HashiCorp Developer AI Private beta now available Sign up today
Vault
Ops fundamentals

PGP encrypted key shares

  • 42min
  • |
  • Vault

Vault encrypts data with an encryption key. That encryption key is further encrypted with a second key, known as the root key. At Vault initialization time, you can choose to split the root key into a number of key shares using Shamir's Secret Sharing algorithm. When using the Shamir seal, these key shares are called unseal keys, but when using an auto seal or HSM, they're known as recovery keys.

Diagram showing Vault encryption key, root key, and key shares

By default, Vault splits the root key into 5 key shares, and requires a quorum of 3 key shares for reconstruction of the root key to use in rekey or unseal operations. In the diagram, the key shares held by Alice, Carol, and Dan satisfy the quorum, and represent the users which participate in the examples for this tutorial.

Challenge

Diagram showing Vault encryption key, root key, and key share split

When you initialize Vault, it returns hexadecimal-encoded or base64-encoded representations of the key shares and initial root token value in plaintext, as shown in these examples.

Learn more about the init operation and its output using the Vault HTTP API, CLI, or web UI.

$ vault operator init

Example expected output:

Unseal Key 1: eUc0ff332w8rOLBMyvP2yWRZ+t8NlwZ+cMUDbAe4Zm+8
Unseal Key 2: w9uzo61xXcxu5hz9uzJwsvz5RQCXc0ff33tN44HjOWy0
Unseal Key 3: 5es3Q9ZPoEU4xldKKQ5bWb8c0ff33rk1gO/rZNZltfGD
Unseal Key 4: jm7s/xixDc0ff33cqKw+LLUWj2yqtH3I0LovL9jBYVb2
Unseal Key 5: ejfqbLS8wSfYcTfes3fjQNkkYoTcmqE9YMJwbfc0ff33

Initial Root Token: hvs.7wc0ff33iCtoMXiP7LoJOGjj

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Vault returns base64-encoded unseal keys, and a plaintext initial root token value when initialized through the vault CLI.

This is acceptable in certain circumstances, such as development or evaluation clusters, but you could require more protection of the key shares and initial root token when operating in production.

Solution

Diagram Vault encrypting key shares and root token

Vault can encrypt the key shares and initial root token value at initialization time with user-supplied public keys generated from any RFC 4880 compliant PGP software, such as GNU Privacy Guard (GPG).

Tip

Vault also directly supports encrypting key shares with GPG public keys from Keybase usernames, but that is not specifically covered in this tutorial.

When you initialize Vault with the pgp-keys and root-token-pgp-key options, it encrypts the unseal keys and root token value with the specified GPG public keys, base64 encodes the encrypted values, and outputs those values instead of plaintext values.

Scenario introduction

Your goal in this scenario is to explore using Vault with the Shamir seal, and to encrypt the unseal key shares with GPG at initialization time. You'll then learn how to use the GPG encrypted key shares to unseal and rekey Vault.

First, you'll use a terminal session to configure and start a simplified Vault server Docker container.

You'll then use GPG to generate 5 distinct sets of keys to use for encrypting and decrypting the Vault key shares.

Then, it's time to initialize Vault. Acting as all 5 personas, you'll pass in the GPG public key from each persona to initialize Vault with the API, CLI, or UI. Once Vault initializes, it returns the key shares, each one encrypted with the GPG public keys which you passed in at initialization time.

The 5 key shares are distributed to Alice, Bob, Carol, Dan, and Frank, which for the purpose of this tutorial just means that the encrypted key share value gets assigned to an environment variable after initialization.

You'll then act as 3 of the 5 personas (Alice, Carol, and Dan), and use their encrypted key shares to unseal Vault.

After you unseal Vault, you can then act as the 3 personas, and use their encrypted key shares to rekey Vault.

If you are unfamiliar with initialization, rekeying, seals and keys, you can review the operator init, operator rekey, operator unseal, and Seal/Unseal concepts documentation to learn more.

Personas

Diagram showing personas for this tutorial hands-on lab

The steps described in this tutorial are typically performed by a team of security engineers.

You'll assume 4 of these hypothetical named security engineer roles in the hands-on lab scenario:

  • Alice: Team lead; coordinates distribution of teams GPG public keys, starts the Vault initialization process, and takes part in unseal and rekeying operations.

  • Bob: Provides a GPG public key to Alice for use in initializing Vault, but does not take part in unseal or rekeying operations unless needed.

  • Carol: Provides a GPG public key to Alice for use in initializing Vault, and also takes part in unseal and rekeying operations.

  • Dan: Provides a GPG public key to Alice for use in initializing Vault, and also takes part in unseal and rekeying operations.

  • Frank: Provides a GPG public key to Alice for use in initializing Vault, but does not take part in unseal or rekeying operations unless needed.

  • Dave: Vault operator. Configure and start the Vault server.

Prerequisites

You need the following to perform the tasks described in this tutorial:

  • Docker Desktop installed (tutorial tested with Docker Desktop version 4.18.0 and Docker Engine version 20.10.24).

  • Working internet from the Docker host computer to download Docker images.

  • Familiarity with initializing, unsealing, and rekeying Vault is helpful, but not required to follow along with the hands-on lab. If you are unfamiliar with these concepts and their related tasks, reviewing the Seal/Unseal concepts documentation along with the operator init, operator unseal, and operator rekey can help you.

    Tip

    For a thorough understanding of the initialization, unseal, and rekey operations, you can also review the /sys/init, /sys/unseal, and /sys/rekey API documentation.

Lab setup

The lab for this scenario is a single Vault server Docker container with integrated storage.

You'll also deploy some community image based GPG Docker containers on which you generate 5 sets of GPG keys. You can then use these keys to encrypt and decrypt the Vault key shares for all operations in the hands-on lab.

Tip

The hands-on lab uses GPG Docker containers for ease of use, and to avoid conflicts with any GPG software already installed on your computer.

Create hands-on lab home

You can create a temporary directory to hold all the content needed for this hands-on lab, and then assign its path to an environment variable for later reference.

Open a terminal, and create the directory /tmp/learn-vault-pgp.

$ mkdir /tmp/learn-vault-pgp

Export the hands-on directory path as the value to the HC_LEARN_LAB environment variable.

$ export HC_LEARN_LAB=/tmp/learn-vault-pgp

Vault server setup

The goal of this section is to deploy a simple Vault server container that you'll use for the hands-on lab.

  1. Create directories for Vault configuration and data.

    $ mkdir -p "$HC_LEARN_LAB"/vault/{config,data}

  2. Pull the latest Vault Docker image.

    $ docker pull hashicorp/vault:latest

    Example abbreviated output:

    latest: Pulling from hashicorp/vault
...snip...
docker.io/hashicorp/vault:latest

  3. Create a Docker network named learn-vault.

    $ docker network create learn-vault
d6a8247e3f138344c4686a517834ec2e2af68be9d728afb08bcfe21aae616785

  4. Create the Vault server configuration file.

    $ cat > "$HC_LEARN_LAB"/vault/config/vault-server.hcl <<EOF
ui = true
listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}

storage "raft" {
  path = "/vault/file"
}
EOF

    Note

    The listener stanza disables TLS (tls_disable = 1) just for this tutorial. Vault should always be used with TLS in production deployments. This configuration requires a certificate file and key file on each Vault host.

  5. Start Vault server container.

    $ docker run \
      --name=learn-vault \
      --hostname=learn-vault \
      --network=learn-vault \
      --publish 8200:8200 \
      --env VAULT_ADDR="http://localhost:8200" \
      --env VAULT_CLUSTER_ADDR="http://learn-vault:8201" \
      --env VAULT_API_ADDR="http://learn-vault:8200" \
      --env VAULT_RAFT_NODE_ID="learn-vault" \
      --volume "$HC_LEARN_LAB"/vault/config/:/vault/config \
      --volume "$HC_LEARN_LAB"/vault/data/:/vault/file:z \
      --cap-add=IPC_LOCK \
      --detach \
      --rm \
      hashicorp/vault vault server -config=/vault/config/vault-server.hcl

  6. Confirm that the Vault server container is up.

    $ docker ps -f name=learn-vault --format "table {{.Names}}\t{{.Status}}"

    Example expected output:

    NAMES         STATUS
learn-vault   Up 5 seconds

  7. Export an environment variable for the vault CLI to address the primary server.

    $ export VAULT_ADDR=http://127.0.0.1:8200

  8. Verify Vault server status

    $ vault status

    Example expected output:

    Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.13.2
Build Date         2023-04-25T13:02:50Z
Storage Type       raft
HA Enabled         true

The Vault server is now ready for you to initialize and unseal with unseal keys.

Prepare GPG key sets

Diagram showing GPG key generation workflow

Your goal in this section is to create 5 sets of simple GPG keys, which you use later for encrypting and decrypting Vault key shares. An example CLI workflow diagram is shown for the Alice persona, and the workflow is similar for each persona.

You can use a community GnuPG Docker container to generate keys for demonstrating the features in this tutorial.

Note

The example GPG configuration and runtime environment is just for this tutorial. You are encouraged to use a configuration and runtime environment that is compliant with your organization's security policies for actual use cases.

You do these tasks as each of the 5 main personas.

You'll non-interactively generate the 5 GPG keys with a configuration like this example for Alice:

%echo Generating a basic OpenPGP key for Alice
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: Alice
Name-Comment: Alice is a Vault PGP user
Name-Email: alice@example.com
Expire-Date: 1
Passphrase: recede-yard-unwilling-shrouded
%commit
%echo done

Each set of keys has these properties as defined in the configuration:

  • RSA key and subkey
  • 4096 bit key size for key and subkey
  • Persona name
  • Persona email
  • Expires in 1 day
  • Passphrase in configuration for tutorial simplicity

  1. Create directories for each of the personas.

    $ mkdir "$HC_LEARN_LAB"/{alice,bob,carol,dan,frank}

  2. Change modes on the persona directories. This increases security for access to the directories. If you omit this step, GPG warns you that the directory permissions are insecure whenever you execute it.

    $ chmod 0700 "$HC_LEARN_LAB"/{alice,bob,carol,dan,frank}

  3. Pull the community GnuPG Docker container image.

    $ docker pull vladgh/gpg:latest

    Example abbreviated output:

    latest: Pulling from vladgh/gpg
...snip...
docker.io/vladgh/gpg:latest

You're now prepared to use GPG containers to generate each persona's keys.

Note

When exporting the public key values, you do not need the common ASCII armored format (i.e., --armor) parameter. This is because Vault expects a plain base64-encoded version of the binary key output without any extra characters like those present in ASCII armored public key output. Instead, pipe the command output to base64 for encoding prior to writing the file.

Alice's GPG key

Complete these steps as the persona Alice.

  1. Define a shell alias gpg that interacts with the Docker GPG container for the Alice persona. The container is named, uses a volume mapping between the host and container for all GPG configuration and key material. The GPG console is specified with an environment variable, and the container removes itself after each execution.

    $ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg"

  2. Create the GPG configuration for Alice.

    $ cat > "$HC_LEARN_LAB"/alice/alice_key.conf << EOF
%echo Generating a basic OpenPGP key for Alice
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: Alice
Name-Comment: Alice is a Vault PGP user
Name-Email: alice@example.com
Expire-Date: 1
Passphrase: recede-yard-unwilling-shrouded
%commit
%echo done
EOF

  3. Generate the key for Alice.

    $ gpg --full-gen-key --batch /root/.gnupg/alice_key.conf

    Example expected output:

    gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: Generating a basic OpenPGP key for Alice
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/848950117127B2BA8615ABE08930D1B13CA8F9BB.rev'
gpg: done

  4. Export the public key for Alice into the file $HC_LEARN_LAB/alice/alice_key.pub.

    $ gpg --output /root/.gnupg/alice_key.pub --export alice@example.com

    This command is expected to produce no output.

Bob's GPG key

Complete these steps as the persona Bob.

  1. Update the gpg alias so it interacts with the Docker GPG container for the Bob persona.

    $ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-bob --volume $HC_LEARN_LAB/bob:/root/.gnupg vladgh/gpg"

  2. Create the GPG configuration for bob.

    $ cat > "$HC_LEARN_LAB"/bob/bob_key.conf << EOF
%echo Generating a basic OpenPGP key for Bob
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: bob
Name-Comment: Bob is a Vault PGP user
Name-Email: bob@example.com
Expire-Date: 1
Passphrase: giggle-suing-starring-sugar
%commit
%echo done
EOF

  3. Generate the key for bob.

    $ gpg --full-gen-key --batch /root/.gnupg/bob_key.conf

    Example expected output:

    gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: Generating a basic OpenPGP key for Bob
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/0F4AA2FB5D60A0ACB2B0736CBABA346598D87E72.rev'
gpg: done

  4. Export the public key for bob into the file $HC_LEARN_LAB/bob/bob_key.pub.

    $ gpg --output /root/.gnupg/bob_key.pub --export bob@example.com

    This command is expected to produce no output.

Carol's GPG key

Complete these steps as the persona Carol.

  1. Update the gpg alias so it interacts with the Docker GPG container for the Carol persona.

    $ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-carol --volume $HC_LEARN_LAB/carol:/root/.gnupg vladgh/gpg"

  2. Create the GPG configuration for Carol.

    $ cat > "$HC_LEARN_LAB"/carol/carol_key.conf << EOF
%echo Generating a basic OpenPGP key for Carol
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: Carol
Name-Comment: Carol is a Vault PGP user
Name-Email: carol@example.com
Expire-Date: 1
Passphrase: unnerving-appealing-primarily-overload
%commit
%echo done
EOF

  3. Generate the key for Carol.

    $ gpg --full-gen-key --batch /root/.gnupg/carol_key.conf

    Example expected output:

    gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: Generating a basic OpenPGP key for Carol
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/54D8C3DB5FA6B8E44B271778C81FB6D3D670977B.rev'
gpg: done

  4. Export the public key for Carol into the file $HC_LEARN_LAB/carol/carol_key.pub.

    $ gpg --output /root/.gnupg/carol_key.pub --export carol@example.com

    This command is expected to produce no output.

Dan' GPG key

Complete these steps as the persona Dan.

  1. Update the gpg alias so it interacts with the Docker GPG container for the Dan persona.

    $ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-dan --volume $HC_LEARN_LAB/dan:/root/.gnupg vladgh/gpg"

  2. Create the GPG configuration for Dan.

    $ cat > "$HC_LEARN_LAB"/dan/dan_key.conf << EOF
%echo Generating a basic OpenPGP key for Dan
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: Dan
Name-Comment: Dan is a Vault PGP user
Name-Email: dan@example.com
Expire-Date: 1
Passphrase: shawl-stem-elective-stoop
%commit
%echo done
EOF

  3. Generate the key for Dan.

    $ gpg --full-gen-key --batch /root/.gnupg/dan_key.conf

    Example expected output:

    gpg: Generating a basic OpenPGP key for Dan
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/A6047CE604B888DD04DEFCE28B973C1C27DA6FBE.rev'
gpg: done

  4. Export the public key for Dan into the file $HC_LEARN_LAB/dan/dan_key.pub.

    $ gpg --output /root/.gnupg/dan_key.pub --export dan@example.com

    This command is expected to produce no output.

Frank's GPG key

Complete these steps as the persona Frank.

  1. Update the gpg alias so it interacts with the Docker GPG container for the Frank persona.

    $ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-frank --volume $HC_LEARN_LAB/frank:/root/.gnupg vladgh/gpg"

  2. Create the GPG configuration for Frank.

    $ cat > "$HC_LEARN_LAB"/frank/frank_key.conf << EOF
%echo Generating a basic OpenPGP key for Frank
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: Frank
Name-Comment: Frank is a Vault PGP user
Name-Email: frank@example.com
Expire-Date: 1
Passphrase: capitol-wasting-darwinism-surcharge
%commit
%echo done
EOF

  3. Generate the key for Frank.

    $ gpg --full-gen-key --batch /root/.gnupg/frank_key.conf

    Example expected output:

    gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: Generating a basic OpenPGP key for Frank
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/4B6324B4C2AE1ED061075BB56D3AEFA0E11E803D.rev'
gpg: done

  4. Export the public key for Frank into the file $HC_LEARN_LAB/frank/frank_key.pub.

    $ gpg --output /root/.gnupg/frank_key.pub --export frank@example.com

    This command is expected to produce no output.

Some of the steps later require base64-encoded versions of the persona's GPG public keys. Before proceeding, create a base64-encoded version of each persona's GPG public key.

You can complete this step as the Alice persona.

$ for persona in alice bob carol dan frank; do \
      cat "$HC_LEARN_LAB"/"$persona"/"$persona"_key.pub \
      | base64 > "$HC_LEARN_LAB"/"$persona"/"$persona"_key_base64.pub;
      done

Now that you've generated all of the GPG keys, you can use them to initialize, unseal, and rekey Vault.

Initialize Vault with public keys

Initialize Vault with the 5 GPG public keys specified to encrypt the key shares, and Carol's GPG public key to encrypt the initial root token value. Write the initialization output to the file "$HC_LEARN_LAB"/vault_init_output.txt.

$ vault operator init -pgp-keys "$HC_LEARN_LAB/alice/alice_key.pub,$HC_LEARN_LAB/bob/bob_key.pub,$HC_LEARN_LAB/carol/carol_key.pub,$HC_LEARN_LAB/dan/dan_key.pub,$HC_LEARN_LAB/frank/frank_key.pub" -root-token-pgp-key "$HC_LEARN_LAB/alice/alice_key.pub" > "$HC_LEARN_LAB"/vault_init_output.txt

This command is expected to produce no output, but you can list the file contents if you want to verify.

$ cat "$HC_LEARN_LAB"/vault_init_output.txt

Example expected output:

Unseal Key 1: wcFMA7NpuNG2vp+sARAAjP/ddU9tNliX32nLSqfGjFsoD0hVwIFPRyBZJIoREX1gb3vcmeosFHvT4sJjE63q0JB776epNjxevj3X3sqPV3h+0groThnzdSQhluwYOVY532I42B3ffKdAY4MMeH1izCLvBzP5ZT2plPlcHKhbem47/gnp9ndbhXntBYGSBvnCa50zPDZ60pnG6BQ6rV+VlM5lYLOc/kfnmthrC1UQm1tuBOpHdPsYfh/FwlraKnLl0XUkLNfWdw3Pd17bdCLYqU/AeYS+ae5Hbk5d1MTvUhxRsjearE7J/iDgjjNUpi8qMBjrrzd3Lj2lMyYb8iE+IUFi+y1ZyhfMDX7QTIVlkjq5cl3MTUfk6yckbsEngkeWKA4IjlUjlDFMqty9m9IDBVt6WUl7LF2S15duS9gAgBP3dSxYP/xXrJuSaiCv07IzLSP4r08VPueyemMBwo8ODTZk3Cz8GXQPB+TX21KcJ/nWRZPKTxrIIqKSJsVnaRkeAXd5dYXA0pvdPvf4EuPgq/f/SnJJUOvJ8x2dEtBlc8FiXWgkh+NERSdFFHZ78TtLciEd4+046CED6vj+LypFo2GBqCX99Iaw9lSo4dhXIa53QOllZJ58XQ0u0wOct75aaFjGDdFa/wcwSoOohu02zTz5i/pJ5rmp8AbbEN0GLmuuPZRZIdUxPPc4WpwQ7tXScwGAVMpRpu6oaLK7uaTQ3qA3+k9DqFT2uHw7u0qmTSQmTmexrC/JbtnAVdMmATItHsCCxLLIPd/R5xNHeMEFkw99neGSJ5K98k7o5BVZfvgJoaig3fGoW3uO5lNVaocO0UgCiXHRJTcwJix+S6Qie4jJCbg=
Unseal Key 2: wcFMAw4Dy3YtKW8nARAAnk1TvAJZ7Ve2N00c1krxxxXWXP/h7cbO66sfIBeBycCWhFK/kxzEMIOonlZwshCa9ZxL9LEITKuS7VdWoMWocNC0dz3pK/j8eb61cZii98STNbZJW8bKV1AQu5sKNd9FMyMcU8QUZ/dto+azemF2Ro82HI3pu4gHmK4bC2gWwaF01N7Xh9UcTOSOiuAXq1uP3B1UZpocfqIaxTgv7fZjoPasmcoPHX3wf5YiRpWy4FS9Yl+19tiYy+8TQ4pFmrR/18+y6CUhmwyS9MFCzMuw16M+7vnBvzeMsvvFYczq1/R3ygqz6BakT+noNp9XO2C0V37BE8rxatUb5dY7FwRrJ8IKCfR0IMxjUB9inI3HZL62gUEosC/tj9+RZhDcubTMN/pV3dIW6LF+C4HK4FzvKYPKyyEjIxRtjSXSQR3k+60MrM9Lq1DXmUR4vfNP1PWg9hlYUcypx+A//zCmVbZ9KEcIYqQ47F1dlS2sCk5Jefk8pB6+ZG1beT+sCNP7WhGU8v5Wj9GAglsi/PglQVIPQX6wvzgOhxj+MZxhF6bMwxHw6/k/K3rrWHqfaTN1lbfu58hkmhxTOT702PS7CSfDbtCHhhtji7yohwmmz0c01AFQJm5O53umOML99gHXUoZzegPkKYbj7o7AZ3SIvAvssevIoMZE1XG1/Qq0ffU2F4LScwGFN1JTmk11rLkqe8egWwxBQseZv8KxYArZRSMhp7xrISoAeUzBl1vAEHfddUqj0vdAUCKX7FePQVbnukS0qtaEKLtTMHkU5WfjKfVxb7Gtd//Hey2WBrD/UR7o5VY3GkzKkF35Dm25bpDLzD1CSlz5LY4=
Unseal Key 3: wcFMA8d6pxB9YmVGAQ/+N3RTigxf2cv0BP02qYgrztsA+ZaYLq/EIOgE3C6RvWwuhdkQ+qtuIr1i3bZbioWWCl8nHbLLWp49zTJsUpWYFCVyodeRywIWIhFG++JrZf2I4oX4NcKqSpk4404v2mpQUgFnI7WyccCgaWtrRFkT94s0ooiDp0cloX96YfRsC+s1tDOMJdOGCfQfzOSGCtjtpCRVplD0hOEd4+Mfyk16SspegQXGwikOQze/sQOgZlGvNMtV0rFZFTEXdFr98UQw4Hg13nrffydNc4Qa5Z6WQIs5AUewBHW8rmlw3bmnVuYrOvWgABE9/DbeW1K6Jl5y8Pxc8maGZQciYxv1jDyXCm188NS7RE+GwW879Fxub6F405W9sQJbB6b4Wphhk9oybWMSMZNBy95mfHTBaOCFsIPfF0Mb9O8khoTHd6DAw1mbeWByhjXGIF53FVs8H+ifEj80qipllZpqKWIg0bhJLw+qDhL4kYAFKV01N+cYzdeiEMqrNG0OiQ2LgJKquMplkuqT/B3mIRZt2daO5UU9smp6YdNk18phvOeJnInWe7plj205NlEXY5IR8CFXmhnNgKKyIbxl5ij6tCsa+DYcAmOfVGeHhbdhXzztuYN6FD1uncG1eo0jKgjmxPnZoNmTCDk2VTTW5MqUutabeLRAtAQUXLiqSvfGefvb2Y5iKXLScwG4Y2wkPP8rITaJMlifz5FXzXWLkD/xiDTthWGYRhmId6TYcV5AeG3koHmCcWhG/xxtatvsXsLT18Ki50SdL1wFr4sGw5Wu+OWv7EqtPmN5tUJDJqacS28sKD4eWhnkokgkEvQGWUG/4nRlmkb8N0kg8r0=
Unseal Key 4: wcFMA4lyDC6UCT1HAQ//b2ZUUBw8vlur3J++zxMVsKUtFpJy0xD0cY1X/6yDOlxHpnMexMKYazebPKxoulmZZ3eh7IghCvV2hOvhUPgh+BdlWnz/5w4bXF9G6An/7kG/ILvcZD4+pwr6CGf0LNr7pQWgdTzxd10XhvUgJdmd3O6i9GVAnc8gFscbjxt+vOrUvjfaMvqCnHHIEybChctryiDdDH+BMgE7mdIUHJMAWkqsl86xWoXBhOPruQEiQ13wI63rxxMaC6aXOAkJ5ezvtuyuQ1YohxnS7giTEw0vBjOwZSd8URmIaud0b6Q0RJOIkjjUkXXDOT7dMSUD7i8mwBnwrdFb//2DhjC6/JoOkrPbQzaMvoq8r66hM/eBD3SieDSyDrYtMzeV5aQhfPyZpv7Meg/yOcesP1Dy5vdhXROcAi08k0+Zl/vUvTs/gQIhrm//GJEzrx9QZSKi3yAJUCAzW/ResK4APhfjRzOxFwLFbqx1W7AvC73DUaVl0LY7jb4uiIM4791HqPefFaZRT9B9mrrb1rEMIW7HB+R1eX+/+ahxmX/2stfBfqSeIIFcWCLznfrpRqIVeL3og6fS9kmAn7ojCfBoF4hEBqqDaR942P9XkJ0okzv3Cc+hlP5OknV1wDXtUhJ8TbdBUDOhhpUf1a5azybdwa0T2J3tPeSHUqcnhjTmMWxiT2KggCTScwFRo1EIOVIPwgn8SN0mJ8PBeZgXTriU1NED3/xEs/zzUxv7K6uNeahdOcYXqZJAplPfFY/PeiGZqePdyICzApuuwbyXm1hM8yDXV2jXz1mSn33ycyJd4CrBcPEnNRvDjdQXnthyMtlwxwBNgrUOJxP6ELY=
Unseal Key 5: wcFMA0eb9Y4KFLbTARAAz8w8bePJ6D2txcwQ6Rse5rIss//tfsItTvQpVHCWZKjoYYt5ftLwnzEStIWC2mxI74tjujl7rNxJ+vuek7l/P6gGqF44yCmq7lRF35tNDPsLbf7lqGPnjqJgrQby56RYfm4qHYNB5XW4CkkUuXpHYtp850/1p6vhjHrgrIfJs0wwOIuEB+yJDlQiq5wOLe0+L2U0fM/zbUK9z9SnMrHROYXXXvUpMqe9stTpl8UQMZY1HNsOqo+ZRvF6YpaS5hAa/v9WnefRMzr/7ItrxgTKhMspuIjb9lTKImZdLXKjHWg9AP8CBRDLfqEibyAZLPd3xbV5kUwgpHsVvRZXc+H7DdR5fvBfKVO5+oft7PEhV7c74v6z9NFrRFwAiOp03mw14Gom40zdrDdmiVfc43I7nrPWGxbVrINkzUsesDCII1j/9rxw+XdHdVhTWKJ7UDsZFivdVHI/5qrEZvcEqB25AXHCYerAJ3jgOilv9ZH0Y1IxaUiw3EQxgZvsfUGUABE6NZY4j/p1yNxF5/utYUj4PpqP/AKaSuqfM+wuLaGZK3A0MpYfTxNbtqXqWbvK37NUH8JQpG5+h4KP7dK7SorhU9q1IaVmiAT72N6cE5tQcyt2Z1I1cxawB2w6BLOGV7vmHUH99V9OhgWMpI6YNL/EoxvvWXwj9FzkhN9PjjSMbiHScwE+ahzP6X+PUm4vIPzy2+Ph2e1/DewVT4s6/6nMlE6TNJHtV4LnCbPFF1rJUI/Nx4CoRUgyL9rmKUuj4GA+xvvNzkO7wVOFPp+YaLzVfCPX5e1fdf1B7b0CI7lKRQOSGv7AjeU4qw7I4GoFqcuiN8FYhRg=

Initial Root Token: wcFMA7NpuNG2vp+sAQ//c75x1o+Zqr/gDxvMhKsnI5+MH765KnlMN2wwPN9YkSAksb4jFll3Xshgo+J7hJ7BO2wxA1rHuWT0OVMkUlLhkCV8LJib3d//iC73c5s1DBFbJoQKXy/LlV4B3XZ+/QQ2vskDdhZNugU+Mml7s9poI/zMhKXlp7oaKgyC9lDVbelgJu5YDarm1cjGBO6RPTOKhsJ9e4zzEs+5uwlhDrczxIT36SMAq8uQjR/Vxqpl9WszVpwIPFVlWMWVqL5EN4DtugpKrLt/uoGaGXOYUgJ+HaguarCx/HbHY8bThKIGx1xYNgsF5tJlfrINfiNQh9h1zNOTQ77/P8uNOpfQM+EGNUQzEnY7PWTVTBODrNrqfKaWsZDhZgu0TqKeVwZoHHMF2ixciUKX8Z3BdX91ihJyh47LaXyhTbgrLMS9fIh17fW53vDoZFVnXa/EAkRgPuYj/Crsnv5GrEUsTBGTU4Cp0OP75YGfK7HLM4nut/Sq1c/ZppD/42ZbYGvPYywwVNdUHxASop8m1D5kiBV9Gcv0Fgg8/6sj2157UCMWoTDvAr7p5ZBCcMLz1DziZXmIf3r0nR5BQ1gz5VlgTLxqebx9PE5Kktggn1snPNpylViPVtGT83E5uON1f8lyO2j4p0w3dlR59vSEVm7viugbsdqLrOcgiTec13TwAyovJJe+MqPSTQE/fIBrsni0mHIMKdPV0jrfKp4jX0uAIROtFoLCPKXSf1OK2Mnodb0V0pFksH0GjSaceizcd0P4ZRv/fb7LKRStnBZMyclx7ixv2mGO

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

The initialization output shows base64-encoded and encrypted unseal key and initial root token values.

Unseal Vault with encrypted key shares

Diagram describing unsealing Vault with encrypted key shares using the CLI

You initialized Vault, and it output the GPG encrypted unseal key shares and initial root token value.

Now you can use the encrypted key shares for Alice, Carol, and Dan to unseal Vault.

Your workflow for each encrypted unseal key is to use Base64 for decoding the Vault output value, then GPG to decrypt that decoded value. The result is an unseal key share that you can pass to Vault for rekeying or unsealing.

Tip

For the examples in this tutorial, the following passphrases are used. You need these passphrases to decrypt each of the key shares used in the following examples.

  • Alice: recede-yard-unwilling-shrouded
  • Bob: giggle-suing-starring-sugar
  • Carol: unnerving-appealing-primarily-overload
  • Dan: shawl-stem-elective-stoop
  • Frank: capitol-wasting-darwinism-surcharge

  1. Vault returned Alice's encrypted key share as the value of Unseal Key 1: when you initialized it. To make the unseal key data available for decryption, you can base64 decode it and write it to the file $HC_LEARN_LAB/alice/alice_unseal_key.dat, which gets mapped to /root/.gnupg/alice_unseal_key.dat in the GPG Docker container.

    $ grep 'Unseal Key 1' "$HC_LEARN_LAB/vault_init_output.txt" \
    | awk '{print $NF}' \
    | base64 --decode > "$HC_LEARN_LAB"/alice/alice_unseal_key.dat

  1. Carol's encrypted key share is the value of Unseal Key 3:. Base64 decode it, and write it to the file $HC_LEARN_LAB/carol/carol_unseal_key.dat, which gets mapped to /root/.gnupg/carol_unseal_key.dat in the GPG Docker container.

    $ grep 'Unseal Key 3' "$HC_LEARN_LAB/vault_init_output.txt" \
    | awk '{print $NF}' \
    | base64 --decode > "$HC_LEARN_LAB"/carol/carol_unseal_key.dat

  2. Dan's encrypted key share is the value of Unseal Key 4:. Base64 decode it, and write it to the file $HC_LEARN_LAB/dan/dan_unseal_key.dat, which gets mapped to /root/.gnupg/dan_unseal_key.dat in the GPG Docker container.

    $ grep 'Unseal Key 4' "$HC_LEARN_LAB/vault_init_output.txt" \
    | awk '{print $NF}' \
    | base64 --decode > "$HC_LEARN_LAB"/dan/dan_unseal_key.dat

  3. Define a shell alias gpg that interacts with the Docker GPG container for the Alice persona. For the purpose of this tutorial, you can pass in Alice's GPG key passphrase with the --passphrase flag.

    $ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg --passphrase=recede-yard-unwilling-shrouded --pinentry-mode=loopback"

  4. As the Alice persona, begin the unseal operation by decrypting the encrypted unseal key with GPG, and then passing it to Vault.

    $ vault operator unseal $(gpg --decrypt /root/.gnupg/alice_unseal_key.dat)

    Example expected output:

    gpg: encrypted with 4096-bit RSA key, ID 91002A8F909C6714, created 2023-04-17
      "Alice (Alice is a Vault PGP user) <alice@example.com>"
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       fd60be59-ccb0-7789-8f11-a7d52cff410d
Version            1.13.2
Build Date         2023-04-25T13:02:50Z
Storage Type       raft
HA Enabled         true

  5. Update the gpg alias so that it interacts with the Docker GPG container for the Carol persona. For the purpose of this tutorial, you can pass in Carol's GPG key passphrase with the --passphrase flag.

    $ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-carol --volume $HC_LEARN_LAB/carol:/root/.gnupg vladgh/gpg --passphrase=unnerving-appealing-primarily-overload --pinentry-mode=loopback"

  6. As the Carol persona, continue the unseal workflow by decrypting the encrypted unseal key with GPG, and then passing it to Vault.

    $ vault operator unseal $(gpg --decrypt /root/.gnupg/carol_unseal_key.dat)

    Example expected output:

    gpg: encrypted with 4096-bit RSA key, ID C8DFC373E8AC8E61, created 2023-04-17
      "Carol (Carol is a Vault PGP user) <carol@example.com>"
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       fd60be59-ccb0-7789-8f11-a7d52cff410d
Version            1.13.2
Build Date         2023-04-25T13:02:50Z
Storage Type       raft
HA Enabled         true

  7. Update the gpg alias so that it interacts with the Docker GPG container for the Dan persona. For the purpose of this tutorial, you can pass in Dan's GPG key passphrase with the --passphrase flag.

    $ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-dan --volume $HC_LEARN_LAB/dan:/root/.gnupg vladgh/gpg --passphrase=shawl-stem-elective-stoop --pinentry-mode=loopback"

  8. As the Dan persona, continue the unseal workflow by decrypting the encrypted unseal key with GPG, and then passing it to Vault.

    $ vault operator unseal $(gpg --decrypt /root/.gnupg/dan_unseal_key.dat)

    Example expected output:

    gpg: encrypted with 4096-bit RSA key, ID 6ED85F446B6FAA27, created 2023-04-17
      "Dan (Dan is a Vault PGP user) <dan@example.com>"
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
Threshold               3
Version                 1.13.2
Build Date              2023-04-25T13:02:50Z
Storage Type            raft
Cluster Name            vault-cluster-ae243d4d
Cluster ID              51ae1a01-6ebd-1f6e-ade0-312c644278a1
HA Enabled              true
HA Cluster              n/a
HA Mode                 standby
Active Node Address     <none>
Raft Committed Index    31
Raft Applied Index      31

You've unsealed the Vault server with GPG encrypted unseal key shares. You also decrypted the encrypted initial root token value and used it to sin into the Vault UI.

In the next section, you'll learn how to rekey Vault with encrypted key shares.

Rekey Vault with encrypted key shares

Now that you've experienced unsealing Vault with encrypted key shares, you're ready to try rekeying Vault with those same encrypted key shares.

Rekeying Vault requires a token with capabilities to POST against the /sys/rekey/ API endpoints. In this tutorial, you'll use the initial root token value for this token.

Perform these steps as the Alice persona.

  1. Update the gpg alias so that it interacts with the Docker GPG container for the Alice persona. 

    $ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg --passphrase=recede-yard-unwilling-shrouded --pinentry-mode=loopback"

  2. Base64 decode the initial root token value, and write it to the file $HC_LEARN_LAB/alice/initial_root_token.dat, which gets mapped to /root/.gnupg/initial_root_token.dat in the GPG Docker container.

    $ grep 'Initial Root Token' "$HC_LEARN_LAB/vault_init_output.txt" \
    | awk '{print $NF}' \
    | base64 --decode > "$HC_LEARN_LAB"/alice/initial_root_token.dat

  3. Decrypt the encrypted initial root token value and export the result as the VAULT_TOKEN environment variable.

    $ export VAULT_TOKEN=$(gpg --decrypt /root/.gnupg/initial_root_token.dat)

    Expected example output:

    gpg: encrypted with 4096-bit RSA key, ID C814FA5A4887B4BC, created 2023-05-03
   "Alice (Alice is a Vault PGP user) <alice@example.com>"

  4. Start the rekey workflow. Use the -backup option to save the encrypted keys in Vault's core so if they are lost, you can still recover.

    $ vault operator rekey \
    -init \
    -backup \
    -key-shares=5 \
    -key-threshold=3 \
    -pgp-keys "$HC_LEARN_LAB/alice/alice_key_base64.pub,$HC_LEARN_LAB/bob/bob_key_base64.pub,$HC_LEARN_LAB/carol/carol_key_base64.pub,$HC_LEARN_LAB/dan/dan_key_base64.pub,$HC_LEARN_LAB/frank/frank_key_base64.pub"

    Example expected output:

    Key                      Value
---                      -----
Nonce                    216100bc-fa97-6ce6-dacd-e774a2635175
Started                  true
Rekey Progress           0/3
New Shares               5
New Threshold            3
Verification Required    false
PGP Fingerprints         [4f00b90c33fc6a47de9a4285fc43d002393b1f85 257fc6c27bdb928f101761cca5a489753448f1bd 3215732ef11181a20a742dfd8864f87b373ebdc0 93a9c4a954ae96b116696378f113d94f46774c5b eed03eb4be75d8657d2abb710aaa36867906299f]
Backup                   true

  5. Store the returned nonce value in an environment variable.

    Example:

    $ export REKEY_NONCE="216100bc-fa97-6ce6-dacd-e774a2635175"

    Where 216100bc-fa97-6ce6-dacd-e774a2635175 is the nonce value returned to you.

  6. Each of the 3 personas holding a quorum of key shares must now submit their decrypted key share. As the Alice persona, execute the rekey command to submit Alice's unseal key share.

    $ vault operator rekey \
    -nonce $REKEY_NONCE \
    $(gpg --decrypt /root/.gnupg/alice_unseal_key.dat)

    Example expected output:

    gpg: encrypted with 4096-bit RSA key, ID 4819B20CE84021D4, created 2023-05-04
      "Alice (Alice is a Vault PGP user) <alice@example.com>"
Key                      Value
---                      -----
Nonce                    216100bc-fa97-6ce6-dacd-e774a2635175
Started                  true
Rekey Progress           1/3
New Shares               5
New Threshold            3
Verification Required    false
PGP Fingerprints         [4f00b90c33fc6a47de9a4285fc43d002393b1f85 257fc6c27bdb928f101761cca5a489753448f1bd 3215732ef11181a20a742dfd8864f87b373ebdc0 93a9c4a954ae96b116696378f113d94f46774c5b eed03eb4be75d8657d2abb710aaa36867906299f]
Backup                   true

    The Rekey Progress now shows 1/3.

Perform these steps as the Carol persona.

  1. Update the gpg alias so that it interacts with the Docker GPG container for the Carol persona. 

    $ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-carol --volume $HC_LEARN_LAB/carol:/root/.gnupg vladgh/gpg --passphrase=unnerving-appealing-primarily-overload --pinentry-mode=loopback"

  2. Execute the rekey command to submit Alice's unseal key share.

    $ vault operator rekey \
      -nonce $REKEY_NONCE \
      $(gpg --decrypt /root/.gnupg/carol_unseal_key.dat)

    Example expected output:

    gpg: encrypted with 4096-bit RSA key, ID 01BE679ED28EE728, created 2023-05-04
      "Carol (Carol is a Vault PGP user) <carol@example.com>"
Key                      Value
---                      -----
Nonce                    216100bc-fa97-6ce6-dacd-e774a2635175
Started                  true
Rekey Progress           2/3
New Shares               5
New Threshold            3
Verification Required    false
PGP Fingerprints         [4f00b90c33fc6a47de9a4285fc43d002393b1f85 257fc6c27bdb928f101761cca5a489753448f1bd 3215732ef11181a20a742dfd8864f87b373ebdc0 93a9c4a954ae96b116696378f113d94f46774c5b eed03eb4be75d8657d2abb710aaa36867906299f]
Backup                   true

    The Rekey Progress now shows 2/3.

Perform these steps as the Dan persona.

  1. Update the gpg alias so that it interacts with the Docker GPG container for the Dan persona.

    $ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-dan --volume $HC_LEARN_LAB/dan:/root/.gnupg vladgh/gpg --passphrase=shawl-stem-elective-stoop --pinentry-mode=loopback"

  2. Execute the rekey command to submit Alice's unseal key share.

    $ vault operator rekey \
      -nonce $REKEY_NONCE \
      $(gpg --decrypt /root/.gnupg/dan_unseal_key.dat)

    Example expected output:

    gpg: encrypted with 4096-bit RSA key, ID CBA9F148AAEB2F20, created 2023-05-04
      "Dan (Dan is a Vault PGP user) <dan@example.com>"

Key 1 fingerprint: 4f00b90c33fc6a47de9a4285fc43d002393b1f85; value: wcFMA0gZsgzoQCHUARAAmOv3d8GxgPdgZllTa+KT9NTmcvWf8omNkRcJDwHoEiB21qqFMKy6273JyUlGdomygWTpLfTHOfCLGF7IXDaPuTdwurw/mXkMpiS9xBUNjkvXJ2EyIEACh7rRIaTq3+IGSrae5MeaOmmQl9FEx9J0RvCajfuIY6hrtUn9FoIFD7Okq3Jq0QJJftHuLovxzOQEOjw6Qtk7M4eTg8dQDgWljti2LLBDCCDY9YRTzv1Zf7ptfuGc3LVOldt/HaE9JvUsRgnWzNDlGLvLWGG37SFCRNJTuDuoEs7ki9mJYLPx1LxL+wHta+s4d9mpYxOS+XdQn1ETRhbHhDFJD8bYaH+f0U47MjnCWGhHQmbLlhZrDegXlQK4mKePBY6BHz2a3Vc4jSRLtNq4XcZb1KTKT5HekclsqffggNHQakGYC/u9/aHVGIffYvEKGTTXng3TpYrEVC9YlaNBo6gXYxW+bYygieOxrg+X1sEKOjemtIvurIBjomTU5Z5qZgI10XsL3IuuTAR7fIuPBK/m/vtleuFdKvCQgfmjAxWtxlK18FF5ovORO3A5878WjR8KYQnUWTt1AahSTXyW+4f84cFXs4C8gi6zaet9NILyD7zXYIxfSdpj4PC8oVGkdjLOz58CfAg1f0T16AdNNW4oquNS4E0ewen27V7Bp5NybcK9tOuGXR3ScwH0D3yiFiwJPga8gQvtFq+fAhVMwCKCr0xYP3X3+/O+mbEAQMeLuxD8bEMEIVZ7DGtmP66FOg378pKiBhjTX7S3VOcjbUAaLzf2JqaG4b7PMtmPSHKALtapN77VG2SguEKjd6xOtaCEtWiRGRJs4+DqipU=
Key 2 fingerprint: 257fc6c27bdb928f101761cca5a489753448f1bd; value: wcFMA8T3p2AFsDorAQ//TyzgY8dcvG6YgZ9H7uolN7SuTnS4p7jBcIkP3XU0N7dfqU9dcwYI9YZ0F6Dxg4HH4Sd24ZZ4H1xcFaJ4AF8AXgnwdXPeuqugn6x0xZH3paTwABwyexYddQxhbe62pVb60TbgVurNjPpOwz/jU39SBsToWtql2LVDyZ4yM5cNmWfzPs6qpgcNuVmuDoUojXwzZjmg46UOhxIcrgG/+dnG84kB5YL4j9UBEemC8NTWXoY0HD5k4MkuaLuuOdBrQGozn5m4M5h0BLP+D2XUchLcvs50GjgCbbaE9MMoU6l4NMmMA1fGl63UhyJb9miv4PWSs7NfX2K/qm/lbyLvSDEq+ZEFqkuSsreNvxQ5ktFp0STEf0xwO36C+eOCJz6DC1MI1SAQX4jMCOBV8xU9XBDvnjXNpn0eXZQx0fIvu/3CzxjWx1uVf1i9FZpd+J2DVa8EIZF8idrlPQ+cl7QSCboi0q1tp1f6XYLoPK+9GvaWruUGPCSMN1qBXr4lWvNFv9txPC8gsnxSyDcTTNF1vg35ZiXie04OuUQqMy3GJYp8D9B22szX7O23jb8KOZF5DtmO1od3GXClVx7K7t01yYCir/TTX+zl7WfB6YNqky3xVb0rQHx8eru0duUOmoW5B532mZ3ul/AlGJOhuY0Ip3lAj/nhcvcVNPfrQoTRYgiaTSvScwGm02X0FVO+naJniuYZY0f5UATHaScP9D6IyiUrdTUuzoUcMfqM9jLCKoT4SA33lV5xbgCrYZbx5pz2D6/pJk+XtbsJGDHkqO5QXH4vGQCLdbqLSG+rm2iQnC3OB2NwiyWgAAR6KzDr//hefYt9FXn482k=
Key 3 fingerprint: 3215732ef11181a20a742dfd8864f87b373ebdc0; value: wcFMAwG+Z57SjucoAQ/+J18Dnjx7s5GU9Ft2EOFBV7CsxSP7obsyltP3Q12EVTDcDmHhvTW4yUqP6l6Jccb7R5LFWwTc9YDxlDFXGGEPocI1IP8K0Bg4DjXztHdeV7gZU+RWisaCryNbXB2H2drIORRr0/Q75P3P0c0hg8ceBCJjyxiDLaCMXjlLhpqTH+ototkOBoMWRzoOsyzPv2DPIdJlyZ+JsmAjGwnL3AOjt9uTgLBtnICioWOZVIduX28rutDpPxn3a6XNn6uk4dTjf2tQ43QXpAp8KaisnvyYoKiscerD89gm0NjXMd1K8Ap1v676AtJsSTZgOCzfv6av1h5iLV4/gEP3RgHQm2g+z+IoIphiRnrCzbN+QFKzud5gZtuJJyj0YxCGsgl5p/toM71jIqrw+V8CQ4ciOOMa6H3BetjqDTnddvTdG2QT3IJQOaim3eVVqWTDAu7xKLvtTmFP9pvAI96vB9OVAx5yl3CHLV18olmM9SD5Ji5VGF5rTr8RBBKJwjlrtIei2lUgHvkiw/1jxTYkIc3X8LqJidtUd/ULfsQx3v58KdwNy2iT/GrGUiiKHcZijjQnBRzI/27gV1utQCOwucSygBdCb6pI1mx/F9MaDioW3pKwMhz0SbCbc1EMycOsIj1oaKQ4NnYcq6Apm5eJ12cgqfKZuawIdnZFkD0dZ5xj02JKWpbScwHPbCYLRKRyTS+XIvj8B1RQkXU7m8p+erYukix+wDI0YGZiAnNxo+qp7s7KxUPpVdGCmepCA5/CcUuGMUshIXafJZ1PpBq9A73rJt0J3YmCgl4UlLUDdY43RIUhqYQ3N4BypPd+VYhV4Nt3hJjQmgpgwwc=
Key 4 fingerprint: 93a9c4a954ae96b116696378f113d94f46774c5b; value: wcFMA8up8Uiq6y8gARAAs5FUHgZ4dDsMrnQFclNGel/krwYd8H3cm/sbpGKZrc264tMOJdlDhVXmpJ43nvM7tWDwm9OfR3QFhGZeme0vBbCSm7QAn61yvTKo27XgJR5tmJYsjqdM+W2wjwFvrlmelvlb2f3qvl3JMexaNp1hL8l9O/c0ojnDq2v51ZHC4bJsDdq9ffsYx2C0fWRpz5ETLEDKkbTmPMITMKp0Heuf2pOfNoAVwb67TRT+hot6bTUByS1yA/8RetuTt5c/HhcvxVD+BORofamq0NVXZsydr2KOxhGqE8J+K8orL/fFQ1h/j8DeED1ma+pykVtac4zziuXLHtjpoBK/1WChZ2PX2CiJt4nw4GQL6rls1lk7k+ysntXU6LmoRMw6huryiFqCCLxGe9RzZSsagJIMBo59WeFrPH6kA/TvzmJiOTA+n2q4q2i4TnVVX+0ijBLEvr7ockIb/mctEAsMd60comdh1EB8uRlpfBYdzf8LKcyei+0vDZ3hstTHQxgG4Nt516T4TlaDeFukNU4O1yXVUximf9lBMDDdJAbckaU5d/990MOJDqSlJnkBMWoGW2kVpUFOKjOSvAhbFPAFvf4VEtVX7l61ybKNatiZiHzaKyJRllEcturJcuZDhkJ1h3w9WrPI+N198cfFnS1Jce3XuiQrjZJb46w7KdDfpvT+/6/4ehXScwGfRX5hfLzBpumOLLtQ3xqPi5d0nRpua6XDOGm6rEeSrj5E6pTm5VYHiU67hLi3Za97U0L6rfMFNtyMhUgg0xU8Qcev4CbD54bVWG6uiyEfnspieRLGspIo/FtpCD5sB/z3bEZX3Uh1v6RXXQEUeP7Xa8s=
Key 5 fingerprint: eed03eb4be75d8657d2abb710aaa36867906299f; value: wcFMAxlo+iLMDjOcARAAm1TXdjvDIxJvQAI+fdNMfU9Y5129KB4rRMmZfNls19L4nbzOZ4Mhwpx6ezaUREcXJAGW2cIxonjPBA3n928vfrr+VzKrVB+g6WswERvgm62FFIXBpGkkDCZV5aCvQRJktBAXGlXXaq3rbPeNgLoh0DGHRUpk93Z9SVypQF3iWMVyI1Zuk7HR3RxYz0/0ByOsrnKcvyMD7CgDnjMCIhPTh0+aaND9C7jb6svLtPPZEAsnXcXWUS8eV4OlcjB6tSpPoddg+8GIia2X/ghqXYbAKPB3ZVGlDgo05isFBUPkt6U6IsXqTzPmq0pBDLMXzG9YM/JoKIxWye9vk5YG6TbxfMvKNHOryQUqjC0uG2PbsUGnBxYx7ABAyJ7WLVib3oqiSMeKzTiJlQ9e+Slwupvclaf0JwtAEWyLGO3EsWh5VbAT85JhhuXbNsIlJuMUHDl5GjImcBmtJdd0G2hePuP08UfxmbU4vH1bsIs9EsafxyfJfTZRjVKFjSsb46el+/4WgyuowuUH40bGwHie0v36DA1stFR6Q1B8ewbnMEO/IFvarfKwt8evShRn/Io/UxjNf9EoP4//Sf1eonETw/1TnxWvxJMUKAA04FkmolVvFlpVN84V47wHaKjPX0wFoz2SCiYPiXMV1epVqbyfSLxMcBSeJx0hFKJhMLCcEi6a7l/ScwG2yGo9FSeC+uMykiEeHm65wHSdjxTc7k2Dh0KVjYp5rqJTUSCSkBfM7oMpPpZezZLN1P2CmQ+WrMNHoV622M39P/PmI1jpMLcp8DDPXaGjdeJKVvA5J42ELlanWhrbLDxLEZHWkZ19F/12xTpMACWnNwE=

Operation nonce: 216100bc-fa97-6ce6-dacd-e774a2635175

The encrypted unseal keys are backed up to "core/unseal-keys-backup" in the
storage backend. Remove these keys at any time using "vault operator rekey
-backup-delete". Vault does not automatically remove these keys.

Vault unseal keys rekeyed with 5 key shares and a key threshold of 3. Please
securely distribute the key shares printed above. When Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

You have rekeyed Vault with encrypted key shares using the CLI. Vault returns the new base64-encoded and encrypted key shares. It also makes a backup of the keys, and stores them in Vault storage.

Next steps

You can learn more about Vault seals in the Vault Architecture and Seal/Unseal documentation.

If you'd like to learn about automatically unsealing Vault with cloud based seals, a hardware security module (HSM), or the Vault Transit secrets engine, review the Vault seal configuration documentation.

Cleanup

  1. Stop the Vault Docker container (Docker removes it automatically).

    $ docker stop learn-vault

  2. Remove the Docker network.

    $ docker network rm learn-vault

  3. Remove the hands-on lab directory.

    $ rm -rf "$HC_LEARN_LAB"

  4. Unset the gpg alias.

    $ unalias gpg

  5. Unset the environment variables.

    $ unset HC_LEARN_LAB VAULT_TOKEN VAULT_ADDR REKEY_NONCE

Help and reference

Previous

Production hardening

 Next

Rekeying & rotating Vault