HashiCorp Certified: Vault Operations Professional 2022

Create a working Vault server configuration given a scenario

Demo: Practice Secure Vault Initialization

This guide demonstrates how to initialize HashiCorp Vault so that each recovery key share is encrypted with an operator's public OpenPGP key while the initial root token is issued. In this example, we'll use three public keys, btk.pub, frank.pub, and susan.pub, located in your current directory.

Prerequisites

  • Vault server (v1.10.0+ent) installed and running with an auto-unseal seal (awskms in this example), which is why init produces recovery shares rather than unseal keys
  • Three PGP public keys: btk.pub, frank.pub, susan.pub
  • GPG (GnuPG) installed for decryption

1. Verify Your PGP Keys

List the .pub files to ensure your public keys are accessible:

$ ls *.pub
btk.pub
frank.pub
susan.pub

Warning

Make sure these files are the intended public keys. Do not expose your private keys.

2. Confirm Vault Is Uninitialized

Check Vault’s status before initialization:

$ vault status
Key                     Value
---                     -----
Recovery Seal Type      awskms
Initialized             false
Sealed                  true
Total Recovery Shares   0
Threshold               0
Unseal Progress         0/0
Unseal Nonce            n/a
Version                 1.10.0+ent
Storage Type            raft
HA Enabled              true

Vault should report Initialized false and Sealed true before you continue.

3. Initialize Vault with Encrypted Shares

Run the vault operator init command to:

  • Create 3 recovery shares
  • Require 2 shares to meet the threshold
  • Encrypt each share with one of the supplied PGP public keys, in the order they are listed

$ vault operator init \
    --recovery-shares=3 \
    --recovery-threshold=2 \
    --recovery-pgp-keys="btk.pub,frank.pub,susan.pub" \
    > vaultinit.txt

Warning

The file vaultinit.txt contains sensitive data. Store it in a secure location—never commit it to version control.

Initialization Parameters

Parameter            Value
---------            -----
recovery-shares      3
recovery-threshold   2
recovery-pgp-keys    btk.pub, frank.pub, susan.pub

4. Review the Initialization Output

Since the command's output was redirected to vaultinit.txt, nothing is printed to the console. Display the file to see each encrypted share and the root token:

$ cat vaultinit.txt
Recovery Key 1: wcFMA4Z9h7N72NGARAAzMm1xOnYclitFpuA07AOUVKDPOx03mKT0RyPQgRzsgVhs+748139se3DUAkprZx/...
Recovery Key 2: ZlXab7mVy0sR8b4JHJL0T2G9gC0KpLmYrKvWUkiFZ1...
Recovery Key 3: qW8/E7u5OzLmZk3R2H4jXn1a9vK5mCuXbJ9pR0gLZ2...
Initial Root Token: hvs.8CSU02a1xcS21iehKawiqWN
Success! Vault is initialized

Each recovery key is printed as a Base64-encoded OpenPGP message encrypted with the matching public key (share N with the N-th key passed to --recovery-pgp-keys). The root token remains in plaintext by default.
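Before the shares are handed out, it is worth confirming that each one really is an OpenPGP message addressed to the intended operator. The following Python script is an added example, not course material and not part of Vault: it parses the saved init output, Base64-decodes each share, reads the leading OpenPGP packet header and reports the key ID each share was encrypted to. The key IDs in EXPECTED_OWNERS are constructed placeholders (take the real ones from `gpg --show-keys --keyid-format long susan.pub`, noting that the ID in the message is that of the encryption subkey, not the primary key), and SAMPLE_INIT_OUTPUT is a synthetic stand-in for vaultinit.txt built by make_sample_share(), not real ciphertext.

```python
"""Report which OpenPGP key each recovery share from `vault operator init`
was encrypted to, so shares can be checked against their owners before
distribution. Added example; assumes the init output was saved as
vaultinit.txt and that each operator's long (16 hex digit) encryption
subkey ID is known.
"""
import base64
import re
import sys

# Constructed placeholder key IDs; replace with the encryption-subkey IDs of
# btk.pub, frank.pub and susan.pub (share N is encrypted with the N-th key).
EXPECTED_OWNERS = {
    "0123456789ABCDEF": "btk",
    "FEDCBA9876543210": "frank",
    "A1B2C3D4E5F60718": "susan",
}


def parse_init_output(text):
    """Extract ({share_no: base64_blob}, root_token) from vaultinit.txt text."""
    shares, root_token = {}, None
    for line in text.splitlines():
        m = re.match(r"Recovery Key (\d+): (\S+)", line)
        if m:
            shares[int(m.group(1))] = m.group(2)
            continue
        m = re.match(r"Initial Root Token: (\S+)", line)
        if m:
            root_token = m.group(1)
    return shares, root_token


def read_packet_header(blob):
    """Return (tag, offset of the packet body) for an OpenPGP packet header."""
    if len(blob) < 2 or not blob[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if blob[0] & 0x40:                          # new-format header (RFC 4880 4.2.2)
        tag, first = blob[0] & 0x3F, blob[1]
        if first < 192:
            return tag, 2                       # one-octet length
        if first < 224:
            return tag, 3                       # two-octet length
        if first == 255:
            return tag, 6                       # five-octet length
        raise ValueError("partial-length packet not expected here")
    tag = (blob[0] >> 2) & 0x0F                 # old-format header (RFC 4880 4.2.1)
    return tag, 1 + {0: 1, 1: 2, 2: 4, 3: 0}[blob[0] & 0x03]


def recipient_key_id(b64_share):
    """Decode a share and return the key ID it was encrypted to.

    A PGP-encrypted share begins with a Public-Key Encrypted Session Key
    packet (tag 1): version 3, 8-byte key ID, public-key algorithm, MPIs.
    """
    blob = base64.b64decode(b64_share, validate=True)
    tag, off = read_packet_header(blob)
    if tag != 1:
        raise ValueError(f"first packet has tag {tag}, expected PKESK (1)")
    if len(blob) < off + 9 or blob[off] != 3:
        raise ValueError("unsupported or truncated PKESK packet")
    return blob[off + 1:off + 9].hex().upper()


def is_pgp_encrypted(b64_share):
    """True if the share parses as a PGP message rather than raw key material."""
    try:
        recipient_key_id(b64_share)
        return True
    except (ValueError, IndexError):
        return False


def check_share_owners(text, expected=EXPECTED_OWNERS):
    """Map each share number to the owner of the key it was encrypted to.

    None means the share is encrypted to a key you did not expect; do not
    distribute it until that is explained.
    """
    shares, _ = parse_init_output(text)
    return {n: expected.get(recipient_key_id(b64)) for n, b64 in sorted(shares.items())}


def make_sample_share(key_id_hex):
    """Build a synthetic RSA-2048-shaped PKESK packet (zero MPI) for testing."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x08\x00" + b"\x00" * 256
    n = len(body) - 192                         # two-octet new-format length
    header = bytes([0xC1, 192 + (n >> 8), n & 0xFF])
    return base64.b64encode(header + body).decode()


# Constructed stand-in for vaultinit.txt; real output carries real ciphertext.
SAMPLE_INIT_OUTPUT = "\n".join([
    f"Recovery Key 1: {make_sample_share('0123456789ABCDEF')}",
    f"Recovery Key 2: {make_sample_share('FEDCBA9876543210')}",
    f"Recovery Key 3: {make_sample_share('A1B2C3D4E5F60718')}",
    "Initial Root Token: hvs.EXAMPLE-PLACEHOLDER-TOKEN",
    "Success! Vault is initialized",
])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INIT_OUTPUT
    for share_no, owner in check_share_owners(text).items():
        print(f"Recovery Key {share_no}: encrypted to {owner or 'UNKNOWN KEY'}")
```

Run it as `python check_shares.py vaultinit.txt`; with no argument it runs against the synthetic sample. The script only reads packet headers and never needs a private key, so it can be run by whoever holds the init output without exposing any share.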

5. Decrypt a Recovery Share

To decrypt the share encrypted for Susan (Recovery Key 3, since susan.pub was the third key listed):

Note

Ensure you have Susan’s private key and know the GPG passphrase to unlock it.

$ echo "qW8/E7u5OzLmZk3R2H4jXn1a9vK5mCuXbJ9pR0gLZ2..." \
  | base64 --decode \
  | gpg --decrypt

GPG will prompt for the passphrase:

[Screenshot: GPG passphrase dialog asking to unlock the OpenPGP secret key, showing the key ID and creation date.]

Once unlocked, you’ll see the plaintext recovery key:

5f3e1c4a6d9b8e7c2d1f0a9b4c3e2f1a

6. Next Steps

With at least two decrypted shares (meeting the threshold), you can:

  • Unseal Vault or a DR cluster
  • Generate a new root token
  • Perform emergency recovery

By encrypting each recovery share with a different operator's PGP key, you ensure that only the holder of the corresponding private key can read that share, so nobody who handles the init output, including the person who ran the command, holds a threshold of usable shares on their own.
