Regenerate a Vault root token
Your Vault root token is a special token that gives you access to all Vault operations. Best practice is to enable an appropriate authentication method for Vault admins once the server is running and revoke the root token.
For emergency situations where you require a root token, you can use the operator generate-root CLI command and a one-time password (OTP) or Pretty Good Privacy (PGP) to generate a new root token.
Before you start
- You need your Vault keys. If you use auto-unseal, you need your recovery keys, otherwise you need your unseal keys.
- Identify current key holders. You must distribute the token nonce to your unseal/recovery key holders during root token generation.
Step 1: Create a root token nonce
Generate a token nonce for your new root token:
You need the returned OTP value to decode the new root token.
    $ vault operator generate-root -init
    A One-Time-Password has been generated for you and is shown in the OTP field.
    You will need this value to decode the resulting root token, so keep it safe.

    Nonce         15565c79-cc9e-5e64-b986-8506e7bd1918
    Started       true
    Progress      0/1
    Complete      false
    OTP           5JFQaH76Ky2TIuSt4SPvO1CGkx
    OTP Length    26
Distribute the nonce to each of your unseal/recovery key holders.
Step 2: Establish key quorum with the token nonce
Tip: Use TTY to autocomplete the nonce
If you use a TTY, the operator generate-root command prompts for your key and automatically completes the nonce value.
Have each unseal/recovery key holder run operator generate-root with their key and the distributed nonce value:

    $ echo ${UNSEAL_OR_RECOVERY_KEY} | vault operator generate-root -nonce=${NONCE_VALUE} -
    Root generation operation nonce: f67f4da3-4ae4-68fb-4716-91da6b609c3e
    Unseal Key (will be hidden):
Vault returns the new, encoded root token to the user who triggers quorum:
    Nonce            f67f4da3-4ae4-68fb-4716-91da6b609c3e
    Started          true
    Progress         5/5
    Complete         true
    Encoded Token    IxJpyqxn3YafOGhqhvP6cQ==
Step 3: Decode the new root token
Decode the new root token using OTP or PGP.
Use operator generate-root and the OTP value from nonce generation to decode the new root token:

    $ vault operator generate-root \
        -decode=${ENCODED_TOKEN} \
        -otp=${NONCE_OTP}
    hvs.XXXXXXXXXXXXXXXXXXXXXXXX