49 lines
1.2 KiB
Markdown
49 lines
1.2 KiB
Markdown
---
|
|
layout: "guides"
|
|
page_title: "Generate Root Tokens using Unseal Keys - Guides"
|
|
sidebar_current: "guides-generate-root"
|
|
description: |-
|
|
Generate a new root token using a threshold of unseal keys.
|
|
---
|
|
|
|
# Generate Root Tokens Using Unseal Keys
|
|
|
|
It is generally considered a best practice to not persist
|
|
[root tokens][root-tokens]. Instead a root token should be generated using
|
|
Vault's `generate-root` command only when absolutely necessary. This guide
|
|
demonstrates regenerating a root token.
|
|
|
|
1. Unseal the vault using the existing quorum of unseal keys. You do not need to
|
|
be authenticated.
|
|
|
|
```shell
|
|
$ vault unseal
|
|
# ...
|
|
```
|
|
|
|
2. Generate a one-time password:
|
|
|
|
```shell
|
|
$ vault generate-root -genotp
|
|
```
|
|
|
|
3. Get the encoded root token:
|
|
|
|
```shell
|
|
$ vault generate-root -otp="<otp>"
|
|
```
|
|
|
|
This will require a quorum of unseal keys. This will then output an encoded
|
|
root token.
|
|
|
|
4. Decode the encoded root token:
|
|
|
|
```shell
|
|
$ vault generate-root -otp="<otp>" -decode="<encoded-token>"
|
|
```
|
|
|
|
Please see `vault generate-root -help` for information on the alternate
|
|
technique using a PGP key.
|
|
|
|
[root-tokens]: /docs/concepts/tokens.html#root-tokens
|