Introduction
The process for generating a new master key and applying Shamir's algorithm is called "rekeying".
Rekeying the Vault is a fully online operation and Vault will continue to service requests uninterrupted during this process.
For seals that support recovery keys, the recovery keys can be rekeyed by following the steps below.
Expected Outcome
Once the threshold number of existing unseal keys have been entered, one at a time, you will be provided with the requested number of new unseal keys.
Prerequisites (if applicable)
- This feature is available only for seals that support recovery keys.
- Rekeying the Vault requires a threshold number of unseal keys. Before continuing, you should ensure enough unseal key holders are available to assist with the rekeying to match the threshold configured when the keys were issued.
Use Case
In some cases, you may want to regenerate the master key and key shares. Here are a few examples:
- Someone joins or leaves the organization
- Security wants to change the number of shares or threshold of shares
- Compliance mandates the master key be rotated at a regular interval
Procedure
- Initialize the rekeying operation. The flags represent the newly desired number of keys and threshold.

    $ vault operator rekey -target=recovery -init -key-shares=3 -key-threshold=2

- This will generate a nonce value and start the rekeying process. All other unseal key holders must also provide this nonce value. This nonce value is not a secret, so it is safe to distribute over insecure channels like chat, email, or carrier pigeon.

    Key                    Value
    ---                    -----
    Nonce                  3e6e2a84-eae4-9841-b68d-29edceb39036
    Started                true
    Rekey Progress         0/3
    New Shares             3
    New Threshold          2
    Verification Required  false

- Each key holder runs the following command and enters their unseal key.

    $ vault operator rekey -target=recovery
    Rekey operation nonce: 3e6e2a84-eae4-9841-b68d-29edceb39036
    Key (will be hidden):

  Example output:

    Key                    Value
    ---                    -----
    Nonce                  3e6e2a84-eae4-9841-b68d-29edceb39036
    Started                true
    Rekey Progress         1/3
    New Shares             3
    New Threshold          2
    Verification Required  false

- Repeat the previous step for each remaining key holder to complete the rekey operation. When the final unseal key holder enters their key, Vault will output the new unseal keys.

    Key 1: EDj4NZK6z5Y9rpr+TtihTulfdHvFzXtBYQk36dmBczuQ
    Key 2: sCkM1i5BGGNDFk5GsqtVolWRPyd5mWn2eZG0gUySiCF7
    Key 3: e5DUvDIH0cPU8Q+hh1KNVkkMc9lliliPVe9u3Fzbzv38
    Operation nonce: dc1aec3b-ae67-5780-b4b5-2a10ca05b17c

    Vault rekeyed with 3 keys and a key threshold of 2. Please securely distribute the above keys. When the vault is re-sealed, restarted, or stopped, you must provide at least 2 of these keys to unseal it again. Vault does not store the master key. Without at least 2 keys, your vault will remain permanently sealed.
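What the rekey does underneath, as an added example that is neither Vault's code nor part of the original page: a toy Shamir split and combine over GF(2^8) with the AES polynomial, generating a fresh 32-byte key and splitting it with the page's parameters of 3 shares and a threshold of 2. Each share is 33 bytes (the split key plus one x-coordinate byte), which matches the 44-character base64 keys printed above; the function names are my own.

```python
import secrets

def gf_mul(a: int, b: int) -> int:  # multiply in GF(2^8) modulo the AES polynomial 0x11b
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    r = 1
    for _ in range(254):  # a^254 == a^-1, since a^255 == 1 for every non-zero a
        r = gf_mul(r, a)
    return r

def split(secret: bytes, n_shares: int, threshold: int) -> list[bytes]:
    # Per byte: random polynomial of degree threshold-1, constant term = the byte; share i = value at x=i+1, x appended last.
    if not 2 <= threshold <= n_shares <= 255:
        raise ValueError("need 2 <= threshold <= n_shares <= 255")
    out = [bytearray() for _ in range(n_shares)]
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for i, buf in enumerate(out):
            y, xp = 0, 1
            for c in coeffs:
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, i + 1)
            buf.append(y)
    return [bytes(buf) + bytes([i + 1]) for i, buf in enumerate(out)]

def combine(shares: list[bytes]) -> bytes:
    # Lagrange interpolation at x=0. Too few shares do not fail loudly: they yield a wrong key (shares carry no threshold).
    xs = [s[-1] for s in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = bytearray()
    for k in range(len(shares[0]) - 1):
        acc = 0
        for i, xi in enumerate(xs):
            num = den = 1
            for j, xj in enumerate(xs):
                if i != j:
                    num = gf_mul(num, xj)       # (0 - xj) == xj in characteristic 2
                    den = gf_mul(den, xi ^ xj)  # (xi - xj)
            acc ^= gf_mul(shares[i][k], gf_mul(num, gf_inv(den)))
        secret.append(acc)
    return bytes(secret)

def rekey(key_shares: int, key_threshold: int) -> tuple[bytes, list[bytes]]:
    key = secrets.token_bytes(32)  # fresh key; 32 bytes + 1 tag byte = 33 bytes = 44 base64 chars
    return key, split(key, key_shares, key_threshold)
```

Note that combine() with fewer than the threshold of shares returns a wrong key rather than an error, which is why the output above insists that at least 2 of the 3 keys remain available.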
Additional Information and resources: