HashiCorp Vault is built with security at its core, and nowhere is that more evident than in its approach to root tokens. A root token provides full administrative access to your Vault instance, the ability to read, write, and delete any secret, change any configuration, and even destroy or reset the system. Because of this power, root tokens are also a significant security risk if they fall into the wrong hands. For that reason, best practices dictate destroying the default root token after Vault’s initial setup is complete.
However, there are still scenarios where a root token is necessary. You might need to perform an administrative recovery, rotate internal keys, enable advanced settings, or reconfigure the Vault infrastructure itself. In these cases, you’ll need to securely create a new root token.
This article walks you through the official method of generating a new root token using your unseal keys. The process involves generating a one-time password (OTP), initializing a root token generation request, providing the necessary unseal keys, and decoding the final root token. While it involves several steps, it’s designed this way to prevent unauthorized access, and once you’re finished, you should destroy the token to maintain Vault’s strong security posture.
Getting ready (Prerequisites)
Before you begin the root token generation process, there are a few critical requirements to ensure everything works smoothly and securely:
✅ What You’ll Need:
- A running Vault instance
  Make sure your Vault cluster is initialized, unsealed, and accessible from your terminal.
- Access to unseal keys
  Creating a new root token requires entering enough unseal keys to meet the Vault recovery threshold (typically 3 out of 5). If you don’t have the keys or quorum, you won’t be able to proceed.
- Vault CLI installed
  You’ll need to run several commands using the Vault CLI (vault). If you haven’t already installed it, you can download it from the official Vault downloads page.
- Authentication to Vault
  You should be authenticated to Vault as a user with sufficient privileges to initiate root token generation (this often means having access to an existing root or high-privilege token).
⚠️ Security Reminder:
The root token you create will not expire unless explicitly revoked. This makes it extremely powerful — and dangerous. Only generate a root token when absolutely necessary, and revoke it as soon as you’re done using it.
Generate a One-Time Password (OTP)
The first step in securely generating a new root token is to create a One-Time Password (OTP). This OTP is used to encrypt the new root token during the creation process, ensuring it remains secure even if intercepted.
Step-by-Step: Generate the OTP
Run the following command from your terminal:
vault operator generate-root -genotp
This command will output a base64-encoded OTP string, which you’ll use throughout the remaining steps of this process.
Example Output:
tXJxQcj01NoR3whDnt9OxQ==
Save this value in a secure location temporarily — you’ll need it again when initializing the process and decoding the final root token.
Why Use an OTP?
Using an OTP provides a layer of protection in case the encoded root token is exposed. Since the token is encrypted with the OTP, an attacker would need both the encoded token and the OTP to misuse it.
Initialize the Root Generation Process
Once you’ve generated your One-Time Password (OTP), the next step is to begin the root token creation workflow. This process requires multiple unseal key holders to participate — a built-in safeguard to prevent any single person from generating high-privilege credentials alone.
Step-by-Step: Initialize the Root Creation
Run the following command to start the root token generation process:
vault operator generate-root -init -otp="<your-otp-here>"
Example:
vault operator generate-root -init -otp="tXJxQcj01NoR3whDnt9OxQ=="
This command initializes the multi-step process, preparing Vault to accept unseal key shares. It also returns an encoded nonce, which acts as a unique identifier for this root generation session.
Save the nonce value — you’ll need it during the next step when entering unseal keys.
Provide Unseal Keys
Now that the root generation process is initialized, Vault will prompt for unseal key shares. These are the same keys used during the Vault unsealing process and are required to authorize the creation of a new root token.
The number of keys required depends on the unseal threshold defined during Vault initialization (e.g., 3 of 5 key shares).
Step-by-Step: Enter Unseal Key Shares
Use the following command and enter each unseal key when prompted:
vault operator generate-root
You’ll be prompted one at a time to input unseal key shares. After entering enough valid keys to meet the threshold, Vault will output an encoded root token.
Example Output:
Nonce: 94f53d2f-6f57-0021-989d-39546aa3d90e
Progress: 3/3 shares
Encoded Token: GYox3aZVAGXZfI9Gku1ohQ==
Important: The encoded token is not yet usable. You must decode it in the next step using the OTP you generated earlier.
Decode the Root Token
Once you’ve provided the required number of unseal keys and received the encoded root token, the final step is to decode it using the same one-time password (OTP) you generated earlier. This ensures that only someone with both the OTP and the required unseal keys can create a root token.
Step-by-Step: Decode the Root Token
Run the following command:
vault operator generate-root -decode="<ENCODED_TOKEN>" -otp="<OTP_VALUE>"
Example:
vault operator generate-root -decode="GYox3aZVAGXZfI9Gku1ohQ==" -otp="tXJxQcj01NoR3whDnt9OxQ=="
If the values are correct and match the original session, Vault will output the new root token to your console.
✅ You now have a fully valid root token. This token has full administrative privileges and no expiration, so it should be used with extreme caution and destroyed once its intended task is completed.
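To make concrete why the encoded token is useless without the OTP (the point of the "Why Use an OTP?" section and of the Decode step above), here is an added Python illustration of the documented scheme: Vault XORs the bytes of the new root token with the OTP and base64-encodes the result, and the decode step reverses it. This is not Vault's own code; the token string and the fixed pad are constructed sample values.

```python
import base64
import secrets

# Constructed sample values for illustration only (not real Vault output):
# a root-token-shaped string and a fixed 32-byte pad so the run is repeatable.
SAMPLE_TOKEN = "hvs.EXAMPLEonlyNotARealRootToken"
SAMPLE_OTP = bytes(range(0x10, 0x10 + 32))


def generate_otp(length: int = 32) -> bytes:
    """Draw a fresh random pad from the OS CSPRNG (never reuse a pad)."""
    return secrets.token_bytes(length)


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR each data byte with the pad byte at the same offset."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ p for d, p in zip(data, pad))


def encode_root_token(token: str, otp: bytes) -> str:
    """Mask the token with the OTP and base64-encode it, the shape of
    Vault's 'Encoded Token' line: meaningless without the matching OTP."""
    return base64.b64encode(xor_bytes(token.encode(), otp)).decode()


def decode_root_token(encoded: str, otp: bytes) -> str:
    """Undo the masking: base64-decode, then XOR with the same OTP."""
    return xor_bytes(base64.b64decode(encoded), otp).decode(errors="replace")


def demo() -> dict:
    """Round-trip the sample token, then show that a wrong OTP yields garbage."""
    encoded = encode_root_token(SAMPLE_TOKEN, SAMPLE_OTP)
    right = decode_root_token(encoded, SAMPLE_OTP)
    wrong = decode_root_token(encoded, generate_otp())
    return {"encoded": encoded, "decoded": right, "wrong_otp_result": wrong}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```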
Summary and Best Practices
You’ve now completed the full process of securely generating a new root token in HashiCorp Vault. This method ensures that high-privilege access is tightly controlled, auditable, and limited only to those who possess both the unseal keys and the one-time password (OTP).
What You Accomplished:
- Generated a one-time password (OTP) for root token generation
- Initialized the root token creation process
- Entered unseal keys to authorize the action
- Received and decoded the new root token
Best Practices:
- Destroy the root token immediately after use. Root tokens are permanent and do not expire unless explicitly revoked.
- Store unseal keys securely. These keys are critical to your Vault’s integrity. Distribute the Shamir’s Secret Sharing key shares to separate holders so no single person holds a quorum, and consider secure key management solutions.
- Avoid day-to-day use of root tokens. Instead, rely on policies and identity-based access controls.
- Audit root token usage. If a root token must be used, ensure logging and auditing are in place to track who accessed it and why.
- Review Vault’s current version documentation. While this method is still valid, newer versions of Vault may introduce alternate or improved workflows.
By following this structured, multi-step process, you significantly reduce the risk of accidental privilege escalation or compromise.