open-vault/website/source/guides/generate-root.html.md

---
layout: "guides"
page_title: "Generate Root Tokens using Unseal Keys - Guides"
sidebar_current: "guides-generate-root"
description: |-
  Generate a new root token using a threshold of unseal keys.
---

# Generate Root Tokens Using Unseal Keys

It is generally considered a best practice to not persist
[root tokens][root-tokens]. Instead a root token should be generated using
Vault's `generate-root` command only when absolutely necessary. This guide
demonstrates regenerating a root token.

1. Unseal the vault using the existing quorum of unseal keys. You do not need to
  be authenticated.

    ```shell
    $ vault unseal
    # ...
    ```

2. Generate a one-time password:

    ```shell
    $ vault generate-root -genotp
    ```

3. Get the encoded root token:

    ```shell
    $ vault generate-root -otp="<otp>"
    ```

    This will require a quorum of unseal keys. This will then output an encoded
    root token.

4. Decode the encoded root token:

    ```shell
    $ vault generate-root -otp="<otp>" -decode="<encoded-token>"
    ```

Please see `vault generate-root -help` for information on the alternate
technique using a PGP key.

[root-tokens]: /docs/concepts/tokens.html#root-tokens
Additional changes to @rfay's PR from https://github.com/hashicorp/vault/pull/2217. - Renamed Cookbook to Guides - Made Guides index page - Moved Guides link on sidebar - Minor formatting changes to generate-root guide 2017-01-24 00:41:25 +00:00			`---`
Add rekeying guide & move guides to top-level (#2935) 2017-06-29 13:43:43 +00:00			`layout: "guides"`
			`page_title: "Generate Root Tokens using Unseal Keys - Guides"`
			`sidebar_current: "guides-generate-root"`
Additional changes to @rfay's PR from https://github.com/hashicorp/vault/pull/2217. - Renamed Cookbook to Guides - Made Guides index page - Moved Guides link on sidebar - Minor formatting changes to generate-root guide 2017-01-24 00:41:25 +00:00			`description: \|-`
Update title and other minor changes. 2017-01-24 16:47:53 +00:00			`Generate a new root token using a threshold of unseal keys.`
Additional changes to @rfay's PR from https://github.com/hashicorp/vault/pull/2217. - Renamed Cookbook to Guides - Made Guides index page - Moved Guides link on sidebar - Minor formatting changes to generate-root guide 2017-01-24 00:41:25 +00:00			`---`

Update title and other minor changes. 2017-01-24 16:47:53 +00:00			`# Generate Root Tokens Using Unseal Keys`
Additional changes to @rfay's PR from https://github.com/hashicorp/vault/pull/2217. - Renamed Cookbook to Guides - Made Guides index page - Moved Guides link on sidebar - Minor formatting changes to generate-root guide 2017-01-24 00:41:25 +00:00
Move upgrade into guides (#2460) * Move upgrades to guides * Make root token copy-pastable 2017-03-08 22:33:58 +00:00			`It is generally considered a best practice to not persist`
			`[root tokens][root-tokens]. Instead a root token should be generated using`
			Vault's `generate-root` command only when absolutely necessary. This guide
			`demonstrates regenerating a root token.`

			`1. Unseal the vault using the existing quorum of unseal keys. You do not need to`
			`be authenticated.`

			```shell
			`$ vault unseal`
			`# ...`
			```

			`2. Generate a one-time password:`

			```shell
			`$ vault generate-root -genotp`
			```

			`3. Get the encoded root token:`

			```shell
			`$ vault generate-root -otp="<otp>"`
			```

			`This will require a quorum of unseal keys. This will then output an encoded`
			`root token.`

			`4. Decode the encoded root token:`

			```shell
			`$ vault generate-root -otp="<otp>" -decode="<encoded-token>"`
			```

			Please see `vault generate-root -help` for information on the alternate
			`technique using a PGP key.`

			`[root-tokens]: /docs/concepts/tokens.html#root-tokens`