Regenerate a Vault root token
Your Vault root token is a special token that gives you access to all Vault operations. Best practice is to enable an appropriate authentication method for Vault admins once the server is running and revoke the root token.
For emergency situations where you require a root token, you can use the operator generate-root CLI command together with a one-time password (OTP) or a Pretty Good Privacy (PGP) key to generate a new root token.
Before you start
- You need your Vault keys. If you use auto-unseal, you need your recovery keys, otherwise you need your unseal keys.
- Identify current key holders. You must distribute the token nonce to your unseal/recovery key holders during root token generation.
Step 1: Create a root token nonce
Generate a token nonce for your new root token:
You need the returned OTP value to decode the new root token.
Distribute the nonce to each of your unseal/recovery key holders.
Step 2: Establish key quorum with the token nonce
Use TTY to autocomplete the nonce
If you use a TTY, the operator generate-root command prompts for your key and automatically completes the nonce value.
Have each unseal/recovery key holder run operator generate-root with their key and the distributed nonce value:
Vault returns the new, encoded root token to the user whose key completes the quorum:
Step 3: Decode the new root token
Decode the new root token using OTP or PGP.
Use operator generate-root and the OTP value from nonce generation to decode the new root token:
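The three steps above as one small wrapper script, added here as an example (not part of the Vault docs or the Vault project). It assumes the vault CLI is on PATH with VAULT_ADDR set, that -format=json output uses the field names nonce, otp, progress, required, complete and encoded_token, and that passing - as the KEY argument reads the key from stdin; the sample JSON is constructed for offline checks.

```shell
#!/bin/sh
# Added example, not from the Vault docs. Assumptions: vault CLI on PATH with
# VAULT_ADDR set; -format=json field names as used below; "-" as the KEY
# argument reads the unseal/recovery key from stdin.
set -eu

# Extract one scalar field from the CLI's JSON output without depending on jq.
json_field() {  # usage: json_field <name> "<json>"
  printf '%s\n' "$2" | sed -n "s/.*\"$1\":\"\\{0,1\\}\\([^\",}]*\\).*/\\1/p"
}

quorum_reached() {  # true once the status JSON reports complete=true
  [ "$(json_field complete "$1")" = "true" ]
}

# Step 1 (one operator): start generation. Hand out only the nonce; the OTP is
# what later decodes the token, so it stays with this operator.
init_root_generation() {
  vault operator generate-root -init -format=json
}

# Step 2 (each key holder): submit one unseal/recovery key against the nonce.
# The key is piped on stdin so it does not appear in the process list.
submit_key() {  # usage: submit_key <nonce> <unseal-or-recovery-key>
  printf '%s\n' "$2" | vault operator generate-root -nonce="$1" -format=json -
}

# Step 3 (the operator from step 1): turn the encoded token into a usable one.
decode_token() {  # usage: decode_token <encoded-token> <otp>
  vault operator generate-root -decode="$1" -otp="$2"
}

# Constructed sample of a step-1 response (not real Vault output), for offline checks.
SAMPLE_INIT='{"nonce":"2dbd10f1-8528-6246-09e7-82b25b8aba63","started":true,"progress":0,"required":3,"complete":false,"encoded_token":"","otp":"ZfX5s6xt8NkBhXhcYANlgqBEDb","otp_length":26}'

case "${1:-}" in
  init)   out=$(init_root_generation)
          echo "nonce for key holders: $(json_field nonce "$out")"
          echo "OTP (keep private):    $(json_field otp "$out")" ;;
  submit) out=$(submit_key "$2" "$3")
          if quorum_reached "$out"; then
            echo "encoded token: $(json_field encoded_token "$out")"
          else
            echo "progress $(json_field progress "$out")/$(json_field required "$out")"
          fi ;;
  decode) decode_token "$2" "$3" ;;
esac
```

Run it as `./root-token.sh init` once, `./root-token.sh submit <nonce> <key>` per key holder, and `./root-token.sh decode <encoded-token> <otp>` at the end.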