Vault rekey procedure not getting new master token

I followed the rekey procedure and got new unseal keys, but got no new master token. I did restart the Vault service on the 5-node cluster and the old token still works.

I ran the commands on the cluster leader. Not sure what I missed. I am using auto unseal with Azure Key Vault.

Appreciate any help.

Thanks


vault01:~/# vault operator rekey -init -key-shares=5 -key-threshold=3 -target=recovery
{
  "nonce": "xxxxxxxxxxxxxxxxxxxxxxx",
  "started": true,
  "t": 3,
  "n": 5,
  "progress": 0,
  "required": 3,
  "pgp_fingerprints": null,
  "backup": false,
  "verification_required": false,
  "verification_nonce": ""
}
vault01:~/# vault operator rekey -target=recovery
Rekey operation nonce: xxxxxxxxxxxxxxxxxxxxxxx
Unseal Key (will be hidden):
{
  "nonce": "xxxxxxxxxxxxxxxxxxxxxxx",
  "started": true,
  "t": 3,
  "n": 5,
  "progress": 1,
  "required": 3,
  "pgp_fingerprints": null,
  "backup": false,
  "verification_required": false,
  "verification_nonce": ""
}
vault01:~/# vault operator rekey -target=recovery
Rekey operation nonce: xxxxxxxxxxxxxxxxxxxxxxx
Unseal Key (will be hidden):
{
  "nonce": "xxxxxxxxxxxxxxxxxxxxxxx",
  "started": true,
  "t": 3,
  "n": 5,
  "progress": 2,
  "required": 3,
  "pgp_fingerprints": null,
  "backup": false,
  "verification_required": false,
  "verification_nonce": ""
}


vault01:~/# vault operator rekey -target=recovery
Rekey operation nonce: xxxxxxxxxxxxxxxxxxxxxxx
Unseal Key (will be hidden):
{
  "nonce": "xxxxxxxxxxxxxxxxxxxxxxx",
  "complete": true,
  "keys": [
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  ],
  "keys_base64": [
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  ],
  "pgp_fingerprints": null,
  "backup": false,
  "verification_required": false
}

vault01:~/# vault operator rekey -target=recovery -status
{
  "nonce": "",
  "started": false,
  "t": 0,
  "n": 0,
  "progress": 0,
  "required": 3,
  "pgp_fingerprints": null,
  "backup": false,
  "verification_required": false,
  "verification_nonce": ""
}

That’s normal.

The rekey procedure does not generate a root token.