operator init command initializes a Vault server. Initialization is the
process by which Vault's storage backend is prepared to receive data. Since
Vault servers share the same storage backend in HA mode, you only need to
initialize one Vault to initialize the storage backend.
During initialization, Vault generates an in-memory master key and applies Shamir's secret sharing algorithm to disassemble that master key into a configuration number of key shares such that a configurable subset of those key shares must come together to regenerate the master key. These keys are often called "unseal keys" in Vault's documentation.
This command cannot be run against already-initialized Vault cluster.
For more information on sealing and unsealing, please the seal concepts page.
Start initialization with the default options:
$ vault operator init
Initialize, but encrypt the unseal keys with pgp keys:
$ vault operator init \ -key-shares=3 \ -key-threshold=2 \ -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
Initialize Auto Unseal with a non-default threshold and number of recovery keys, and encrypt the recovery keys with pgp keys:
$ vault operator init \ -recovery-shares=7 \ -recovery-threshold=4 \ -recovery-pgp-keys="keybase:jeff,keybase:chris,keybase:brian,keybase:calvin,keybase:matthew,keybase:vishal,keybase:nick"
Encrypt the initial root token using a pgp key:
$ vault operator init -root-token-pgp-key="keybase:hashicorp"
The following flags are available in addition to the standard set of flags included on all commands.
(string: "")- Print the output in the given format. Valid formats are "table", "json", or "yaml". The default is table. This can also be specified via the
(int: 5)- Number of key shares to split the generated master key into. This is the number of "unseal keys" to generate. This is aliased as
(int: 3)- Number of key shares required to reconstruct the master key. This must be less than or equal to -key-shares. This is aliased as
(string: "...")- Comma-separated list of paths to files on disk containing public PGP keys OR a comma-separated list of Keybase usernames using the format
keybase:<username>. When supplied, the generated unseal keys will be encrypted and base64-encoded in the order specified in this list. The number of entries must match -key-shares, unless -stored-shares are used.
(string: "")- Path to a file on disk containing a binary or base64-encoded public PGP key. This can also be specified as a Keybase username using the format
keybase:<username>. When supplied, the generated root token will be encrypted and base64-encoded with the given public key.
(bool": false)- Print the current initialization status. An exit code of 0 means the Vault is already initialized. An exit code of 1 means an error occurred. An exit code of 2 means the Vault is not initialized.
(bool: false)- Perform automatic service discovery using Consul in HA mode. When all nodes in a Vault HA cluster are registered with Consul, enabling this option will trigger automatic service discovery based on the provided -consul-service value. When Consul is Vault's HA backend, this functionality is automatically enabled. Ensure the proper Consul environment variables are set (CONSUL_HTTP_ADDR, etc). When only one Vault server is discovered, it will be initialized automatically. When more than one Vault server is discovered, they will each be output for selection. The default is false.
(string: "vault")- Name of the service in Consul under which the Vault servers are registered.
»HSM and KMS Options
(string: "...")- Behaves like
-pgp-keys, but for the recovery key shares. This is only used with Auto Unseal seals (HSM, KMS and Transit seals).
(int: 5)- Number of key shares to split the recovery key into. This is only used Auto Unseal seals (HSM, KMS and Transit seals).
(int: 3)- Number of key shares required to reconstruct the recovery key. This is only used Auto Unseal seals (HSM, KMS and Transit seals).
(int: 0)- Number of unseal keys to store on an HSM. This must be equal to