---
layout: "docs"
page_title: "operator init - Command"
sidebar_title: "init"
sidebar_current: "docs-commands-operator-init"
description: |-
  The "operator init" command initializes a Vault server. Initialization is the
  process by which Vault's storage backend is prepared to receive data. Since
  Vault servers share the same storage backend in HA mode, you only need to
  initialize one Vault to initialize the storage backend.
---

# operator init

The `operator init` command initializes a Vault server. Initialization is the
process by which Vault's storage backend is prepared to receive data. Since
Vault servers share the same storage backend in HA mode, you only need to
initialize one Vault to initialize the storage backend.

During initialization, Vault generates an in-memory master key and applies
Shamir's secret sharing algorithm to split that master key into a
configurable number of key shares (`-key-shares`) such that a configurable
threshold of those key shares (`-key-threshold`) must come together to
regenerate the master key. These keys are often called "unseal keys" in
Vault's documentation.

This command cannot be run against an already-initialized Vault cluster.

For more information on sealing and unsealing, please see the [seal concepts page](/docs/concepts/seal.html).

## Examples

Start initialization with the default options:

```text
$ vault operator init
```

Initialize with 3 key shares and a threshold of 2, encrypting each unseal key
with one of the given PGP keys (one key per share, in order):

```text
$ vault operator init \
    -key-shares=3 \
    -key-threshold=2 \
    -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
```

Encrypt the initial root token using a PGP key:

```text
$ vault operator init -root-token-pgp-key="keybase:hashicorp"
```

## Usage

The following flags are available in addition to the [standard set of
flags](/docs/commands/index.html) included on all commands.

### Output Options

- `-format` `(string: "")` - Print the output in the given format. Valid formats
  are "table", "json", or "yaml". The default is table. This can also be
  specified via the `VAULT_FORMAT` environment variable.

### Common Options

- `-key-shares` `(int: 5)` - Number of key shares to split the generated master
  key into. This is the number of "unseal keys" to generate. This is aliased as
  `-n`.

- `-key-threshold` `(int: 3)` - Number of key shares required to reconstruct the
  master key. This must be less than or equal to `-key-shares`. This is aliased
  as `-t`.

- `-pgp-keys` `(string: "...")` - Comma-separated list of paths to files on disk
  containing public GPG keys OR a comma-separated list of Keybase usernames
  using the format `keybase:<username>`. When supplied, the generated unseal
  keys will be encrypted and base64-encoded in the order specified in this list.
  The number of entries must match `-key-shares`, unless `-stored-shares` is
  used.

- `-root-token-pgp-key` `(string: "")` - Path to a file on disk containing a
  binary or base64-encoded public GPG key. This can also be specified as a
  Keybase username using the format `keybase:<username>`. When supplied, the
  generated root token will be encrypted and base64-encoded with the given
  public key.

- `-status` `(bool: false)` - Print the current initialization status. An exit
  code of 0 means the Vault is already initialized. An exit code of 1 means an
  error occurred. An exit code of 2 means the Vault is not initialized.
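
To make the relationship between `-key-shares` and `-key-threshold` concrete,
below is an added example of the Shamir secret sharing construction described
in the introduction above. It is written for this page and is not Vault's
`shamir` package or any other Vault code: it works in the same GF(2^8) field
(reducing polynomial `0x11b`), but uses a simplified `(x, y_bytes)` share
layout rather than Vault's own share encoding, and the names `split_secret`,
`combine_shares` and `seeded_rng` are the example's own.

```python
"""Shamir secret sharing over GF(2^8): the scheme behind -key-shares and
-key-threshold. Teaching implementation for this page, not Vault's package."""
import random
import secrets

# GF(2^8) with reducing polynomial x^8 + x^4 + x^3 + x + 1 (0x11b), the
# field Vault's shamir package also works in.
_POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (carry-less multiply with reduction)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= _POLY
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (every nonzero a satisfies a^255 = 1)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def split_secret(secret: bytes, shares: int, threshold: int, rng=secrets.token_bytes):
    """Split `secret` into `shares` shares, any `threshold` of which recover it.

    Enforces the same constraint the CLI documents for -key-threshold
    (threshold <= shares); at most 255 shares because x ranges over the
    nonzero field elements. Share layout (x, y_bytes) is this example's own.
    """
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    ys = [bytearray() for _ in range(shares)]
    for s in secret:
        # Per secret byte: a random polynomial of degree threshold-1 whose
        # constant term is the secret byte, evaluated at x = 1..shares.
        coeffs = [s] + list(rng(threshold - 1))
        for x in range(1, shares + 1):
            y = 0
            for c in reversed(coeffs):  # Horner's rule, highest degree first
                y = gf_mul(y, x) ^ c
            ys[x - 1].append(y)
    return [(x, bytes(ys[x - 1])) for x in range(1, shares + 1)]


def combine_shares(shares):
    """Lagrange-interpolate each byte's polynomial at x = 0 to recover the secret.

    Interpolation cannot tell how many shares were required: fewer than
    `threshold` shares still yield bytes, just wrong ones. Vault records the
    threshold at init time and refuses to unseal until it is met.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for xj, yj in shares:
            # Basis polynomial at 0: prod_{m != j} x_m / (x_m - x_j).
            # In characteristic 2, subtraction is XOR.
            num = den = 1
            for xm, _ in shares:
                if xm != xj:
                    num = gf_mul(num, xm)
                    den = gf_mul(den, xm ^ xj)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def seeded_rng(seed: int):
    """Deterministic byte source for reproducible demos only; never for real keys."""
    r = random.Random(seed)
    return lambda n: bytes(r.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # constructed stand-in for the in-memory master key
    parts = split_secret(master, shares=5, threshold=3)
    assert combine_shares([parts[4], parts[0], parts[2]]) == master
    assert combine_shares(parts[:2]) != master  # two of five is not enough
    print("any 3 of 5 shares recover the key; 2 do not")
```

Running it shows that any three of five shares rebuild the 32-byte stand-in
master key in any order, that two shares produce a plausible but wrong value
rather than an error, and that a threshold larger than the share count is
rejected before any share is produced, which is why the CLI requires
`-key-threshold` to be at most `-key-shares`.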

### Consul Options

- `-consul-auto` `(bool: false)` - Perform automatic service discovery using
  Consul in HA mode. When all nodes in a Vault HA cluster are registered with
  Consul, enabling this option will trigger automatic service discovery based on
  the provided `-consul-service` value. When Consul is Vault's HA backend, this
  functionality is automatically enabled. Ensure the proper Consul environment
  variables are set (`CONSUL_HTTP_ADDR`, etc). When only one Vault server is
  discovered, it will be initialized automatically. When more than one Vault
  server is discovered, they will each be output for selection. The default is
  false.

- `-consul-service` `(string: "vault")` - Name of the service in Consul under
  which the Vault servers are registered.

### HSM Options

- `-recovery-pgp-keys` `(string: "...")` - Behaves like `-pgp-keys`, but for the
  recovery key shares. This is only used in HSM mode.

- `-recovery-shares` `(int: 5)` - Number of key shares to split the recovery key
  into. This is only used in HSM mode.

- `-recovery-threshold` `(int: 3)` - Number of key shares required to
  reconstruct the recovery key. This is only used in HSM mode.

- `-stored-shares` `(int: 0)` - Number of unseal keys to store on an HSM. This
  must be equal to `-key-shares`.