Unable to use TOTP codes generated by google-authenticator cli

When attempting to put in keys generated by the google-authenticator CLI I get the error below; an example of a key is ‘NN4UYFOCKUK2PEF6MU3TZ3YM6Y’. This key works fine in the Google Authenticator Android app as well as the Linux package ‘oathtool’.

vault write totp/keys/test key=NN4UYFOCKUK2PEF6MU3TZ3YM6Y

Error writing data to totp/keys/test: Error making API request.

URL: PUT https://vault.local/v1/totp/keys/test
Code: 400. Errors:

  • invalid key value: illegal base32 data at input byte 24

Hi,

That key doesn’t seem to be a valid base32 value.

Maybe the value returned by echo NN4UYFOCKUK2PEF6MU3TZ3YM6Y|base32 will work.

The docs don’t explicitly mention that base32 encoding is required, but the error you got indicates that this is the case…

Because this is the top result for this problem on Google, I will put an answer here for future generations:

As per the google-authenticator Key-Uri-Format seen here: Key Uri Format · google/google-authenticator Wiki · GitHub

They define ‘Secret’ as:

REQUIRED: The secret parameter is an arbitrary key value encoded in Base32 according to RFC 3548. The padding specified in RFC 3548 section 2.2 is not required and should be omitted.

Because Google strips off the padding, you need to add it back by appending ====== to your TOTP secret string when adding it to Vault before it will work. The code Google uses is technically nearly valid base32; however, it is missing the = padding on the end.

So when entering the code you’ve provided into Vault you must use NN4UYFOCKUK2PEF6MU3TZ3YM6Y====== (for example) so Vault can successfully decode the base32 and output valid 6-digit codes.
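The padding rule above can be worked out rather than counted by hand: base32 encodes in 8-character quanta, so an unpadded secret is padded up to the next multiple of 8 (26 characters → 6 ‘=’). The program below is an added example, not code from this thread or from Vault. Vault is written in Go, and the error text in the question (“illegal base32 data at input byte 24”) is exactly what Go’s encoding/base32 standard decoder produces when it reaches the end of the input without the expected padding, so the example uses that same decoder to reproduce the failure and the fix. It also strips spaces and lower-case that some apps display (a generalisation beyond the key in the thread) and computes an RFC 6238 code from the decoded key so the result can be compared with the authenticator app; the `PadBase32Secret`, `DecodeTOTPSecret` and `TOTPCode` names are this example’s own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// PadBase32Secret restores the '=' padding that RFC 3548/4648 requires and
// that Google Authenticator omits. Base32 works in 8-character quanta, so the
// secret is padded up to the next multiple of 8. Spaces and lower-case, which
// some apps display for readability, are normalised first.
func PadBase32Secret(secret string) string {
	s := strings.ReplaceAll(strings.TrimSpace(secret), " ", "")
	s = strings.ToUpper(strings.TrimRight(s, "="))
	if rem := len(s) % 8; rem != 0 {
		s += strings.Repeat("=", 8-rem)
	}
	return s
}

// DecodeTOTPSecret decodes with Go's standard base32 decoder, which requires
// padding. Its error text ("illegal base32 data at input byte N") is the one
// Vault surfaced in the question.
func DecodeTOTPSecret(secret string) ([]byte, error) {
	return base32.StdEncoding.DecodeString(secret)
}

// TOTPCode computes an RFC 6238 code (HMAC-SHA1, 30 s step, 6 digits) from
// the raw key bytes, so the decoded secret can be checked against the app.
func TOTPCode(key []byte, at time.Time) string {
	counter := uint64(at.Unix() / 30)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3).
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

func main() {
	raw := "NN4UYFOCKUK2PEF6MU3TZ3YM6Y" // the key from the question

	if _, err := DecodeTOTPSecret(raw); err != nil {
		fmt.Println("unpadded:", err) // illegal base32 data at input byte 24
	}
	padded := PadBase32Secret(raw)
	key, err := DecodeTOTPSecret(padded)
	if err != nil {
		panic(err)
	}
	fmt.Printf("padded: %s (%d key bytes)\n", padded, len(key))
	fmt.Println("current code:", TOTPCode(key, time.Now()))
}
```

Running it prints the same decode error Vault returned for the bare key, then the padded form NN4UYFOCKUK2PEF6MU3TZ3YM6Y====== that Vault accepts, and a code that should match the Android app for the same 30-second window.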

That “equals” padding is missing and Google Authenticator is OK with that. Adding it back for Vault does the trick.