Vault
PGP encrypted key shares
Vault encrypts data with an encryption key. That encryption key is further encrypted with a second key, known as the root key. At Vault initialization time, you can choose to split the root key into a number of key shares using Shamir's Secret Sharing algorithm. When using the Shamir seal, these key shares are called unseal keys, but when using an auto seal or HSM, they're known as recovery keys.
By default, Vault splits the root key into 5 key shares, and requires a quorum of 3 key shares for reconstruction of the root key to use in rekey or unseal operations. In the diagram, the key shares held by Alice, Carol, and Dan satisfy the quorum, and represent the users which participate in the examples for this tutorial.
Challenge
When you initialize Vault, it returns hexadecimal-encoded or base64-encoded representations of the key shares and initial root token value in plaintext, as shown in these examples.
Learn more about the init operation and its output using the Vault HTTP API, CLI, or web UI.
$ vault operator init
Example expected output:
Unseal Key 1: eUc0ff332w8rOLBMyvP2yWRZ+t8NlwZ+cMUDbAe4Zm+8
Unseal Key 2: w9uzo61xXcxu5hz9uzJwsvz5RQCXc0ff33tN44HjOWy0
Unseal Key 3: 5es3Q9ZPoEU4xldKKQ5bWb8c0ff33rk1gO/rZNZltfGD
Unseal Key 4: jm7s/xixDc0ff33cqKw+LLUWj2yqtH3I0LovL9jBYVb2
Unseal Key 5: ejfqbLS8wSfYcTfes3fjQNkkYoTcmqE9YMJwbfc0ff33
Initial Root Token: hvs.7wc0ff33iCtoMXiP7LoJOGjj
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
Vault returns base64-encoded unseal keys, and a plaintext initial root token value when initialized through the vault
CLI.
This is acceptable in certain circumstances, such as development or evaluation clusters, but you could require more protection of the key shares and initial root token when operating in production.
Solution
Vault can encrypt the key shares and initial root token value at initialization time with user-supplied public keys generated from any RFC 4880 compliant PGP software, such as GNU Privacy Guard (GPG).
Tip
Vault also directly supports encrypting key shares with GPG public keys from Keybase usernames, but that is not specifically covered in this tutorial.
When you initialize Vault with the pgp-keys and root-token-pgp-key options, it encrypts the unseal keys and root token value with the specified GPG public keys, base64 encodes the encrypted values, and outputs those values instead of plaintext values.
Scenario introduction
Your goal in this scenario is to explore using Vault with the Shamir seal, and to encrypt the unseal key shares with GPG at initialization time. You'll then learn how to use the GPG encrypted key shares to unseal and rekey Vault.
First, you'll use a terminal session to configure and start a simplified Vault server Docker container.
You'll then use GPG to generate 5 distinct sets of keys to use for encrypting and decrypting the Vault key shares.
Then, it's time to initialize Vault. Acting as all 5 personas, you'll pass in the GPG public key from each persona to initialize Vault with the API, CLI, or UI. Once Vault initializes, it returns the key shares, each one encrypted with the GPG public keys which you passed in at initialization time.
The 5 key shares are distributed to Alice, Bob, Carol, Dan, and Frank, which for the purpose of this tutorial just means that the encrypted key share value gets assigned to an environment variable after initialization.
You'll then act as 3 of the 5 personas (Alice, Carol, and Dan), and use their encrypted key shares to unseal Vault.
After you unseal Vault, you can then act as the 3 personas, and use their encrypted key shares to rekey Vault.
If you are unfamiliar with initialization, rekeying, seals and keys, you can review the operator init, operator rekey, operator unseal, and Seal/Unseal concepts documentation to learn more.
Personas
The steps described in this tutorial are typically performed by a team of security engineers.
You'll assume 4 of these hypothetical named security engineer roles in the hands-on lab scenario:
Alice: Team lead; coordinates distribution of teams GPG public keys, starts the Vault initialization process, and takes part in unseal and rekeying operations.
Bob: Provides a GPG public key to Alice for use in initializing Vault, but does not take part in unseal or rekeying operations unless needed.
Carol: Provides a GPG public key to Alice for use in initializing Vault, and also takes part in unseal and rekeying operations.
Dan: Provides a GPG public key to Alice for use in initializing Vault, and also takes part in unseal and rekeying operations.
Frank: Provides a GPG public key to Alice for use in initializing Vault, but does not take part in unseal or rekeying operations unless needed.
Dave: Vault operator. Configure and start the Vault server.
Prerequisites
You need the following to perform the tasks described in this tutorial:
Docker Desktop installed (tutorial tested with Docker Desktop version 4.18.0 and Docker Engine version 20.10.24).
Working internet from the Docker host computer to download Docker images.
Familiarity with initializing, unsealing, and rekeying Vault is helpful, but not required to follow along with the hands-on lab. If you are unfamiliar with these concepts and their related tasks, reviewing the Seal/Unseal concepts documentation along with the operator init, operator unseal, and operator rekey can help you.
Tip
For a thorough understanding of the initialization, unseal, and rekey operations, you can also review the /sys/init, /sys/unseal, and /sys/rekey API documentation.
Lab setup
The lab for this scenario is a single Vault server Docker container with integrated storage.
You'll also deploy some community image based GPG Docker containers on which you generate 5 sets of GPG keys. You can then use these keys to encrypt and decrypt the Vault key shares for all operations in the hands-on lab.
Tip
The hands-on lab uses GPG Docker containers for ease of use, and to avoid conflicts with any GPG software already installed on your computer.
Create hands-on lab home
You can create a temporary directory to hold all the content needed for this hands-on lab, and then assign its path to an environment variable for later reference.
Open a terminal, and create the directory /tmp/learn-vault-pgp
.
$ mkdir /tmp/learn-vault-pgp
Export the hands-on directory path as the value to the HC_LEARN_LAB
environment variable.
$ export HC_LEARN_LAB=/tmp/learn-vault-pgp
Vault server setup
The goal of this section is to deploy a simple Vault server container that you'll use for the hands-on lab.
Create directories for Vault configuration and data.
$ mkdir -p "$HC_LEARN_LAB"/vault/{config,data}
Pull the latest Vault Docker image.
$ docker pull hashicorp/vault:latest
Example abbreviated output:
latest: Pulling from hashicorp/vault ...snip... docker.io/hashicorp/vault:latest
Create a Docker network named
learn-vault
.$ docker network create learn-vault d6a8247e3f138344c4686a517834ec2e2af68be9d728afb08bcfe21aae616785
Create the Vault server configuration file.
$ cat > "$HC_LEARN_LAB"/vault/config/vault-server.hcl <<EOF ui = true listener "tcp" { tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" } storage "raft" { path = "/vault/file" } EOF
Note
The listener stanza disables TLS (
tls_disable = 1
) just for this tutorial. Vault should always be used with TLS in production deployments. This configuration requires a certificate file and key file on each Vault host.Start Vault server container.
$ docker run \ --name=learn-vault \ --hostname=learn-vault \ --network=learn-vault \ --publish 8200:8200 \ --env VAULT_ADDR="http://localhost:8200" \ --env VAULT_CLUSTER_ADDR="http://learn-vault:8201" \ --env VAULT_API_ADDR="http://learn-vault:8200" \ --env VAULT_RAFT_NODE_ID="learn-vault" \ --volume "$HC_LEARN_LAB"/vault/config/:/vault/config \ --volume "$HC_LEARN_LAB"/vault/data/:/vault/file:z \ --cap-add=IPC_LOCK \ --detach \ --rm \ hashicorp/vault vault server -config=/vault/config/vault-server.hcl
Confirm that the Vault server container is up.
$ docker ps -f name=learn-vault --format "table {{.Names}}\t{{.Status}}"
Example expected output:
NAMES STATUS learn-vault Up 5 seconds
Export an environment variable for the
vault
CLI to address the primary server.$ export VAULT_ADDR=http://127.0.0.1:8200
Verify Vault server status
$ vault status
Example expected output:
Key Value --- ----- Seal Type shamir Initialized true Sealed true Total Shares 5 Threshold 3 Unseal Progress 0/3 Unseal Nonce n/a Version 1.13.2 Build Date 2023-04-25T13:02:50Z Storage Type raft HA Enabled true
The Vault server is now ready for you to initialize and unseal with unseal keys.
Prepare GPG key sets
Your goal in this section is to create 5 sets of simple GPG keys, which you use later for encrypting and decrypting Vault key shares. An example CLI workflow diagram is shown for the Alice persona, and the workflow is similar for each persona.
You can use a community GnuPG Docker container to generate keys for demonstrating the features in this tutorial.
Note
The example GPG configuration and runtime environment is just for this tutorial. You are encouraged to use a configuration and runtime environment that is compliant with your organization's security policies for actual use cases.
You do these tasks as each of the 5 main personas.
You'll non-interactively generate the 5 GPG keys with a configuration like this example for Alice:
%echo Generating a basic OpenPGP key for Alice
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: Alice
Name-Comment: Alice is a Vault PGP user
Name-Email: alice@example.com
Expire-Date: 1
Passphrase: recede-yard-unwilling-shrouded
%commit
%echo done
Each set of keys has these properties as defined in the configuration:
- RSA key and subkey
- 4096 bit key size for key and subkey
- Persona name
- Persona email
- Expires in 1 day
- Passphrase in configuration for tutorial simplicity
Create directories for each of the personas.
$ mkdir "$HC_LEARN_LAB"/{alice,bob,carol,dan,frank}
Change modes on the persona directories. This increases security for access to the directories. If you omit this step, GPG warns you that the directory permissions are insecure whenever you execute it.
$ chmod 0700 "$HC_LEARN_LAB"/{alice,bob,carol,dan,frank}
Pull the community GnuPG Docker container image.
$ docker pull vladgh/gpg:latest
Example abbreviated output:
latest: Pulling from vladgh/gpg ...snip... docker.io/vladgh/gpg:latest
You're now prepared to use GPG containers to generate each persona's keys.
Note
When exporting the public key values, you do not need the common ASCII armored format (i.e., --armor
) parameter. This is because Vault expects a plain base64-encoded version of the binary key output without any extra characters like those present in ASCII armored public key output. Instead, pipe the command output to base64
for encoding prior to writing the file.
Alice's GPG key
Complete these steps as the persona Alice.
Define a shell alias
gpg
that interacts with the Docker GPG container for the Alice persona. The container is named, uses a volume mapping between the host and container for all GPG configuration and key material. The GPG console is specified with an environment variable, and the container removes itself after each execution.$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg"
Create the GPG configuration for Alice.
$ cat > "$HC_LEARN_LAB"/alice/alice_key.conf << EOF %echo Generating a basic OpenPGP key for Alice Key-Type: 1 Key-Length: 4096 Subkey-Type: 1 Subkey-Length: 4096 Name-Real: Alice Name-Comment: Alice is a Vault PGP user Name-Email: alice@example.com Expire-Date: 1 Passphrase: recede-yard-unwilling-shrouded %commit %echo done EOF
Generate the key for Alice.
$ gpg --full-gen-key --batch /root/.gnupg/alice_key.conf
Example expected output:
gpg: keybox '/root/.gnupg/pubring.kbx' created gpg: Generating a basic OpenPGP key for Alice gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: directory '/root/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/848950117127B2BA8615ABE08930D1B13CA8F9BB.rev' gpg: done
Export the public key for Alice into the file
$HC_LEARN_LAB/alice/alice_key.pub
.$ gpg --output /root/.gnupg/alice_key.pub --export alice@example.com
This command is expected to produce no output.
Bob's GPG key
Complete these steps as the persona Bob.
Update the
gpg
alias so it interacts with the Docker GPG container for the Bob persona.$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-bob --volume $HC_LEARN_LAB/bob:/root/.gnupg vladgh/gpg"
Create the GPG configuration for bob.
$ cat > "$HC_LEARN_LAB"/bob/bob_key.conf << EOF %echo Generating a basic OpenPGP key for Bob Key-Type: 1 Key-Length: 4096 Subkey-Type: 1 Subkey-Length: 4096 Name-Real: bob Name-Comment: Bob is a Vault PGP user Name-Email: bob@example.com Expire-Date: 1 Passphrase: giggle-suing-starring-sugar %commit %echo done EOF
Generate the key for bob.
$ gpg --full-gen-key --batch /root/.gnupg/bob_key.conf
Example expected output:
gpg: keybox '/root/.gnupg/pubring.kbx' created gpg: Generating a basic OpenPGP key for Bob gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: directory '/root/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/0F4AA2FB5D60A0ACB2B0736CBABA346598D87E72.rev' gpg: done
Export the public key for bob into the file
$HC_LEARN_LAB/bob/bob_key.pub
.$ gpg --output /root/.gnupg/bob_key.pub --export bob@example.com
This command is expected to produce no output.
Carol's GPG key
Complete these steps as the persona Carol.
Update the
gpg
alias so it interacts with the Docker GPG container for the Carol persona.$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-carol --volume $HC_LEARN_LAB/carol:/root/.gnupg vladgh/gpg"
Create the GPG configuration for Carol.
$ cat > "$HC_LEARN_LAB"/carol/carol_key.conf << EOF %echo Generating a basic OpenPGP key for Carol Key-Type: 1 Key-Length: 4096 Subkey-Type: 1 Subkey-Length: 4096 Name-Real: Carol Name-Comment: Carol is a Vault PGP user Name-Email: carol@example.com Expire-Date: 1 Passphrase: unnerving-appealing-primarily-overload %commit %echo done EOF
Generate the key for Carol.
$ gpg --full-gen-key --batch /root/.gnupg/carol_key.conf
Example expected output:
gpg: keybox '/root/.gnupg/pubring.kbx' created gpg: Generating a basic OpenPGP key for Carol gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: directory '/root/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/54D8C3DB5FA6B8E44B271778C81FB6D3D670977B.rev' gpg: done
Export the public key for Carol into the file
$HC_LEARN_LAB/carol/carol_key.pub
.$ gpg --output /root/.gnupg/carol_key.pub --export carol@example.com
This command is expected to produce no output.
Dan' GPG key
Complete these steps as the persona Dan.
Update the
gpg
alias so it interacts with the Docker GPG container for the Dan persona.$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-dan --volume $HC_LEARN_LAB/dan:/root/.gnupg vladgh/gpg"
Create the GPG configuration for Dan.
$ cat > "$HC_LEARN_LAB"/dan/dan_key.conf << EOF %echo Generating a basic OpenPGP key for Dan Key-Type: 1 Key-Length: 4096 Subkey-Type: 1 Subkey-Length: 4096 Name-Real: Dan Name-Comment: Dan is a Vault PGP user Name-Email: dan@example.com Expire-Date: 1 Passphrase: shawl-stem-elective-stoop %commit %echo done EOF
Generate the key for Dan.
$ gpg --full-gen-key --batch /root/.gnupg/dan_key.conf
Example expected output:
gpg: Generating a basic OpenPGP key for Dan gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: directory '/root/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/A6047CE604B888DD04DEFCE28B973C1C27DA6FBE.rev' gpg: done
Export the public key for Dan into the file
$HC_LEARN_LAB/dan/dan_key.pub
.$ gpg --output /root/.gnupg/dan_key.pub --export dan@example.com
This command is expected to produce no output.
Frank's GPG key
Complete these steps as the persona Frank.
Update the
gpg
alias so it interacts with the Docker GPG container for the Frank persona.$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-frank --volume $HC_LEARN_LAB/frank:/root/.gnupg vladgh/gpg"
Create the GPG configuration for Frank.
$ cat > "$HC_LEARN_LAB"/frank/frank_key.conf << EOF %echo Generating a basic OpenPGP key for Frank Key-Type: 1 Key-Length: 4096 Subkey-Type: 1 Subkey-Length: 4096 Name-Real: Frank Name-Comment: Frank is a Vault PGP user Name-Email: frank@example.com Expire-Date: 1 Passphrase: capitol-wasting-darwinism-surcharge %commit %echo done EOF
Generate the key for Frank.
$ gpg --full-gen-key --batch /root/.gnupg/frank_key.conf
Example expected output:
gpg: keybox '/root/.gnupg/pubring.kbx' created gpg: Generating a basic OpenPGP key for Frank gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: directory '/root/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/4B6324B4C2AE1ED061075BB56D3AEFA0E11E803D.rev' gpg: done
Export the public key for Frank into the file
$HC_LEARN_LAB/frank/frank_key.pub
.$ gpg --output /root/.gnupg/frank_key.pub --export frank@example.com
This command is expected to produce no output.
Some of the steps later require base64-encoded versions of the persona's GPG public keys. Before proceeding, create a base64-encoded version of each persona's GPG public key.
You can complete this step as the Alice persona.
$ for persona in alice bob carol dan frank; do \
cat "$HC_LEARN_LAB"/"$persona"/"$persona"_key.pub \
| base64 > "$HC_LEARN_LAB"/"$persona"/"$persona"_key_base64.pub;
done
Now that you've generated all of the GPG keys, you can use them to initialize, unseal, and rekey Vault.
Initialize Vault with public keys
Initialize Vault with the 5 GPG public keys specified to encrypt the key shares, and Carol's GPG public key to encrypt the initial root token value. Write the initialization output to the file "$HC_LEARN_LAB"/vault_init_output.txt
.
$ vault operator init -pgp-keys "$HC_LEARN_LAB/alice/alice_key.pub,$HC_LEARN_LAB/bob/bob_key.pub,$HC_LEARN_LAB/carol/carol_key.pub,$HC_LEARN_LAB/dan/dan_key.pub,$HC_LEARN_LAB/frank/frank_key.pub" -root-token-pgp-key "$HC_LEARN_LAB/alice/alice_key.pub" > "$HC_LEARN_LAB"/vault_init_output.txt
This command is expected to produce no output, but you can list the file contents if you want to verify.
$ cat "$HC_LEARN_LAB"/vault_init_output.txt
Example expected output:
Unseal Key 1: wcFMA7NpuNG2vp+sARAAjP/ddU9tNliX32nLSqfGjFsoD0hVwIFPRyBZJIoREX1gb3vcmeosFHvT4sJjE63q0JB776epNjxevj3X3sqPV3h+0groThnzdSQhluwYOVY532I42B3ffKdAY4MMeH1izCLvBzP5ZT2plPlcHKhbem47/gnp9ndbhXntBYGSBvnCa50zPDZ60pnG6BQ6rV+VlM5lYLOc/kfnmthrC1UQm1tuBOpHdPsYfh/FwlraKnLl0XUkLNfWdw3Pd17bdCLYqU/AeYS+ae5Hbk5d1MTvUhxRsjearE7J/iDgjjNUpi8qMBjrrzd3Lj2lMyYb8iE+IUFi+y1ZyhfMDX7QTIVlkjq5cl3MTUfk6yckbsEngkeWKA4IjlUjlDFMqty9m9IDBVt6WUl7LF2S15duS9gAgBP3dSxYP/xXrJuSaiCv07IzLSP4r08VPueyemMBwo8ODTZk3Cz8GXQPB+TX21KcJ/nWRZPKTxrIIqKSJsVnaRkeAXd5dYXA0pvdPvf4EuPgq/f/SnJJUOvJ8x2dEtBlc8FiXWgkh+NERSdFFHZ78TtLciEd4+046CED6vj+LypFo2GBqCX99Iaw9lSo4dhXIa53QOllZJ58XQ0u0wOct75aaFjGDdFa/wcwSoOohu02zTz5i/pJ5rmp8AbbEN0GLmuuPZRZIdUxPPc4WpwQ7tXScwGAVMpRpu6oaLK7uaTQ3qA3+k9DqFT2uHw7u0qmTSQmTmexrC/JbtnAVdMmATItHsCCxLLIPd/R5xNHeMEFkw99neGSJ5K98k7o5BVZfvgJoaig3fGoW3uO5lNVaocO0UgCiXHRJTcwJix+S6Qie4jJCbg=
Unseal Key 2: wcFMAw4Dy3YtKW8nARAAnk1TvAJZ7Ve2N00c1krxxxXWXP/h7cbO66sfIBeBycCWhFK/kxzEMIOonlZwshCa9ZxL9LEITKuS7VdWoMWocNC0dz3pK/j8eb61cZii98STNbZJW8bKV1AQu5sKNd9FMyMcU8QUZ/dto+azemF2Ro82HI3pu4gHmK4bC2gWwaF01N7Xh9UcTOSOiuAXq1uP3B1UZpocfqIaxTgv7fZjoPasmcoPHX3wf5YiRpWy4FS9Yl+19tiYy+8TQ4pFmrR/18+y6CUhmwyS9MFCzMuw16M+7vnBvzeMsvvFYczq1/R3ygqz6BakT+noNp9XO2C0V37BE8rxatUb5dY7FwRrJ8IKCfR0IMxjUB9inI3HZL62gUEosC/tj9+RZhDcubTMN/pV3dIW6LF+C4HK4FzvKYPKyyEjIxRtjSXSQR3k+60MrM9Lq1DXmUR4vfNP1PWg9hlYUcypx+A//zCmVbZ9KEcIYqQ47F1dlS2sCk5Jefk8pB6+ZG1beT+sCNP7WhGU8v5Wj9GAglsi/PglQVIPQX6wvzgOhxj+MZxhF6bMwxHw6/k/K3rrWHqfaTN1lbfu58hkmhxTOT702PS7CSfDbtCHhhtji7yohwmmz0c01AFQJm5O53umOML99gHXUoZzegPkKYbj7o7AZ3SIvAvssevIoMZE1XG1/Qq0ffU2F4LScwGFN1JTmk11rLkqe8egWwxBQseZv8KxYArZRSMhp7xrISoAeUzBl1vAEHfddUqj0vdAUCKX7FePQVbnukS0qtaEKLtTMHkU5WfjKfVxb7Gtd//Hey2WBrD/UR7o5VY3GkzKkF35Dm25bpDLzD1CSlz5LY4=
Unseal Key 3: wcFMA8d6pxB9YmVGAQ/+N3RTigxf2cv0BP02qYgrztsA+ZaYLq/EIOgE3C6RvWwuhdkQ+qtuIr1i3bZbioWWCl8nHbLLWp49zTJsUpWYFCVyodeRywIWIhFG++JrZf2I4oX4NcKqSpk4404v2mpQUgFnI7WyccCgaWtrRFkT94s0ooiDp0cloX96YfRsC+s1tDOMJdOGCfQfzOSGCtjtpCRVplD0hOEd4+Mfyk16SspegQXGwikOQze/sQOgZlGvNMtV0rFZFTEXdFr98UQw4Hg13nrffydNc4Qa5Z6WQIs5AUewBHW8rmlw3bmnVuYrOvWgABE9/DbeW1K6Jl5y8Pxc8maGZQciYxv1jDyXCm188NS7RE+GwW879Fxub6F405W9sQJbB6b4Wphhk9oybWMSMZNBy95mfHTBaOCFsIPfF0Mb9O8khoTHd6DAw1mbeWByhjXGIF53FVs8H+ifEj80qipllZpqKWIg0bhJLw+qDhL4kYAFKV01N+cYzdeiEMqrNG0OiQ2LgJKquMplkuqT/B3mIRZt2daO5UU9smp6YdNk18phvOeJnInWe7plj205NlEXY5IR8CFXmhnNgKKyIbxl5ij6tCsa+DYcAmOfVGeHhbdhXzztuYN6FD1uncG1eo0jKgjmxPnZoNmTCDk2VTTW5MqUutabeLRAtAQUXLiqSvfGefvb2Y5iKXLScwG4Y2wkPP8rITaJMlifz5FXzXWLkD/xiDTthWGYRhmId6TYcV5AeG3koHmCcWhG/xxtatvsXsLT18Ki50SdL1wFr4sGw5Wu+OWv7EqtPmN5tUJDJqacS28sKD4eWhnkokgkEvQGWUG/4nRlmkb8N0kg8r0=
Unseal Key 4: wcFMA4lyDC6UCT1HAQ//b2ZUUBw8vlur3J++zxMVsKUtFpJy0xD0cY1X/6yDOlxHpnMexMKYazebPKxoulmZZ3eh7IghCvV2hOvhUPgh+BdlWnz/5w4bXF9G6An/7kG/ILvcZD4+pwr6CGf0LNr7pQWgdTzxd10XhvUgJdmd3O6i9GVAnc8gFscbjxt+vOrUvjfaMvqCnHHIEybChctryiDdDH+BMgE7mdIUHJMAWkqsl86xWoXBhOPruQEiQ13wI63rxxMaC6aXOAkJ5ezvtuyuQ1YohxnS7giTEw0vBjOwZSd8URmIaud0b6Q0RJOIkjjUkXXDOT7dMSUD7i8mwBnwrdFb//2DhjC6/JoOkrPbQzaMvoq8r66hM/eBD3SieDSyDrYtMzeV5aQhfPyZpv7Meg/yOcesP1Dy5vdhXROcAi08k0+Zl/vUvTs/gQIhrm//GJEzrx9QZSKi3yAJUCAzW/ResK4APhfjRzOxFwLFbqx1W7AvC73DUaVl0LY7jb4uiIM4791HqPefFaZRT9B9mrrb1rEMIW7HB+R1eX+/+ahxmX/2stfBfqSeIIFcWCLznfrpRqIVeL3og6fS9kmAn7ojCfBoF4hEBqqDaR942P9XkJ0okzv3Cc+hlP5OknV1wDXtUhJ8TbdBUDOhhpUf1a5azybdwa0T2J3tPeSHUqcnhjTmMWxiT2KggCTScwFRo1EIOVIPwgn8SN0mJ8PBeZgXTriU1NED3/xEs/zzUxv7K6uNeahdOcYXqZJAplPfFY/PeiGZqePdyICzApuuwbyXm1hM8yDXV2jXz1mSn33ycyJd4CrBcPEnNRvDjdQXnthyMtlwxwBNgrUOJxP6ELY=
Unseal Key 5: wcFMA0eb9Y4KFLbTARAAz8w8bePJ6D2txcwQ6Rse5rIss//tfsItTvQpVHCWZKjoYYt5ftLwnzEStIWC2mxI74tjujl7rNxJ+vuek7l/P6gGqF44yCmq7lRF35tNDPsLbf7lqGPnjqJgrQby56RYfm4qHYNB5XW4CkkUuXpHYtp850/1p6vhjHrgrIfJs0wwOIuEB+yJDlQiq5wOLe0+L2U0fM/zbUK9z9SnMrHROYXXXvUpMqe9stTpl8UQMZY1HNsOqo+ZRvF6YpaS5hAa/v9WnefRMzr/7ItrxgTKhMspuIjb9lTKImZdLXKjHWg9AP8CBRDLfqEibyAZLPd3xbV5kUwgpHsVvRZXc+H7DdR5fvBfKVO5+oft7PEhV7c74v6z9NFrRFwAiOp03mw14Gom40zdrDdmiVfc43I7nrPWGxbVrINkzUsesDCII1j/9rxw+XdHdVhTWKJ7UDsZFivdVHI/5qrEZvcEqB25AXHCYerAJ3jgOilv9ZH0Y1IxaUiw3EQxgZvsfUGUABE6NZY4j/p1yNxF5/utYUj4PpqP/AKaSuqfM+wuLaGZK3A0MpYfTxNbtqXqWbvK37NUH8JQpG5+h4KP7dK7SorhU9q1IaVmiAT72N6cE5tQcyt2Z1I1cxawB2w6BLOGV7vmHUH99V9OhgWMpI6YNL/EoxvvWXwj9FzkhN9PjjSMbiHScwE+ahzP6X+PUm4vIPzy2+Ph2e1/DewVT4s6/6nMlE6TNJHtV4LnCbPFF1rJUI/Nx4CoRUgyL9rmKUuj4GA+xvvNzkO7wVOFPp+YaLzVfCPX5e1fdf1B7b0CI7lKRQOSGv7AjeU4qw7I4GoFqcuiN8FYhRg=
Initial Root Token: wcFMA7NpuNG2vp+sAQ//c75x1o+Zqr/gDxvMhKsnI5+MH765KnlMN2wwPN9YkSAksb4jFll3Xshgo+J7hJ7BO2wxA1rHuWT0OVMkUlLhkCV8LJib3d//iC73c5s1DBFbJoQKXy/LlV4B3XZ+/QQ2vskDdhZNugU+Mml7s9poI/zMhKXlp7oaKgyC9lDVbelgJu5YDarm1cjGBO6RPTOKhsJ9e4zzEs+5uwlhDrczxIT36SMAq8uQjR/Vxqpl9WszVpwIPFVlWMWVqL5EN4DtugpKrLt/uoGaGXOYUgJ+HaguarCx/HbHY8bThKIGx1xYNgsF5tJlfrINfiNQh9h1zNOTQ77/P8uNOpfQM+EGNUQzEnY7PWTVTBODrNrqfKaWsZDhZgu0TqKeVwZoHHMF2ixciUKX8Z3BdX91ihJyh47LaXyhTbgrLMS9fIh17fW53vDoZFVnXa/EAkRgPuYj/Crsnv5GrEUsTBGTU4Cp0OP75YGfK7HLM4nut/Sq1c/ZppD/42ZbYGvPYywwVNdUHxASop8m1D5kiBV9Gcv0Fgg8/6sj2157UCMWoTDvAr7p5ZBCcMLz1DziZXmIf3r0nR5BQ1gz5VlgTLxqebx9PE5Kktggn1snPNpylViPVtGT83E5uON1f8lyO2j4p0w3dlR59vSEVm7viugbsdqLrOcgiTec13TwAyovJJe+MqPSTQE/fIBrsni0mHIMKdPV0jrfKp4jX0uAIROtFoLCPKXSf1OK2Mnodb0V0pFksH0GjSaceizcd0P4ZRv/fb7LKRStnBZMyclx7ixv2mGO
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
The initialization output shows base64-encoded and encrypted unseal key and initial root token values.
Unseal Vault with encrypted key shares
You initialized Vault, and it output the GPG encrypted unseal key shares and initial root token value.
Now you can use the encrypted key shares for Alice, Carol, and Dan to unseal Vault.
Your workflow for each encrypted unseal key is to use Base64 for decoding the Vault output value, then GPG to decrypt that decoded value. The result is an unseal key share that you can pass to Vault for rekeying or unsealing.
Tip
For the examples in this tutorial, the following passphrases are used. You need these passphrases to decrypt each of the key shares used in the following examples.
- Alice:
recede-yard-unwilling-shrouded
- Bob:
giggle-suing-starring-sugar
- Carol:
unnerving-appealing-primarily-overload
- Dan:
shawl-stem-elective-stoop
- Frank:
capitol-wasting-darwinism-surcharge
Vault returned Alice's encrypted key share as the value of
Unseal Key 1:
when you initialized it. To make the unseal key data available for decryption, you can base64 decode it and write it to the file$HC_LEARN_LAB/alice/alice_unseal_key.dat
, which gets mapped to/root/.gnupg/alice_unseal_key.dat
in the GPG Docker container.$ grep 'Unseal Key 1' "$HC_LEARN_LAB/vault_init_output.txt" \ | awk '{print $NF}' \ | base64 --decode > "$HC_LEARN_LAB"/alice/alice_unseal_key.dat
Carol's encrypted key share is the value of
Unseal Key 3:
. Base64 decode it, and write it to the file$HC_LEARN_LAB/carol/carol_unseal_key.dat
, which gets mapped to/root/.gnupg/carol_unseal_key.dat
in the GPG Docker container.$ grep 'Unseal Key 3' "$HC_LEARN_LAB/vault_init_output.txt" \ | awk '{print $NF}' \ | base64 --decode > "$HC_LEARN_LAB"/carol/carol_unseal_key.dat
Dan's encrypted key share is the value of
Unseal Key 4:
. Base64 decode it, and write it to the file$HC_LEARN_LAB/dan/dan_unseal_key.dat
, which gets mapped to/root/.gnupg/dan_unseal_key.dat
in the GPG Docker container.$ grep 'Unseal Key 4' "$HC_LEARN_LAB/vault_init_output.txt" \ | awk '{print $NF}' \ | base64 --decode > "$HC_LEARN_LAB"/dan/dan_unseal_key.dat
Define a shell alias
gpg
that interacts with the Docker GPG container for the Alice persona. For the purpose of this tutorial, you can pass in Alice's GPG key passphrase with the--passphrase
flag.$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg --passphrase=recede-yard-unwilling-shrouded --pinentry-mode=loopback"
As the Alice persona, begin the unseal operation by decrypting the encrypted unseal key with GPG, and then passing it to Vault.
$ vault operator unseal $(gpg --decrypt /root/.gnupg/alice_unseal_key.dat)
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 91002A8F909C6714, created 2023-04-17 "Alice (Alice is a Vault PGP user) <alice@example.com>" Key Value --- ----- Seal Type shamir Initialized true Sealed true Total Shares 5 Threshold 3 Unseal Progress 1/3 Unseal Nonce fd60be59-ccb0-7789-8f11-a7d52cff410d Version 1.13.2 Build Date 2023-04-25T13:02:50Z Storage Type raft HA Enabled true
Update the
gpg
alias so that it interacts with the Docker GPG container for the Carol persona. For the purpose of this tutorial, you can pass in Carol's GPG key passphrase with the--passphrase
flag.$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-carol --volume $HC_LEARN_LAB/carol:/root/.gnupg vladgh/gpg --passphrase=unnerving-appealing-primarily-overload --pinentry-mode=loopback"
As the Carol persona, continue the unseal workflow by decrypting the encrypted unseal key with GPG, and then passing it to Vault.
$ vault operator unseal $(gpg --decrypt /root/.gnupg/carol_unseal_key.dat)
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID C8DFC373E8AC8E61, created 2023-04-17 "Carol (Carol is a Vault PGP user) <carol@example.com>" Key Value --- ----- Seal Type shamir Initialized true Sealed true Total Shares 5 Threshold 3 Unseal Progress 2/3 Unseal Nonce fd60be59-ccb0-7789-8f11-a7d52cff410d Version 1.13.2 Build Date 2023-04-25T13:02:50Z Storage Type raft HA Enabled true
Update the
gpg
alias so that it interacts with the Docker GPG container for the Dan persona. For the purpose of this tutorial, you can pass in Dan's GPG key passphrase with the--passphrase
flag.$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-dan --volume $HC_LEARN_LAB/dan:/root/.gnupg vladgh/gpg --passphrase=shawl-stem-elective-stoop --pinentry-mode=loopback"
As the Dan persona, continue the unseal workflow by decrypting the encrypted unseal key with GPG, and then passing it to Vault.
$ vault operator unseal $(gpg --decrypt /root/.gnupg/dan_unseal_key.dat)
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 6ED85F446B6FAA27, created 2023-04-17 "Dan (Dan is a Vault PGP user) <dan@example.com>" Key Value --- ----- Seal Type shamir Initialized true Sealed false Total Shares 5 Threshold 3 Version 1.13.2 Build Date 2023-04-25T13:02:50Z Storage Type raft Cluster Name vault-cluster-ae243d4d Cluster ID 51ae1a01-6ebd-1f6e-ade0-312c644278a1 HA Enabled true HA Cluster n/a HA Mode standby Active Node Address <none> Raft Committed Index 31 Raft Applied Index 31
You've unsealed the Vault server with GPG encrypted unseal key shares. You also decrypted the encrypted initial root token value and used it to sin into the Vault UI.
In the next section, you'll learn how to rekey Vault with encrypted key shares.
Rekey Vault with encrypted key shares
Now that you've experienced unsealing Vault with encrypted key shares, you're ready to try rekeying Vault with those same encrypted key shares.
Rekeying Vault requires a token with capabilities to POST against the /sys/rekey/
API endpoints. In this tutorial, you'll use the initial root token value for this token.
Perform these steps as the Alice persona.
Update the
gpg
alias so that it interacts with the Docker GPG container for the Alice persona.$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg --passphrase=recede-yard-unwilling-shrouded --pinentry-mode=loopback"
Base64 decode the initial root token value, and write it to the file
$HC_LEARN_LAB/alice/initial_root_token.dat
, which gets mapped to/root/.gnupg/initial_root_token.dat
in the GPG Docker container.$ grep 'Initial Root Token' "$HC_LEARN_LAB/vault_init_output.txt" \ | awk '{print $NF}' \ | base64 --decode > "$HC_LEARN_LAB"/alice/initial_root_token.dat
Decrypt the encrypted initial root token value and export the result as the
VAULT_TOKEN
environment variable.$ export VAULT_TOKEN=$(gpg --decrypt /root/.gnupg/initial_root_token.dat)
Expected example output:
gpg: encrypted with 4096-bit RSA key, ID C814FA5A4887B4BC, created 2023-05-03 "Alice (Alice is a Vault PGP user) <alice@example.com>"
Start the rekey workflow. Use the
-backup
option to save the encrypted keys in Vault's core so if they are lost, you can still recover.$ vault operator rekey \ -init \ -backup \ -key-shares=5 \ -key-threshold=3 \ -pgp-keys "$HC_LEARN_LAB/alice/alice_key_base64.pub,$HC_LEARN_LAB/bob/bob_key_base64.pub,$HC_LEARN_LAB/carol/carol_key_base64.pub,$HC_LEARN_LAB/dan/dan_key_base64.pub,$HC_LEARN_LAB/frank/frank_key_base64.pub"
Example expected output:
Key Value --- ----- Nonce 216100bc-fa97-6ce6-dacd-e774a2635175 Started true Rekey Progress 0/3 New Shares 5 New Threshold 3 Verification Required false PGP Fingerprints [4f00b90c33fc6a47de9a4285fc43d002393b1f85 257fc6c27bdb928f101761cca5a489753448f1bd 3215732ef11181a20a742dfd8864f87b373ebdc0 93a9c4a954ae96b116696378f113d94f46774c5b eed03eb4be75d8657d2abb710aaa36867906299f] Backup true
Store the returned nonce value in an environment variable.
Example:
$ export REKEY_NONCE="216100bc-fa97-6ce6-dacd-e774a2635175"
Where
216100bc-fa97-6ce6-dacd-e774a2635175
is the nonce value returned to you.Each of the 3 personas holding a quorum of key shares must now submit their decrypted key share. As the Alice persona, execute the rekey command to submit Alice's unseal key share.
$ vault operator rekey \ -nonce $REKEY_NONCE \ $(gpg --decrypt /root/.gnupg/alice_unseal_key.dat)
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 4819B20CE84021D4, created 2023-05-04 "Alice (Alice is a Vault PGP user) <alice@example.com>" Key Value --- ----- Nonce 216100bc-fa97-6ce6-dacd-e774a2635175 Started true Rekey Progress 1/3 New Shares 5 New Threshold 3 Verification Required false PGP Fingerprints [4f00b90c33fc6a47de9a4285fc43d002393b1f85 257fc6c27bdb928f101761cca5a489753448f1bd 3215732ef11181a20a742dfd8864f87b373ebdc0 93a9c4a954ae96b116696378f113d94f46774c5b eed03eb4be75d8657d2abb710aaa36867906299f] Backup true
The Rekey Progress now shows 1/3.
Perform these steps as the Carol persona.
Update the
gpg
alias so that it interacts with the Docker GPG container for the Carol persona.$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-carol --volume $HC_LEARN_LAB/carol:/root/.gnupg vladgh/gpg --passphrase=unnerving-appealing-primarily-overload --pinentry-mode=loopback"
Execute the rekey command to submit Alice's unseal key share.
$ vault operator rekey \ -nonce $REKEY_NONCE \ $(gpg --decrypt /root/.gnupg/carol_unseal_key.dat)
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 01BE679ED28EE728, created 2023-05-04 "Carol (Carol is a Vault PGP user) <carol@example.com>" Key Value --- ----- Nonce 216100bc-fa97-6ce6-dacd-e774a2635175 Started true Rekey Progress 2/3 New Shares 5 New Threshold 3 Verification Required false PGP Fingerprints [4f00b90c33fc6a47de9a4285fc43d002393b1f85 257fc6c27bdb928f101761cca5a489753448f1bd 3215732ef11181a20a742dfd8864f87b373ebdc0 93a9c4a954ae96b116696378f113d94f46774c5b eed03eb4be75d8657d2abb710aaa36867906299f] Backup true
The Rekey Progress now shows 2/3.
Perform these steps as the Dan persona.
Update the
gpg
alias so that it interacts with the Docker GPG container for the Dan persona.$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-dan --volume $HC_LEARN_LAB/dan:/root/.gnupg vladgh/gpg --passphrase=shawl-stem-elective-stoop --pinentry-mode=loopback"
Execute the rekey command to submit Alice's unseal key share.
$ vault operator rekey \ -nonce $REKEY_NONCE \ $(gpg --decrypt /root/.gnupg/dan_unseal_key.dat)
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID CBA9F148AAEB2F20, created 2023-05-04 "Dan (Dan is a Vault PGP user) <dan@example.com>" Key 1 fingerprint: 4f00b90c33fc6a47de9a4285fc43d002393b1f85; value: wcFMA0gZsgzoQCHUARAAmOv3d8GxgPdgZllTa+KT9NTmcvWf8omNkRcJDwHoEiB21qqFMKy6273JyUlGdomygWTpLfTHOfCLGF7IXDaPuTdwurw/mXkMpiS9xBUNjkvXJ2EyIEACh7rRIaTq3+IGSrae5MeaOmmQl9FEx9J0RvCajfuIY6hrtUn9FoIFD7Okq3Jq0QJJftHuLovxzOQEOjw6Qtk7M4eTg8dQDgWljti2LLBDCCDY9YRTzv1Zf7ptfuGc3LVOldt/HaE9JvUsRgnWzNDlGLvLWGG37SFCRNJTuDuoEs7ki9mJYLPx1LxL+wHta+s4d9mpYxOS+XdQn1ETRhbHhDFJD8bYaH+f0U47MjnCWGhHQmbLlhZrDegXlQK4mKePBY6BHz2a3Vc4jSRLtNq4XcZb1KTKT5HekclsqffggNHQakGYC/u9/aHVGIffYvEKGTTXng3TpYrEVC9YlaNBo6gXYxW+bYygieOxrg+X1sEKOjemtIvurIBjomTU5Z5qZgI10XsL3IuuTAR7fIuPBK/m/vtleuFdKvCQgfmjAxWtxlK18FF5ovORO3A5878WjR8KYQnUWTt1AahSTXyW+4f84cFXs4C8gi6zaet9NILyD7zXYIxfSdpj4PC8oVGkdjLOz58CfAg1f0T16AdNNW4oquNS4E0ewen27V7Bp5NybcK9tOuGXR3ScwH0D3yiFiwJPga8gQvtFq+fAhVMwCKCr0xYP3X3+/O+mbEAQMeLuxD8bEMEIVZ7DGtmP66FOg378pKiBhjTX7S3VOcjbUAaLzf2JqaG4b7PMtmPSHKALtapN77VG2SguEKjd6xOtaCEtWiRGRJs4+DqipU= Key 2 fingerprint: 257fc6c27bdb928f101761cca5a489753448f1bd; value: wcFMA8T3p2AFsDorAQ//TyzgY8dcvG6YgZ9H7uolN7SuTnS4p7jBcIkP3XU0N7dfqU9dcwYI9YZ0F6Dxg4HH4Sd24ZZ4H1xcFaJ4AF8AXgnwdXPeuqugn6x0xZH3paTwABwyexYddQxhbe62pVb60TbgVurNjPpOwz/jU39SBsToWtql2LVDyZ4yM5cNmWfzPs6qpgcNuVmuDoUojXwzZjmg46UOhxIcrgG/+dnG84kB5YL4j9UBEemC8NTWXoY0HD5k4MkuaLuuOdBrQGozn5m4M5h0BLP+D2XUchLcvs50GjgCbbaE9MMoU6l4NMmMA1fGl63UhyJb9miv4PWSs7NfX2K/qm/lbyLvSDEq+ZEFqkuSsreNvxQ5ktFp0STEf0xwO36C+eOCJz6DC1MI1SAQX4jMCOBV8xU9XBDvnjXNpn0eXZQx0fIvu/3CzxjWx1uVf1i9FZpd+J2DVa8EIZF8idrlPQ+cl7QSCboi0q1tp1f6XYLoPK+9GvaWruUGPCSMN1qBXr4lWvNFv9txPC8gsnxSyDcTTNF1vg35ZiXie04OuUQqMy3GJYp8D9B22szX7O23jb8KOZF5DtmO1od3GXClVx7K7t01yYCir/TTX+zl7WfB6YNqky3xVb0rQHx8eru0duUOmoW5B532mZ3ul/AlGJOhuY0Ip3lAj/nhcvcVNPfrQoTRYgiaTSvScwGm02X0FVO+naJniuYZY0f5UATHaScP9D6IyiUrdTUuzoUcMfqM9jLCKoT4SA33lV5xbgCrYZbx5pz2D6/pJk+XtbsJGDHkqO5QXH4vGQCLdbqLSG+rm2iQnC3OB2NwiyWgAAR6KzDr//hefYt9FXn482k= Key 3 fingerprint: 3215732ef11181a20a742dfd8864f87b373ebdc0; value: wcFMAwG+Z57SjucoAQ/+J18Dnjx7s5GU9Ft2EOFBV7CsxSP7obsyltP3Q12EVTDcDmHhvTW4yUqP6l6Jccb7R5LFWwTc9YDxlDFXGGEPocI1IP8K0Bg4DjXztHdeV7gZU+RWisaCryNbXB2H2drIORRr0/Q75P3P0c0hg8ceBCJjyxiDLaCMXjlLhpqTH+ototkOBoMWRzoOsyzPv2DPIdJlyZ+JsmAjGwnL3AOjt9uTgLBtnICioWOZVIduX28rutDpPxn3a6XNn6uk4dTjf2tQ43QXpAp8KaisnvyYoKiscerD89gm0NjXMd1K8Ap1v676AtJsSTZgOCzfv6av1h5iLV4/gEP3RgHQm2g+z+IoIphiRnrCzbN+QFKzud5gZtuJJyj0YxCGsgl5p/toM71jIqrw+V8CQ4ciOOMa6H3BetjqDTnddvTdG2QT3IJQOaim3eVVqWTDAu7xKLvtTmFP9pvAI96vB9OVAx5yl3CHLV18olmM9SD5Ji5VGF5rTr8RBBKJwjlrtIei2lUgHvkiw/1jxTYkIc3X8LqJidtUd/ULfsQx3v58KdwNy2iT/GrGUiiKHcZijjQnBRzI/27gV1utQCOwucSygBdCb6pI1mx/F9MaDioW3pKwMhz0SbCbc1EMycOsIj1oaKQ4NnYcq6Apm5eJ12cgqfKZuawIdnZFkD0dZ5xj02JKWpbScwHPbCYLRKRyTS+XIvj8B1RQkXU7m8p+erYukix+wDI0YGZiAnNxo+qp7s7KxUPpVdGCmepCA5/CcUuGMUshIXafJZ1PpBq9A73rJt0J3YmCgl4UlLUDdY43RIUhqYQ3N4BypPd+VYhV4Nt3hJjQmgpgwwc= Key 4 fingerprint: 93a9c4a954ae96b116696378f113d94f46774c5b; value: wcFMA8up8Uiq6y8gARAAs5FUHgZ4dDsMrnQFclNGel/krwYd8H3cm/sbpGKZrc264tMOJdlDhVXmpJ43nvM7tWDwm9OfR3QFhGZeme0vBbCSm7QAn61yvTKo27XgJR5tmJYsjqdM+W2wjwFvrlmelvlb2f3qvl3JMexaNp1hL8l9O/c0ojnDq2v51ZHC4bJsDdq9ffsYx2C0fWRpz5ETLEDKkbTmPMITMKp0Heuf2pOfNoAVwb67TRT+hot6bTUByS1yA/8RetuTt5c/HhcvxVD+BORofamq0NVXZsydr2KOxhGqE8J+K8orL/fFQ1h/j8DeED1ma+pykVtac4zziuXLHtjpoBK/1WChZ2PX2CiJt4nw4GQL6rls1lk7k+ysntXU6LmoRMw6huryiFqCCLxGe9RzZSsagJIMBo59WeFrPH6kA/TvzmJiOTA+n2q4q2i4TnVVX+0ijBLEvr7ockIb/mctEAsMd60comdh1EB8uRlpfBYdzf8LKcyei+0vDZ3hstTHQxgG4Nt516T4TlaDeFukNU4O1yXVUximf9lBMDDdJAbckaU5d/990MOJDqSlJnkBMWoGW2kVpUFOKjOSvAhbFPAFvf4VEtVX7l61ybKNatiZiHzaKyJRllEcturJcuZDhkJ1h3w9WrPI+N198cfFnS1Jce3XuiQrjZJb46w7KdDfpvT+/6/4ehXScwGfRX5hfLzBpumOLLtQ3xqPi5d0nRpua6XDOGm6rEeSrj5E6pTm5VYHiU67hLi3Za97U0L6rfMFNtyMhUgg0xU8Qcev4CbD54bVWG6uiyEfnspieRLGspIo/FtpCD5sB/z3bEZX3Uh1v6RXXQEUeP7Xa8s= Key 5 fingerprint: eed03eb4be75d8657d2abb710aaa36867906299f; value: wcFMAxlo+iLMDjOcARAAm1TXdjvDIxJvQAI+fdNMfU9Y5129KB4rRMmZfNls19L4nbzOZ4Mhwpx6ezaUREcXJAGW2cIxonjPBA3n928vfrr+VzKrVB+g6WswERvgm62FFIXBpGkkDCZV5aCvQRJktBAXGlXXaq3rbPeNgLoh0DGHRUpk93Z9SVypQF3iWMVyI1Zuk7HR3RxYz0/0ByOsrnKcvyMD7CgDnjMCIhPTh0+aaND9C7jb6svLtPPZEAsnXcXWUS8eV4OlcjB6tSpPoddg+8GIia2X/ghqXYbAKPB3ZVGlDgo05isFBUPkt6U6IsXqTzPmq0pBDLMXzG9YM/JoKIxWye9vk5YG6TbxfMvKNHOryQUqjC0uG2PbsUGnBxYx7ABAyJ7WLVib3oqiSMeKzTiJlQ9e+Slwupvclaf0JwtAEWyLGO3EsWh5VbAT85JhhuXbNsIlJuMUHDl5GjImcBmtJdd0G2hePuP08UfxmbU4vH1bsIs9EsafxyfJfTZRjVKFjSsb46el+/4WgyuowuUH40bGwHie0v36DA1stFR6Q1B8ewbnMEO/IFvarfKwt8evShRn/Io/UxjNf9EoP4//Sf1eonETw/1TnxWvxJMUKAA04FkmolVvFlpVN84V47wHaKjPX0wFoz2SCiYPiXMV1epVqbyfSLxMcBSeJx0hFKJhMLCcEi6a7l/ScwG2yGo9FSeC+uMykiEeHm65wHSdjxTc7k2Dh0KVjYp5rqJTUSCSkBfM7oMpPpZezZLN1P2CmQ+WrMNHoV622M39P/PmI1jpMLcp8DDPXaGjdeJKVvA5J42ELlanWhrbLDxLEZHWkZ19F/12xTpMACWnNwE= Operation nonce: 216100bc-fa97-6ce6-dacd-e774a2635175 The encrypted unseal keys are backed up to "core/unseal-keys-backup" in the storage backend. Remove these keys at any time using "vault operator rekey -backup-delete". Vault does not automatically remove these keys. Vault unseal keys rekeyed with 5 key shares and a key threshold of 3. Please securely distribute the key shares printed above. When Vault is re-sealed, restarted, or stopped, you must supply at least 3 of these keys to unseal it before it can start servicing requests.
You have rekeyed Vault with encrypted key shares using the CLI. Vault returns the new base64-encoded and encrypted key shares. It also makes a backup of the keys, and stores them in Vault storage.
Next steps
You can learn more about Vault seals in the Vault Architecture and Seal/Unseal documentation.
If you'd like to learn about automatically unsealing Vault with cloud based seals, a hardware security module (HSM), or the Vault Transit secrets engine, review the Vault seal configuration documentation.
Cleanup
Stop the Vault Docker container (Docker removes it automatically).
$ docker stop learn-vault
Remove the Docker network.
$ docker network rm learn-vault
Remove the hands-on lab directory.
$ rm -rf "$HC_LEARN_LAB"
Unset the
gpg
alias.$ unalias gpg
Unset the environment variables.
$ unset HC_LEARN_LAB VAULT_TOKEN VAULT_ADDR REKEY_NONCE