luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/content/docs/commands/operator/init.mdx
Ashlee M Boyer f3df55ad58
docs: Migrate link formats (#18696) 
* Adding check-legacy-links-format workflow

* Adding test-link-rewrites workflow

* Updating docs-content-check-legacy-links-format hash

* Migrating links to new format

Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com>
2023-01-25 16:12:15 -08:00

126 lines
5.4 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: operator init - Command
description: |-
The "operator init" command initializes a Vault server. Initialization is the
process by which Vault's storage backend is prepared to receive data. Since
Vault servers share the same storage backend in HA mode, you only need to
initialize one Vault to initialize the storage backend.
---
# operator init
The `operator init` command initializes a Vault server. Initialization is the
process by which Vault's storage backend is prepared to receive data. Since
Vault servers share the same storage backend in HA mode, you only need to
initialize one Vault to initialize the storage backend.
This command cannot be run against already-initialized Vault cluster.
During initialization, Vault generates a root key, which is stored in the storage backend alongside all other Vault data. The root key itself is encrypted and requires an _unseal key_ to decrypt it.
The default Vault configuration uses [Shamir's Secret Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing) to split the root key into a configured number of shards (referred as key shares, or unseal keys). A certain threshold of shards is required to reconstruct the root key, which is then used to decrypt the Vault's encryption key.
Refer to the [Seal/Unseal](/vault/docs/concepts/seal#seal-unseal) documentation for further details.
## Examples
Start initialization with the default options:
```shell-session
$ vault operator init
```
Initialize, but encrypt the unseal keys with pgp keys:
```shell-session
$ vault operator init \
-key-shares=3 \
-key-threshold=2 \
-pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
```
Initialize Auto Unseal with a non-default threshold and number of recovery keys, and encrypt the recovery keys with pgp keys:
```shell-session
$ vault operator init \
-recovery-shares=7 \
-recovery-threshold=4 \
-recovery-pgp-keys="keybase:jeff,keybase:chris,keybase:brian,keybase:calvin,keybase:matthew,keybase:vishal,keybase:nick"
```
Encrypt the initial root token using a pgp key:
```shell-session
$ vault operator init -root-token-pgp-key="keybase:hashicorp"
```
## Usage
The following flags are available in addition to the [standard set of
flags](/vault/docs/commands) included on all commands.
### Output Options
- `-format` `(string: "")` - Print the output in the given format. Valid formats
are "table", "json", or "yaml". The default is table. This can also be
specified via the `VAULT_FORMAT` environment variable.
### Common Options
- `-key-shares` `(int: 5)` - Number of key shares to split the generated master
key into. This is the number of "unseal keys" to generate. This is aliased as
`-n`.
- `-key-threshold` `(int: 3)` - Number of key shares required to reconstruct the
root key. This must be less than or equal to -key-shares. This is aliased as
`-t`.
- `-pgp-keys` `(string: "...")` - Comma-separated list of paths to files on disk
containing public PGP keys OR a comma-separated list of Keybase usernames
using the format `keybase:<username>`. When supplied, the generated unseal
keys will be encrypted and base64-encoded in the order specified in this list.
The number of entries must match -key-shares, unless -stored-shares are used.
- `-root-token-pgp-key` `(string: "")` - Path to a file on disk containing a
binary or base64-encoded public PGP key. This can also be specified as a
Keybase username using the format `keybase:<username>`. When supplied, the
generated root token will be encrypted and base64-encoded with the given
public key.
- `-status` `(bool": false)` - Print the current initialization status. An exit
code of 0 means the Vault is already initialized. An exit code of 1 means an
error occurred. An exit code of 2 means the Vault is not initialized.
### Consul Options
- `-consul-auto` `(bool: false)` - Perform automatic service discovery using
Consul in HA mode. When all nodes in a Vault HA cluster are registered with
Consul, enabling this option will trigger automatic service discovery based on
the provided -consul-service value. When Consul is Vault's HA backend, this
functionality is automatically enabled. Ensure the proper Consul environment
variables are set (CONSUL_HTTP_ADDR, etc). When only one Vault server is
discovered, it will be initialized automatically. When more than one Vault
server is discovered, they will each be output for selection. The default is
false.
- `-consul-service` `(string: "vault")` - Name of the service in Consul under
which the Vault servers are registered.
### HSM and KMS Options
- `-recovery-pgp-keys` `(string: "...")` - Behaves like `-pgp-keys`, but for the
recovery key shares. This is only available with [Auto Unseal](/vault/docs/concepts/seal#auto-unseal) seals (HSM, KMS and Transit seals).
- `-recovery-shares` `(int: 5)` - Number of key shares to split the recovery key
into. This is only available with [Auto Unseal](/vault/docs/concepts/seal#auto-unseal) seals (HSM, KMS and Transit seals).
- `-recovery-threshold` `(int: 3)` - Number of key shares required to
reconstruct the recovery key. This is only available with [Auto Unseal](/vault/docs/concepts/seal#auto-unseal) seals (HSM, KMS and Transit seals).
- `-stored-shares` `(int: 0)` - Number of unseal keys to store on an HSM. This
must be equal to `-key-shares`.
-> **Recovery keys:** Refer to the
[Seal/Unseal](/vault/docs/concepts/seal#recovery-key) documentation to learn more
about recovery keys.
Reference in a new issue View git blame Copy permalink