Overview
This article explains how to generate a root token on a performance replication secondary cluster when using Vault Enterprise HSM (ent.hsm).
Assumptions
You must be using:
- Vault ent.hsm
- Performance replication
It is assumed that Performance Replication is already configured and that the secondary cluster is unsealed.
Generating Secondary’s Root Token
When you activate a secondary for replication, its storage is wiped clean, including its unseal key and recovery keys. During bootstrapping, it auto-unseals using the primary cluster's original unseal key.
If you want to generate a root token on a secondary replication cluster, you need to use the generate-root command:
https://www.vaultproject.io/guides/generate-root.html
For an HSM setup, the generate-root command requires the recovery keys that were returned when the primary cluster was initialized. Like the unseal key, these are replicated from the primary to the secondary, so the primary's recovery keys are the ones to supply on the secondary.
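The same procedure driven over the secondary's HTTP API, as an added example that is not part of the original article: it starts a generate-root attempt, submits the primary's recovery key shares, and decodes the returned token the way `vault operator generate-root -decode` does (unpadded base64, then XOR with the OTP). It assumes `addr` is the secondary's API address and that Vault returns a generated `otp` field when the attempt is started without one.

```python
# Added example: drives Vault's /sys/generate-root API against a performance secondary.
import base64
import json
import secrets
import string
import urllib.request

BASE62 = string.ascii_letters + string.digits

def random_otp(length):
    """Client-side OTP (base62). Its length must equal the server-reported
    otp_length, otherwise the XOR in decode_root_token cannot line up."""
    return "".join(secrets.choice(BASE62) for _ in range(length))

def vault_put(addr, path, body):
    """PUT a JSON body to the Vault API and return the parsed response."""
    req = urllib.request.Request(f"{addr}/v1/{path}", method="PUT",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def encode_root_token(token, otp):
    """Inverse of decode_root_token; only used to check the decode offline."""
    xored = bytes(a ^ b for a, b in zip(token.encode(), otp.encode()))
    return base64.b64encode(xored).decode().rstrip("=")

def decode_root_token(encoded_token, otp):
    """Recover the root token: base64-decode (padding tolerated), XOR with the OTP."""
    raw = base64.b64decode(encoded_token + "=" * (-len(encoded_token) % 4))
    if len(raw) != len(otp):
        raise ValueError("OTP length does not match the encoded token")
    return bytes(a ^ b for a, b in zip(raw, otp.encode())).decode()

def generate_root(addr, recovery_keys, otp=None):
    """Start an attempt (like -init), feed recovery key shares, decode the result.
    addr is the secondary's API address; recovery_keys are the primary's shares."""
    state = vault_put(addr, "sys/generate-root/attempt", {"otp": otp} if otp else {})
    otp = otp or state["otp"]  # assumption: server generates an OTP when none is given
    nonce = state["nonce"]     # binds every submitted share to this attempt
    for key in recovery_keys:
        state = vault_put(addr, "sys/generate-root/update", {"key": key, "nonce": nonce})
        if state["complete"]:
            return decode_root_token(state["encoded_token"], otp)
    raise RuntimeError(f"threshold not met: {state['progress']}/{state['required']}")
```

Call generate_root with the secondary's address and a list of recovery key shares that meets the threshold; it returns the plaintext root token.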