1.2 KiB
1.2 KiB
| layout | page_title | sidebar_current | description |
|---|---|---|---|
| docs | Generate Root Tokens Using Unseal Keys | docs-guides-generate-root | Generate a new root token using a threshold of unseal keys. |
Generate Root Tokens Using Unseal Keys
It is generally considered a best practice to not persist
root tokens. Instead a root token should be generated using
Vault's generate-root command only when absolutely necessary. This guide
demonstrates regenerating a root token.
-
Unseal the vault using the existing quorum of unseal keys. You do not need to be authenticated.
$ vault unseal # ... -
Generate a one-time password:
$ vault generate-root -genotp -
Get the encoded root token:
$ vault generate-root -otp="<otp>"This will require a quorum of unseal keys. This will then output an encoded root token.
-
Decode the encoded root token:
$ vault generate-root -otp="<otp>" -decode="<encoded-token>"
Please see vault generate-root -help for information on the alternate
technique using a PGP key.