HashiCorp Certified: Vault Operations Professional 2022
Create a working Vault server configuration given a scenario
Demo: Regenerating a Root Token
In this tutorial, you’ll learn how to recover access to your Vault cluster by regenerating a root token using the recovery keys. We’ll cover status verification, initialization, revocation, root token generation, and final validation.
Table of Contents
- Check Vault Status
- Initialize Vault
- Authenticate with the Initial Root Token
- Revoke the Root Token
- Begin Root Token Generation
- Submit Recovery Keys
- Decode the New Root Token
- Authenticate with the New Root Token
- Verify Restored Access
1. Check Vault Status
Start with a fresh, uninitialized Vault server configured with AWS KMS auto-unseal:
```shell
# Check initialization and seal state
vault status
```
Example output:
```text
Key                Value
---                -----
Recovery Seal Type awskms
Initialized        false
Sealed             true
Version            1.10.0+ent
Storage Type       raft
HA Enabled         true
```
Note
Vault is uninitialized and sealed. The Recovery Seal Type of awskms shows that AWS KMS auto-unseal is configured, which is why this procedure uses recovery keys rather than unseal keys.
2. Initialize Vault
Generate the recovery key shares and the initial root token:
```shell
vault operator init
```
Sample output:
```text
Recovery Key 1: Sr90rdG3SEEz8pEmUd1HJhWmoDzMLiHwBay4EpD82Duy
Recovery Key 2: Mjk+TZO/p4sm36KTaZFXNuPuCMjdn6Y/Qvm65DLX2e8
Recovery Key 3: 6WltKoVAf8J4yTHVfMt/Ky9txhJL5P3XIlf9W6Baz93
Recovery Key 4: aDy61n4SezTFZFVtfkD6jiUTse16BG4BH4Cx1GRUPjm
Recovery Key 5: +xb/S9Sb4S2poactdbwzjl9zGpH7qB25YmyIOAJ2Yjx

Initial Root Token: hvs.jtEqNjivmy2aw9d30RRpt71

Success! Vault is initialized.
```
Warning
Securely distribute and store your recovery keys and initial root token. Anyone holding 3 of 5 keys can generate a new root token.
3. Authenticate with the Initial Root Token
Log in using the root token you just received:
```shell
vault login hvs.jtEqNjivmy2aw9d30RRpt71
```
You should see:
```text
Success! You are now authenticated.
token           hvs.jtEqNjivmy2aw9d30RRpt71
token_policies  ["root"]
```
4. Revoke the Root Token
Revoking the root token simulates loss of access:
```shell
vault token revoke hvs.jtEqNjivmy2aw9d30RRpt71
```
After revocation, any Vault API call will return a 403 permission denied:
```shell
vault policy list
# → Error listing policies: permission denied
```
No valid token remains, so there is no authentication mechanism left to reach Vault with.
5. Begin Root Token Generation
Initialize the root-token recovery process:
```shell
vault operator generate-root -init
```
Output includes:
```text
Nonce       babe8c7d-8a2d-f604-0d27-3667f70e93bb
Progress    0/3
OTP         LlfdKVI8pV5pQZQExfi10s5LIRvws
OTP Length  28
```
Note
Save the Nonce and One-Time Password (OTP). You will need them to decode the final token.
6. Submit Recovery Keys
Enter recovery keys one at a time until you reach the threshold (3/3):
```shell
vault operator generate-root
# Paste one recovery key at the "Unseal Key" prompt
```
Repeat for each key:

| Attempt | Command | Progress |
|---|---|---|
| 1 | vault operator generate-root | 1/3 |
| 2 | vault operator generate-root | 2/3 |
| 3 | vault operator generate-root | 3/3 |

After the third key, you’ll receive an Encoded Token:
```text
Encoded Token: JBoVSgEbPDI6QQNZJmQeKSYhP3MgVnUKPzIH0Q
```
7. Decode the New Root Token
Use the Encoded Token and the OTP from step 5 to retrieve the actual root token:
```shell
vault operator generate-root \
  -decode="JBoVSgEbPDI6QQNZJmQeKSYhP3MgVnUKPzIH0Q" \
  -otp="LlfdKVI8pV5pQZQExfi10s5LIRvws"
```
Result:
```text
hvs.jMupJyUlV5DxCYB0c9CMdPj
```
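What the `-decode` step actually does, as an added example (not the tutorial's or Vault's own code): Vault XORs the new root token with the OTP and base64-encodes the result without padding, so the Encoded Token is useless to anyone who does not also hold the OTP, and the CLI reverses that. The token and OTP below are constructed sample values, not the ones from this demo, and the 28-byte token length is assumed to match the OTP Length shown in step 5.

```python
import base64
import secrets
import string

# Constructed sample token: "hvs." plus 24 characters, 28 bytes like the OTP Length above.
SAMPLE_ROOT_TOKEN = "hvs.EXAMPLEdemoToken12345678"
OTP_ALPHABET = string.ascii_letters + string.digits  # Vault prints a base62 OTP


def generate_otp(length: int = 28) -> str:
    """Make a random OTP of the given length, as `generate-root -init` does."""
    return "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; both inputs must be the same length."""
    if len(a) != len(b):
        raise ValueError(f"length mismatch: {len(a)} vs {len(b)}")
    return bytes(x ^ y for x, y in zip(a, b))


def encode_root_token(token: str, otp: str) -> str:
    """Server side: mask the token with the OTP, then base64 without '=' padding."""
    masked = xor_bytes(token.encode(), otp.encode())
    return base64.b64encode(masked).decode().rstrip("=")


def decode_root_token(encoded: str, otp: str) -> str:
    """Client side, the equivalent of `generate-root -decode=... -otp=...`."""
    padded = encoded + "=" * (-len(encoded) % 4)  # restore the stripped padding
    masked = base64.b64decode(padded)
    if len(masked) != len(otp):
        raise ValueError("OTP length does not match the encoded token length")
    token = xor_bytes(masked, otp.encode()).decode("utf-8", errors="replace")
    # A wrong OTP yields garbage rather than an error, so sanity-check the prefix.
    if not token.startswith("hvs."):
        raise ValueError("decoded value is not a service token; check the OTP")
    return token


def round_trip(token: str = SAMPLE_ROOT_TOKEN) -> tuple:
    """Simulate init -> encoded token -> decode; returns (otp, encoded, decoded)."""
    otp = generate_otp(len(token))
    encoded = encode_root_token(token, otp)
    return otp, encoded, decode_root_token(encoded, otp)


if __name__ == "__main__":
    otp, encoded, decoded = round_trip()
    print("OTP:          ", otp)
    print("Encoded Token:", encoded)
    print("Decoded:      ", decoded)
```

Because the mask is a plain XOR, the OTP is the only secret protecting the Encoded Token, which is why step 5 tells you to keep it alongside the nonce and why both should be handled as carefully as the root token itself.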
8. Authenticate with the New Root Token
Log in with your newly generated root token:
```shell
vault login hvs.jMupJyUlV5DxCYB0c9CMdPj
```
Expected output:
```text
Success! You are now authenticated.
token           hvs.jMupJyUlV5DxCYB0c9CMdPj
token_policies  ["root"]
```
9. Verify Restored Access
Confirm Vault is functional again:
```shell
vault policy list
vault secrets enable aws
# → Enables the AWS secrets engine
```
Example HCL Policy
```hcl
# Allow hashing data through the sys/tools/hash endpoint
path "sys/tools/hash" {
  capabilities = ["update"]
}

# Allow the OIDC provider authorize endpoint for any provider name
# ("+" matches exactly one path segment)
path "identity/oidc/provider/+/authorize" {
  capabilities = ["read", "update"]
}
```
Regenerating the root token with recovery keys ensures you can restore full access even if the original token is lost or revoked. For more details, see the Vault CLI Generate-Root Documentation.