HashiCorp Certified: Vault Operations Professional 2022

Create a working Vault server configuration given a scenario

Demo: Regenerating a Root Token

In this tutorial, you’ll learn how to recover access to your Vault cluster by regenerating a root token using the recovery keys. We’ll cover status verification, initialization, revocation, root token generation, and final validation.

Table of Contents

  1. Check Vault Status
  2. Initialize Vault
  3. Authenticate with the Initial Root Token
  4. Revoke the Root Token
  5. Begin Root Token Generation
  6. Submit Recovery Keys
  7. Decode the New Root Token
  8. Authenticate with the New Root Token
  9. Verify Restored Access

1. Check Vault Status

Start with a fresh, uninitialized Vault server configured with AWS KMS auto-unseal:

# Check initialization and seal state
vault status

Example output:

Key                     Value
---                     -----
Recovery Seal Type      awskms
Initialized             false
Sealed                  true
Version                 1.10.0+ent
Storage Type            raft
HA Enabled              true

Note

Vault is uninitialized and sealed. The Recovery Seal Type of awskms shows that auto-unseal via AWS KMS is configured, so the key shares produced at initialization are recovery keys rather than unseal keys.

2. Initialize Vault

Generate the recovery key shares and the initial root token:

vault operator init

Sample output:

Recovery Key 1: Sr90rdG3SEEz8pEmUd1HJhWmoDzMLiHwBay4EpD82Duy
Recovery Key 2: Mjk+TZO/p4sm36KTaZFXNuPuCMjdn6Y/Qvm65DLX2e8
Recovery Key 3: 6WltKoVAf8J4yTHVfMt/Ky9txhJL5P3XIlf9W6Baz93
Recovery Key 4: aDy61n4SezTFZFVtfkD6jiUTse16BG4BH4Cx1GRUPjm
Recovery Key 5: +xb/S9Sb4S2poactdbwzjl9zGpH7qB25YmyIOAJ2Yjx
Initial Root Token: hvs.jtEqNjivmy2aw9d30RRpt71
Success! Vault is initialized.

Warning

Securely distribute and store your recovery keys and initial root token. Anyone holding 3 of 5 keys can generate a new root token.

3. Authenticate with the Initial Root Token

Log in using the root token you just received:

vault login hvs.jtEqNjivmy2aw9d30RRpt71

You should see:

Success! You are now authenticated.
token                 hvs.jtEqNjivmy2aw9d30RRpt71
token_policies        ["root"]

4. Revoke the Root Token

Revoking the root token simulates loss of access:

vault token revoke hvs.jtEqNjivmy2aw9d30RRpt71

After revocation, any Vault API call will return a 403 permission denied:

vault policy list
# → Error listing policies: permission denied

With the only token revoked and no other auth methods configured, no valid way to authenticate remains.

5. Begin Root Token Generation

Initialize the root-token recovery process:

vault operator generate-root -init

Output includes:

Nonce         babe8c7d-8a2d-f604-0d27-3667f70e93bb
Progress      0/3
OTP           LlfdKVI8pV5pQZQExfi10s5LIRvws
OTP Length    28

Note

Save the Nonce and One-Time Password (OTP). You will need them to decode the final token.

6. Submit Recovery Keys

Enter recovery keys one at a time until you reach the threshold (3/3):

vault operator generate-root
# Enter one recovery key at the "Unseal Key" prompt (input is hidden)

Repeat for each key:

Attempt    Command                         Progress
-------    -------                         --------
1          vault operator generate-root    1/3
2          vault operator generate-root    2/3
3          vault operator generate-root    3/3

After the third key, you’ll receive an Encoded Token:

Encoded Token: JBoVSgEbPDI6QQNZJmQeKSYhP3MgVnUKPzIH0Q

7. Decode the New Root Token

Use the Encoded Token and OTP to retrieve the actual root token:

vault operator generate-root \
  -decode="JBoVSgEbPDI6QQNZJmQeKSYhP3MgVnUKPzIH0Q" \
  -otp="LlfdKVI8pV5pQZQExfi10s5LIRvws"

Result:

hvs.jMupJyUlV5DxCYB0c9CMdPj
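The decode step needs no connection to Vault: the Encoded Token is the new root token XORed byte-for-byte with the OTP and base64-encoded without padding, which is why the OTP must be kept from step 5. The following Python is an added example, not part of this tutorial or of the Vault CLI; it assumes that Vault draws the OTP from the base62 alphabet, sizes it to the token length, and uses unpadded standard base64, and all sample values in it are constructed.

```python
import base64
import secrets
import string

# Assumption: Vault builds the auto-generated OTP from the base62 alphabet
# and sizes it to the token length (28 for an "hvs."-prefixed token).
OTP_ALPHABET = string.ascii_letters + string.digits
TOKEN_LENGTH = 28


def generate_otp(length: int = TOKEN_LENGTH) -> str:
    """Stand-in for the OTP that `generate-root -init` prints."""
    return "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))


def encode_root_token(token: str, otp: str) -> str:
    """Server side: XOR the fresh root token with the OTP and base64-encode
    the result without padding. This is the "Encoded Token" the CLI shows
    once the key threshold is reached."""
    if len(token) != len(otp):
        raise ValueError("OTP length must equal token length")
    xored = bytes(t ^ o for t, o in zip(token.encode(), otp.encode()))
    return base64.b64encode(xored).decode().rstrip("=")


def decode_root_token(encoded: str, otp: str) -> str:
    """Client side: what `vault operator generate-root -decode=... -otp=...`
    does. Restore base64 padding, decode, then XOR with the OTP."""
    raw = base64.b64decode(encoded + "=" * (-len(encoded) % 4))
    if len(raw) != len(otp):
        raise ValueError("OTP does not match this encoded token")
    return bytes(r ^ o for r, o in zip(raw, otp.encode())).decode()


if __name__ == "__main__":
    # Constructed sample: a fake root token and the OTP saved at -init time.
    root_token = "hvs." + "A1b2C3d4E5f6G7h8I9j0K1l2"
    otp = generate_otp()
    encoded = encode_root_token(root_token, otp)
    print("Encoded Token:", encoded)
    print("Decoded      :", decode_root_token(encoded, otp))
    # Without the right OTP the encoded token is useless: a different OTP
    # of the same length decodes to a different, worthless string.
    print("Wrong OTP    :", decode_root_token(encoded, generate_otp()))
```

Encoding just the first three characters of the tutorial's sample token and OTP ("hvs" with "Llf") gives "JBoV", which is the start of the Encoded Token shown in step 6.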

8. Authenticate with the New Root Token

Log in with your newly generated root token:

vault login hvs.jMupJyUlV5DxCYB0c9CMdPj

Expected output:

Success! You are now authenticated.
token                 hvs.jMupJyUlV5DxCYB0c9CMdPj
token_policies        ["root"]

9. Verify Restored Access

Confirm Vault is functional again:

vault policy list
vault secrets enable aws
# → Enables the AWS secrets engine

Example HCL Policy

With root access restored, normal administration such as writing policies can resume. For example:

# Allow callers to use the built-in hash tool
path "sys/tools/hash" {
  capabilities = ["update"]
}

# Allow callers to reach the authorize endpoint of any OIDC provider
# ("+" matches exactly one path segment, the provider name)
path "identity/oidc/provider/+/authorize" {
  capabilities = ["read", "update"]
}

Regenerating the root token with recovery keys ensures you can restore full access even if the original token is lost or revoked. For more details, see the Vault CLI Generate-Root Documentation.
