:17:08 +00:00
|
|
|
$ echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -
|
2017-09-05 03:52:05 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
1. When the quorum of unseal keys are supplied, the final user will also get
|
|
|
|
|
the encoded root token.
|
|
|
|
|
|
|
|
|
|
```text
|
2017-09-21 20:56:29 +00:00
|
|
|
$ vault operator generate-root
|
2017-09-05 03:52:05 +00:00
|
|
|
Root generation operation nonce: e24dec5e-f1ea-2dfe-ecce-604022006976
|
|
|
|
|
Unseal Key (will be hidden):
|
|
|
|
|
|
|
|
|
|
Nonce e24dec5e-f1ea-2dfe-ecce-604022006976
|
|
|
|
|
Started true
|
|
|
|
|
Progress 1/1
|
|
|
|
|
Complete true
|
|
|
|
|
PGP Fingerprint e2f8e2974623ba2a0e933a59c921994f9c27e0ff
|
|
|
|
|
Root Token wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg...
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
1. Decrypt the encrypted token using associated private key:
|
|
|
|
|
|
|
|
|
|
```text
|
|
|
|
|
$ echo "wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg..." | base64 --decode | gpg --decrypt
|
|
|
|
|
|
|
|
|
|
d0f71e9b-ebff-6d8a-50ae-b8859f2e5671
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
or via keybase:
|
|
|
|
|
|
|
|
|
|
```text
|
|
|
|
|
$ echo "wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg..." | base64 --decode | keybase pgp decrypt
|
|
|
|
|
|
|
|
|
|
d0f71e9b-ebff-6d8a-50ae-b8859f2e5671
|
|
|
|
|
```
|
2017-03-08 22:33:58 +00:00
|
|
|
|
|
|
|
|
[root-tokens]: /docs/concepts/tokens.html#root-tokens
|