Delete trial license from Vault Enterprise 1.8.0 or earlier

Avatar
Owen Zhang
  • Updated

In some cases, operators need to remove the trial license before moving forward with the enterprise setup. Using the delete methods via: vault delete sys/license or API curl DELETE will result in an output with * unsupported operation.

To workaround this issue start vault in recovery mode, then generate and use the recovery mode token to delete the license file from sys/raw/core, then restart the vault normally.

Versions

  • Impacts: Vault Enterprise 1.8.0 or earlier

Procedure

Stop all Vault instance and restart in recovery mode so as to remove vault trial license and thereafter once successful Vault may be relaunched in the regular manner (using SystemD or else) without the recovery parameter.

  • Use the existing HCL configuration to start Vault in recovery mode
    vault server -recovery -config=config.hcl
    ==> Vault server configuration:

               Seal Type: shamir
         Cluster Address: <https://127.0.0.1:8201>
              Go Version: go1.15.13
               Log Level: info
           Recovery Mode: true
                 Storage: raft
                 Version: Vault v1.7.3+ent
             Version Sha: 38b0180a77893a6551e0c9d4485f1fb8725734bc
  • Open a new terminal, export VAULT_ADDR 
    export VAULT_ADDR=http://127.0.0.1:8200
  • Next, generate a temporary one-time password OTP. 
    vault operator generate-root -generate-otp -recovery-token
    uTuFle5gRSqKPxnPkhXAqcKlyF
  • Next, start the generation of the recovery token with the OTP. 
    vault operator generate-root -init \
      -otp=uTuFle5gRSqKPxnPkhXAqcKlyF -recovery-token
    Nonce         6ea30625-98a4-c36e-8d70-d08c3e96aed8
    Started       true
    Progress      0/3
    Complete      false
    OTP Length    26
  • Next, create an encoded token, enter vault unseal key, repeat this process until the progress is completed; for this example, it's repeated  3 times for 3 with different unseal keys
    vault operator generate-root -recovery-token
    Operation nonce: 6ea30625-98a4-c36e-8d70-d08c3e96aed8
    Unseal Key (will be hidden):
  • After unseal, output with Encoded Token: 
    Nonce 6ea30625-98a4-c36e-8d70-d08c3e96aed8
    Started true
    Progress 3/3
    Complete true
    Encoded Token B3o4AT8xRAsZNgcENQhePVgjbhc3Gh5bSDQ
  • Finally create a recovery token by decoding the encoded token and adding otp 
    vault operator generate-root \
      -decode=B3o4AT8xRAsZNgcENQhePVgjbhc3Gh5bSDQ \
      -otp=uTuFle5gRSqKPxnPkhXAqcKlyF \
      -recovery-token
    r.MGSTqlKevOep0m3K6VFyU71r
  • Use recovery token to delete vault license from sys/raw/core/license 
    VAULT_TOKEN=r.MGSTqlKevOep0m3K6VFyU71r vault delete sys/raw/core/license
    Success! Data deleted (if it existed) at: sys/raw/core/license
  • Exit from recovery mode, login vault, and verify license status 
    vault read sys/license/status
    The trial license is now successfully removed: 
    No value found at sys/license/status

Articles in this section

See more

Related articles