mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-11-24 13:55:11 +00:00
* conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. 
* Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
91 lines
3.1 KiB
Markdown
---
layout: "docs"
page_title: "operator generate-root - Command"
sidebar_title: "generate-root"
sidebar_current: "docs-commands-operator-generate-root"
description: |-
  The "operator generate-root" command generates a new root token by combining a
  quorum of share holders.
---

# operator generate-root

The `operator generate-root` command generates a new root token by combining a
quorum of share holders. One of the following must be provided to start the root
token generation:

- A base64-encoded one-time-password (OTP) provided via the `-otp` flag. Use the
  `-generate-otp` flag to generate a usable value. The resulting token is XORed
  with this value when it is returned. Use the `-decode` flag to output the
  final value.

- A file containing a PGP key or a
  [keybase](/docs/concepts/pgp-gpg-keybase.html) username in the `-pgp-key`
  flag. The resulting token is encrypted with this public key.

An unseal key may be provided directly on the command line as an argument to the
command. If the key is specified as "-", the command will read from stdin. If a
TTY is available, the command will prompt for text.

Please see the [generate root guide](/guides/operations/generate-root.html) for
step-by-step instructions.

## Examples

Generate an OTP code for the final token:

```text
$ vault operator generate-root -generate-otp
```

Start a root token generation:

```text
$ vault operator generate-root -init -otp="..."
```

Enter an unseal key to progress root token generation:

```text
$ vault operator generate-root -otp="..."
```

## Usage

The following flags are available in addition to the [standard set of
flags](/docs/commands/index.html) included on all commands.

### Output Options

- `-format` `(string: "table")` - Print the output in the given format. Valid
  formats are "table", "json", or "yaml". This can also be specified via the
  `VAULT_FORMAT` environment variable.

### Command Options

- `-cancel` `(bool: false)` - Reset the root token generation progress. This
  will discard any submitted unseal keys or configuration.

- `-decode` `(string: "")` - Decode and output the generated root token. This
  option requires the `-otp` flag be set to the OTP used during initialization.

- `-generate-otp` `(bool: false)` - Generate and print a high-entropy
  one-time-password (OTP) suitable for use with the `-init` flag.

- `-init` `(bool: false)` - Start a root token generation. This can only be done
  if there is not currently one in progress.

- `-nonce` `(string: "")` - Nonce value provided at initialization. The same
  nonce value must be provided with each unseal key.

- `-otp` `(string: "")` - OTP code to use with `-decode` or `-init`.

- `-pgp-key` `(keybase or pgp)` - Path to a file on disk containing a binary or
  base64-encoded public GPG key. This can also be specified as a Keybase
  username using the format `keybase:<username>`. When supplied, the generated
  root token will be encrypted and base64-encoded with the given public key.

- `-status` `(bool: false)` - Print the status of the current attempt without
  providing an unseal key. The default is false.
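The OTP masking described in the introduction and under the `-otp` and `-decode` flags, as an added Go example that is not part of the Vault documentation or code base. It assumes the returned value is the standard-base64 encoding of the token XORed byte by byte with an equal-length base64 OTP; `xorOTP`, `Mask` and `Unmask` are hypothetical names, and the token is a constructed value.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// xorOTP decodes the base64 OTP and XORs it into data; lengths must match.
func xorOTP(data []byte, otpB64 string) ([]byte, error) {
	otp, err := base64.StdEncoding.DecodeString(otpB64)
	if err != nil {
		return nil, fmt.Errorf("OTP is not valid base64: %w", err)
	}
	if len(otp) != len(data) {
		return nil, fmt.Errorf("OTP is %d bytes, token is %d", len(otp), len(data))
	}
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ otp[i]
	}
	return out, nil
}

// Mask models the value handed back: base64(token XOR otp). Assumed format.
func Mask(token []byte, otpB64 string) (string, error) {
	masked, err := xorOTP(token, otpB64)
	return base64.StdEncoding.EncodeToString(masked), err
}

// Unmask models -decode: XOR with the same OTP undoes the masking.
func Unmask(encodedB64, otpB64 string) ([]byte, error) {
	masked, err := base64.StdEncoding.DecodeString(encodedB64)
	if err != nil {
		return nil, fmt.Errorf("encoded token is not valid base64: %w", err)
	}
	return xorOTP(masked, otpB64)
}

func main() {
	raw := make([]byte, 16) // stand-in for -generate-otp
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	otp := base64.StdEncoding.EncodeToString(raw)
	encoded, _ := Mask([]byte("0123456789abcdef"), otp) // constructed token, not a real one
	plain, err := Unmask(encoded, otp)
	fmt.Printf("encoded=%s decoded=%s err=%v\n", encoded, plain, err)
}
```

XOR carries no integrity check: a wrong OTP of the right length decodes without error to different bytes, so only the holder of the OTP used at `-init` recovers the usable token.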