Generate new vault keys.
Vault initialization output, kept here for reference (the existing unseal keys are needed below).
$ vault operator init
Unseal Key 1: SLpEi9hrk52mgxay66UnW0ZS2u1tpoQMT7Dj4sYVFoWq
Unseal Key 2: uC0VAgbWjLPYGf5mothT9bqLjSa5HW83F7VdWuFnLfAs
Unseal Key 3: jy7w3CanszT2b7SgfFAtcyq7IBOHqiOMstq+TtaZAz2G
Unseal Key 4: COo33dElKW8qLwbc/c+HbKkDe9UryCaWvd+PDcugUP+7
Unseal Key 5: sCJnTYQfYif5aUB9o49RAt6jpfVlMQSLivsDS+VFxJc4

Initial Root Token: hvs.BKpRwvIYboA6C9QrY5V7OnxA

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             false
Total Shares       5
Threshold          3
Version            1.11.0
Build Date         2022-06-17T15:48:44Z
Storage Type       consul
Cluster Name       vault-cluster-d49add11
Cluster ID         d73bc1ff-d088-e602-959c-cc72be323da9
HA Enabled         true
HA Cluster         https://172.16.148.3:8201
HA Mode            active
Active Since       2022-07-17T19:07:08.353351812Z
Initialize the rekey operation (here: 1 new share with a threshold of 1).
$ vault operator rekey -init -key-shares 1 -key-threshold 1
WARNING! If you lose the keys after they are returned, there is no recovery.
Consider canceling this operation and re-initializing with the -pgp-keys flag
to protect the returned unseal keys along with -backup to allow recovery of the
encrypted keys in case of emergency. You can delete the stored keys later using
the -delete flag.

Key                      Value
---                      -----
Nonce                    d3f59110-89db-ebf6-d451-34f194ed1415
Started                  true
Rekey Progress           0/3
New Shares               1
New Threshold            1
Verification Required    false
Provide the existing unseal keys, one per invocation, until the current threshold (3) is reached.
$ vault operator rekey
Rekey operation nonce: d3f59110-89db-ebf6-d451-34f194ed1415
Unseal Key (will be hidden):

Key                      Value
---                      -----
Nonce                    d3f59110-89db-ebf6-d451-34f194ed1415
Started                  true
Rekey Progress           1/3
New Shares               1
New Threshold            1
Verification Required    false
$ vault operator rekey
Rekey operation nonce: d3f59110-89db-ebf6-d451-34f194ed1415
Unseal Key (will be hidden):

Key                      Value
---                      -----
Nonce                    d3f59110-89db-ebf6-d451-34f194ed1415
Started                  true
Rekey Progress           2/3
New Shares               1
New Threshold            1
Verification Required    false
Check status in the meantime.
$ vault operator rekey -status
Key                      Value
---                      -----
Nonce                    d3f59110-89db-ebf6-d451-34f194ed1415
Started                  true
Rekey Progress           2/3
New Shares               1
New Threshold            1
Verification Required    false
$ vault operator rekey
Rekey operation nonce: d3f59110-89db-ebf6-d451-34f194ed1415
Unseal Key (will be hidden):

Key 1: 9EaOcodYRYLfH46ml40sFHswczsV3cg6TKxtCLUP8uk=

Operation nonce: d3f59110-89db-ebf6-d451-34f194ed1415

Vault rekeyed with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.
Inspect vault status (this time from a standby node, hence the different HA address).
$ vault status
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.11.0
Build Date              2022-06-17T15:48:44Z
Storage Type            consul
Cluster Name            vault-cluster-d49add11
Cluster ID              d73bc1ff-d088-e602-959c-cc72be323da9
HA Enabled              true
HA Cluster              https://172.16.148.16:8201
HA Mode                 standby
Active Node Address     https://172.16.148.16:8200
Done.
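The same init/update sequence driven through Vault's HTTP API (sys/rekey/init and sys/rekey/update), as an added example that is not part of the notes above; the vault_request helper and the injectable request callable are assumptions. It ties every submitted share to the nonce that init returned, cancels the operation on a share shortfall, and can pass PGP keys with backup as the CLI warning recommends.

```python
"""Drive a Vault rekey over the HTTP API, checking the operation nonce at every step."""
import json
import urllib.request


class RekeyError(Exception):
    """Raised when the rekey cannot be carried out safely."""


def vault_request(addr, token, method, path, body=None):
    """Hypothetical minimal client for the Vault API; returns the decoded JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{addr}/v1/{path}", data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def rekey(request, unseal_keys, new_shares=1, new_threshold=1, pgp_keys=None):
    """Run the init/update steps of `vault operator rekey` via request(method, path, body).

    Returns the new base64 key shares. Each update carries the nonce returned by
    sys/rekey/init, so a share is never fed into some other rekey attempt.
    """
    if not 1 <= new_threshold <= new_shares:
        raise RekeyError("threshold must be between 1 and the number of shares")
    body = {"secret_shares": new_shares, "secret_threshold": new_threshold}
    if pgp_keys:
        # Encrypt each new share to an operator's PGP key and keep an encrypted
        # backup, the -pgp-keys / -backup option the CLI warning points at.
        if len(pgp_keys) != new_shares:
            raise RekeyError("one PGP key per new share is required")
        body["pgp_keys"], body["backup"] = pgp_keys, True
    status = request("PUT", "sys/rekey/init", body)
    nonce, required = status["nonce"], status["required"]
    if len(unseal_keys) < required:
        request("DELETE", "sys/rekey/init", None)  # do not leave a half-started rekey behind
        raise RekeyError(f"need {required} existing shares, have {len(unseal_keys)}")
    for key in unseal_keys[:required]:
        resp = request("PUT", "sys/rekey/update", {"key": key, "nonce": nonce})
        if resp.get("nonce", nonce) != nonce:
            request("DELETE", "sys/rekey/init", None)
            raise RekeyError("rekey nonce changed mid-operation; aborting")
        if resp.get("complete"):
            return resp["keys_base64"]
    raise RekeyError("submitted the required shares but Vault did not report completion")
```

Call it as rekey(lambda m, p, b: vault_request(VAULT_ADDR, TOKEN, m, p, b), existing_keys) against a running cluster; the returned shares must be distributed as carefully as the ones printed by vault operator init.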