2017-06-29 13:43:43 +00:00
---
2020-01-18 00:18:09 +00:00
layout: guides
page_title: Rekeying & Rotating Vault - Guides
sidebar_title: Rekeying & Rotating
2017-06-29 13:43:43 +00:00
description: |-
Vault supports generating new unseal keys as well as rotating the underlying
encryption keys. This guide covers rekeying and rotating Vault's encryption
keys.
---
# Rekeying & Rotating Vault
~> **Advanced Topic** This guide presents an advanced topic that is not required
for a basic understanding of Vault. Knowledge of this topic is not required for
daily Vault use.
## Background
In order to prevent no one person from having complete access to the system,
2017-08-01 14:27:06 +00:00
Vault employs [Shamir's Secret Sharing Algorithm][shamir]. Under this process,
2017-06-29 13:43:43 +00:00
a secret is divided into a subset of parts such that a subset of those parts are
needed to reconstruct the original secret. Vault makes heavy use of this
2020-01-22 20:05:41 +00:00
algorithm as part of the [unsealing process](/docs/concepts/seal).
2017-06-29 13:43:43 +00:00
When a Vault server is first initialized, Vault generates a master key and
immediately splits this master key into a series of key shares following
Shamir's Secret Sharing Algorithm. Vault never stores the master key, therefore,
the only way to retrieve the master key is to have a quorum of unseal keys
re-generate it.
The master key is used to decrypt the underlying encryption key. Vault uses the
encryption key to encrypt data at rest in a storage backend like the filesystem
or Consul.
Typically each of these key shares is distributed to trusted parties in the
organization. These parties must come together to "unseal" the Vault by entering
their key share.
New Docs Website (#5535)
* conversion stage 1
* correct image paths
* add sidebar title to frontmatter
* docs/concepts and docs/internals
* configuration docs and multi-level nav corrections
* commands docs, index file corrections, small item nav correction
* secrets converted
* auth
* add enterprise and agent docs
* add extra dividers
* secret section, wip
* correct sidebar nav title in front matter for apu section, start working on api items
* auth and backend, a couple directory structure fixes
* remove old docs
* intro side nav converted
* reset sidebar styles, add hashi-global-styles
* basic styling for nav sidebar
* folder collapse functionality
* patch up border length on last list item
* wip restructure for content component
* taking middleman hacking to the extreme, but its working
* small css fix
* add new mega nav
* fix a small mistake from the rebase
* fix a content resolution issue with middleman
* title a couple missing docs pages
* update deps, remove temporary markup
* community page
* footer to layout, community page css adjustments
* wip downloads page
* deps updated, downloads page ready
* fix community page
* homepage progress
* add components, adjust spacing
* docs and api landing pages
* a bunch of fixes, add docs and api landing pages
* update deps, add deploy scripts
* add readme note
* update deploy command
* overview page, index title
* Update doc fields
Note this still requires the link fields to be populated -- this is solely related to copy on the description fields
* Update api_basic_categories.yml
Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.
* Add bottom hero, adjust CSS, responsive friendly
* Add mega nav title
* homepage adjustments, asset boosts
* small fixes
* docs page styling fixes
* meganav title
* some category link corrections
* Update API categories page
updated to reflect the second level headings for api categories
* Update docs_detailed_categories.yml
Updated to represent the existing docs structure
* Update docs_detailed_categories.yml
* docs page data fix, extra operator page remove
* api data fix
* fix makefile
* update deps, add product subnav to docs and api landing pages
* Rearrange non-hands-on guides to _docs_
Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.
* WIP Redirects for guides to docs
* content and component updates
* font weight hotfix, redirects
* fix guides and intro sidenavs
* fix some redirects
* small style tweaks
* Redirects to learn and internally to docs
* Remove redirect to `/vault`
* Remove `.html` from destination on redirects
* fix incorrect index redirect
* final touchups
* address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
[](/img/vault-shamir-secret-sharing.svg)
2017-06-29 13:43:43 +00:00
[shamir]: https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing
In some cases, you may want to re-generate the master key and key shares. Here
are a few examples:
- Someone joins or leaves the organization
- Security wants to change the number of shares or threshold of shares
- Compliance mandates the master key be rotated at a regular interval
In addition to rekeying the master key, there may be an independent desire to
rotate the underlying encryption key Vault uses to encrypt data at rest.
New Docs Website (#5535)
* conversion stage 1
* correct image paths
* add sidebar title to frontmatter
* docs/concepts and docs/internals
* configuration docs and multi-level nav corrections
* commands docs, index file corrections, small item nav correction
* secrets converted
* auth
* add enterprise and agent docs
* add extra dividers
* secret section, wip
* correct sidebar nav title in front matter for apu section, start working on api items
* auth and backend, a couple directory structure fixes
* remove old docs
* intro side nav converted
* reset sidebar styles, add hashi-global-styles
* basic styling for nav sidebar
* folder collapse functionality
* patch up border length on last list item
* wip restructure for content component
* taking middleman hacking to the extreme, but its working
* small css fix
* add new mega nav
* fix a small mistake from the rebase
* fix a content resolution issue with middleman
* title a couple missing docs pages
* update deps, remove temporary markup
* community page
* footer to layout, community page css adjustments
* wip downloads page
* deps updated, downloads page ready
* fix community page
* homepage progress
* add components, adjust spacing
* docs and api landing pages
* a bunch of fixes, add docs and api landing pages
* update deps, add deploy scripts
* add readme note
* update deploy command
* overview page, index title
* Update doc fields
Note this still requires the link fields to be populated -- this is solely related to copy on the description fields
* Update api_basic_categories.yml
Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.
* Add bottom hero, adjust CSS, responsive friendly
* Add mega nav title
* homepage adjustments, asset boosts
* small fixes
* docs page styling fixes
* meganav title
* some category link corrections
* Update API categories page
updated to reflect the second level headings for api categories
* Update docs_detailed_categories.yml
Updated to represent the existing docs structure
* Update docs_detailed_categories.yml
* docs page data fix, extra operator page remove
* api data fix
* fix makefile
* update deps, add product subnav to docs and api landing pages
* Rearrange non-hands-on guides to _docs_
Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.
* WIP Redirects for guides to docs
* content and component updates
* font weight hotfix, redirects
* fix guides and intro sidenavs
* fix some redirects
* small style tweaks
* Redirects to learn and internally to docs
* Remove redirect to `/vault`
* Remove `.html` from destination on redirects
* fix incorrect index redirect
* final touchups
* address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
[](/img/vault-rekey-vs-rotate.svg)
2017-06-29 13:43:43 +00:00
In Vault, _rekeying_ and _rotating_ are two separate operations. The process for
generating a new master key and applying Shamir's algorithm is called
"rekeying". The process for generating a new encryption key for Vault to encrypt
data at rest is called "rotating".
Both rekeying the Vault and rotating Vault's underlying encryption key are fully
online operations. Vault will continue to service requests uninterrupted during
either of these processes.
## Rekeying Vault
Rekeying the Vault requires a quorum of unseal keys. Before continuing, you
2017-12-02 18:34:51 +00:00
should ensure enough unseal key holders are available to assist with the
rekeying to match the threshold configured when the keys were issued.
2017-06-29 13:43:43 +00:00
2020-12-17 21:53:33 +00:00
Please also observe that if Vault is configured with _auto_unseal_ (and the keys thus are the _recovery_keys_), an extra flag `-target=recovery` has to be provided for each of the commands below. Otherwise the _key-shares_ will default to **1** no matter what value you set.
2020-06-08 13:26:49 +00:00
2017-06-29 13:43:43 +00:00
First, initialize a rekeying operation. The flags represent the **newly
desired** number of keys and threshold:
2020-05-21 17:18:17 +00:00
```shell-session
2017-09-21 20:56:29 +00:00
$ vault operator rekey -init -key-shares=3 -key-threshold=2
2017-06-29 13:43:43 +00:00
```
This will generate a nonce value and start the rekeying process. All other
unseal keys must also provide this nonce value. This nonce value is not a
secret, so it is safe to distribute over insecure channels like chat, email, or
carrier pigeon.
```text
2017-09-21 20:56:29 +00:00
Key Value
--- -----
Nonce dc1aec3b-ae67-5780-b4b5-2a10ca05b17c
Started true
Rekey Progress 0/1
New Shares 3
New Threshold 2
2017-06-29 13:43:43 +00:00
```
Each unseal key holder runs the following command and enters their unseal key:
2020-05-21 17:18:17 +00:00
```shell-session
2018-06-05 16:37:26 +00:00
$ vault operator rekey -nonce=<nonce>
2017-09-21 20:56:29 +00:00
Rekey operation nonce: dc1aec3b-ae67-5780-b4b5-2a10ca05b17c
2017-06-29 13:43:43 +00:00
Key (will be hidden):
```
When the final unseal key holder enters their key, Vault will output the new
unseal keys:
```text
Key 1: EDj4NZK6z5Y9rpr+TtihTulfdHvFzXtBYQk36dmBczuQ
Key 2: sCkM1i5BGGNDFk5GsqtVolWRPyd5mWn2eZG0gUySiCF7
Key 3: e5DUvDIH0cPU8Q+hh1KNVkkMc9lliliPVe9u3Fzbzv38
2017-09-21 20:56:29 +00:00
Operation nonce: dc1aec3b-ae67-5780-b4b5-2a10ca05b17c
2017-06-29 13:43:43 +00:00
Vault rekeyed with 3 keys and a key threshold of 2. Please
securely distribute the above keys. When the vault is re-sealed,
restarted, or stopped, you must provide at least 2 of these keys
to unseal it again.
Vault does not store the master key. Without at least 2 keys,
your vault will remain permanently sealed.
```
Like the initialization process, Vault supports PGP encrypting the resulting
unseal keys and creating backup encryption keys for disaster recovery.
## Rotating the Encryption Key
Unlike rekeying the Vault, rotating Vault's encryption key does not require a
quorum of unseal keys. Anyone with the proper permissions in Vault can perform
the encryption key rotation.
To trigger a key rotation, execute the command:
2020-05-21 17:18:17 +00:00
```shell-session
2018-06-05 16:37:26 +00:00
$ vault operator rotate
2017-06-29 13:43:43 +00:00
```
This will output the key version and installation time:
```text
Key Term: 2
Installation Time: ...
```
This will add a new key to the keyring. All new values written to the storage
backend will be encrypted with this new key.
