Vault UI to accept unseal keys when generating root token

When the Vault is sealed, launching the Vault UI will prompt to enter the unseal keys where the participants holding the unseal keys can supply the unseal keys for unsealing the Vault.

The question is: when generating the root token (vault operator generate-root -init -pgp-key=./pubkeys/xyz.asc), is there a UI available natively within Vault where the unseal keys can be submitted, like the process the unseal operation allows?

Best regards

I don’t think I have ever seen that; in fact our internal documentation tells the key owners that they must have Vault installed locally on their machine so that they can enter the key when needed. Although a web UI form would be very nice to have in this situation – you could supply the nonce and the key.
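As an added example (not from this thread and not HashiCorp's own code), here is the "nonce plus key" form idea reduced to a tiny key-holder client over the `/v1/sys/generate-root/update` API that the CLI wraps. The Vault address, nonce and key shares are constructed placeholders, and `FakeVault` is a stand-in for the real endpoint so the flow can be exercised offline.

```python
import json
import urllib.request
from typing import Any, Callable, Dict

# Assumed values: the operator who ran "generate-root -init" gives the key holder the
# Vault address and the attempt nonce out of band; the key share never leaves the holder.
VAULT_ADDR = "https://vault.example.internal:8200"  # hypothetical address
UPDATE_PATH = "/v1/sys/generate-root/update"

Poster = Callable[[str, Dict[str, Any]], Dict[str, Any]]  # (path, json body) -> json reply

def http_post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport: POST JSON to Vault over TLS; this endpoint needs no Vault token."""
    req = urllib.request.Request(VAULT_ADDR + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def submit_key_share(post: Poster, nonce: str, key_share: str) -> Dict[str, Any]:
    """Submit one unseal key share to the running generate-root attempt.

    The nonce binds the share to the attempt the operator announced, so a share
    pasted into a different (or rogue) attempt is refused rather than consumed.
    """
    nonce, key_share = nonce.strip(), key_share.strip()
    if not nonce or not key_share:
        raise ValueError("nonce and key share are both required")
    reply = post(UPDATE_PATH, {"key": key_share, "nonce": nonce})
    if reply.get("nonce") != nonce:
        raise RuntimeError("Vault answered for a different attempt; stop and tell the operator")
    return {"progress": reply["progress"], "required": reply["required"],
            "complete": reply["complete"], "encoded_token": reply.get("encoded_token", "")}

class FakeVault:
    """Constructed stand-in for the API so the flow can be exercised offline."""
    def __init__(self, nonce: str, required: int) -> None:
        self.nonce, self.required, self.seen = nonce, required, set()

    def post(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        if path != UPDATE_PATH or body["nonce"] != self.nonce or body["key"] in self.seen:
            raise RuntimeError("invalid nonce or key already provided")  # Vault: HTTP 400
        self.seen.add(body["key"])
        done = len(self.seen) >= self.required
        return {"nonce": self.nonce, "progress": len(self.seen), "required": self.required,
                "complete": done, "encoded_token": "<pgp-encrypted-token>" if done else ""}

if __name__ == "__main__":
    demo = FakeVault(nonce="2dbd10f1-8528-6246-09e7-82b25b8aba63", required=3)  # constructed
    for share in ("share-A", "share-B", "share-C"):  # constructed shares, not real keys
        print(submit_key_share(demo.post, demo.nonce, share))
```

Swap `demo.post` for `http_post` to talk to a real cluster; the `encoded_token` that comes back on completion is still PGP-encrypted to the key given at `-init`, so the holder who submits the last share learns nothing about the root token.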

@aram, Thanks for your response and appreciate you taking time in responding.

In normal circumstances, I agree on having Vault installed locally on key holders' (/operators') machines.

For our use case, non-technical individuals may be nominated as trusted key holders (for unseal keys) and hence we need to keep their participation during Vault unseal and/or generate-root operations as simple and non-technical as possible.

It's okay to assume the operator initiating the unseal and generate-root operation is technical and has access to a Vault install.

It’s normal to have non-technical individuals as part of the key ring, however they have to be able to be trusted enough to run a single command, at least that’s our base requirement.

If you really don’t want to have them enter their own key, then you have to have everyone online on a WebEx or Zoom call, where people share their key, have it entered, then immediately rotate and distribute a new set right there on the share, as the keys have been exposed.