Use PGP encrypted key shares to unseal Vault
Vault encrypts data with an encryption key. That encryption key is further encrypted with a second key, known as the root key. At Vault initialization time, you can choose to split the root key into a number of key shares using Shamir's Secret Sharing algorithm. When using the Shamir seal, these key shares are called unseal keys, but when using an auto seal or HSM, they're known as recovery keys.
By default, Vault splits the root key into 5 key shares, and requires a quorum of 3 key shares for reconstruction of the root key to use in rekey or unseal operations. In the diagram, the key shares held by Alice, Carol, and Dan satisfy the quorum, and represent the users which participate in the examples for this tutorial.
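The 5-share, 3-threshold split described above, worked through in code. This is an added illustration written for this page, not Vault's own implementation: it works over GF(2^8) like Vault's shamir package, but the share layout (x-coordinate as the first byte) is this example's own, and the 32-byte root key is a constructed random value.

```python
"""Shamir's Secret Sharing over GF(2^8): split a 32-byte root key into 5 shares,
any 3 of which reconstruct it. Added illustration for this page, not Vault's code."""
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 because a^255 == 1 for a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split(secret: bytes, shares: int = 5, threshold: int = 3) -> list[bytes]:
    """Return `shares` shares; share i is bytes([x_i]) + one y byte per secret byte.
    Every secret byte gets a fresh random polynomial of degree threshold-1 with
    that byte as constant term, so fewer than `threshold` shares reveal nothing."""
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    xs = list(range(1, shares + 1))  # x = 0 holds the secret, so it is never a share
    ys = [bytearray() for _ in xs]
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for i, x in enumerate(xs):
            y = 0
            for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
                y = gf_mul(y, x) ^ c
            ys[i].append(y)
    return [bytes([x]) + bytes(y) for x, y in zip(xs, ys)]


def combine(shares: list[bytes]) -> bytes:
    """Lagrange-interpolate each byte position at x = 0. With fewer than
    `threshold` shares this still returns bytes, but unrelated to the secret."""
    xs = [s[0] for s in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    n = len(shares[0]) - 1
    if any(len(s) - 1 != n for s in shares):
        raise ValueError("share length mismatch")
    out = bytearray()
    for k in range(n):
        acc = 0
        for i in range(len(shares)):
            num = den = 1
            for j in range(len(shares)):
                if i != j:
                    num = gf_mul(num, xs[j])          # (0 - x_j) == x_j in characteristic 2
                    den = gf_mul(den, xs[i] ^ xs[j])  # (x_i - x_j)
            acc ^= gf_mul(shares[i][k + 1], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


PERSONAS = ["alice", "bob", "carol", "dan", "frank"]


def distribute(root_key: bytes) -> dict[str, bytes]:
    """Hand one share to each of the five personas from the tutorial."""
    return dict(zip(PERSONAS, split(root_key, shares=5, threshold=3)))


def reconstruct(held: dict[str, bytes], holders: list[str]) -> bytes:
    """Reconstruct from the shares of the named holders (e.g. Alice, Carol, Dan)."""
    return combine([held[name] for name in holders])


def demo() -> bool:
    root_key = secrets.token_bytes(32)  # constructed stand-in for Vault's root key
    held = distribute(root_key)
    quorum_ok = reconstruct(held, ["alice", "carol", "dan"]) == root_key
    below_quorum = reconstruct(held, ["alice", "carol"]) != root_key
    return quorum_ok and below_quorum


if __name__ == "__main__":
    print("5/3 split round-trip OK:", demo())
```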
Challenge
When you initialize Vault, it returns hexadecimal-encoded or base64-encoded representations of the key shares and initial root token value in plaintext, as shown in these examples.
Learn more about the init operation and its output using the Vault HTTP API, CLI, or web UI.
$ vault operator init
Example expected output:
Unseal Key 1: eUc0ff332w8rOLBMyvP2yWRZ+t8NlwZ+cMUDbAe4Zm+8
Unseal Key 2: w9uzo61xXcxu5hz9uzJwsvz5RQCXc0ff33tN44HjOWy0
Unseal Key 3: 5es3Q9ZPoEU4xldKKQ5bWb8c0ff33rk1gO/rZNZltfGD
Unseal Key 4: jm7s/xixDc0ff33cqKw+LLUWj2yqtH3I0LovL9jBYVb2
Unseal Key 5: ejfqbLS8wSfYcTfes3fjQNkkYoTcmqE9YMJwbfc0ff33
Initial Root Token: hvs.7wc0ff33iCtoMXiP7LoJOGjj
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
Vault returns base64-encoded unseal keys, and a plaintext initial root token value when initialized through the vault CLI.
$ curl \
--silent \
--request POST \
--data '{"secret_shares": 5,"secret_threshold": 3}' \
$VAULT_ADDR/v1/sys/init | \
jq
Example expected output:
{
  "keys": [
    "e43bc2cadd0c4bb9e140e7733b5aa9147ed5426d0fabee0085a41f3fc0ff3319c4",
    "7a5796fb07da797a070e8eca6e8174676a7b2446ce2157cb91f04e9dc362c5c098",
    "fcda75cd7ee77f0182760d8838d8d6a931c93fec0ff33a65a11725786005fa19d7",
    "a739364703310103f75d832f10b49e5e2d51fdf4ca55c0ff334fdde7cf3856b13e",
    "1245b9c0ff33c6461e47f4a8633590b13a0dfee4af7c0cdca498d85af1d8604a50"
  ],
  "keys_base64": [
    "5DvCyt0MS7nhQOdzOc0ff33VQm0Pq+4AhaQfP2GZsRnE",
    "eleW+wfaeXoHDo7c0ff332p7JEbOIVfLkfBOncNixcCY",
    "/Np1zXc0ff33dg2IONjWqTHJP+DxlyploRcleGAF+hnX",
    "pzk2RwMxAQP3XYMc0ff33i1R/fTKVdSkOE/d5884VrE+",
    "EkW5SL4sxkYeR/SoYzWQsToN/uSvfAc0ff33WvHYYEpQ"
  ],
  "root_token": "hvs.MwpZ5tAyeuKFheTBcc0ff33Q"
}
Vault returns both hexadecimal-encoded and base64-encoded unseal keys, and a plaintext initial root token value when you initialize it with the HTTP API.
After you choose cluster details and proceed, Vault presents the initialization dialog.
Once you have entered the number of key shares and key threshold, you can initialize Vault.
Vault returns the initial root token value and key shares obscured by squares. You can click an eye icon to view the information or a clipboard icon to copy the information to your system clipboard.
You can scroll to view all key shares.
If you click the eye icons, the plaintext values are viewable.
This is acceptable in certain circumstances, such as development or evaluation clusters, but you may require more protection of the key shares and initial root token when operating in production.
Solution
Vault can encrypt the key shares and initial root token value at initialization time with user-supplied public keys generated from any RFC 4880 compliant PGP software, such as GNU Privacy Guard (GPG).
Tip
Vault also directly supports encrypting key shares with GPG public keys from Keybase usernames, but that is not specifically covered in this tutorial.
When you initialize Vault with the pgp-keys and root-token-pgp-key options, it encrypts the unseal keys and root token value with the specified GPG public keys, base64 encodes the encrypted values, and outputs those values instead of plaintext values.
Scenario introduction
Your goal in this scenario is to explore using Vault with the Shamir seal, and to encrypt the unseal key shares with GPG at initialization time. You'll then learn how to use the GPG encrypted key shares to unseal and rekey Vault.
First, you'll use a terminal session to configure and start a simplified Vault server Docker container.
You'll then use GPG to generate 5 distinct sets of keys to use for encrypting and decrypting the Vault key shares.
Then, it's time to initialize Vault. Acting as all 5 personas, you'll pass in the GPG public key from each persona to initialize Vault with the API, CLI, or UI. Once Vault initializes, it returns the key shares, each one encrypted with the GPG public keys which you passed in at initialization time.
The 5 key shares are distributed to Alice, Bob, Carol, Dan, and Frank, which for the purpose of this tutorial just means that the encrypted key share value gets assigned to an environment variable after initialization.
You'll then act as 3 of the 5 personas (Alice, Carol, and Dan), and use their encrypted key shares to unseal Vault.
After you unseal Vault, you can then act as the same 3 personas, and use their encrypted key shares to rekey Vault.
If you are unfamiliar with initialization, rekeying, seals and keys, you can review the operator init, operator rekey, operator unseal, and Seal/Unseal concepts documentation to learn more.
Personas
The steps described in this tutorial are typically performed by a team of security engineers.
You'll assume 4 of these hypothetical named security engineer roles in the hands-on lab scenario:
- Alice: Team lead; coordinates distribution of the team's GPG public keys, starts the Vault initialization process, and takes part in unseal and rekeying operations.
- Bob: Provides a GPG public key to Alice for use in initializing Vault, but does not take part in unseal or rekeying operations unless needed.
- Carol: Provides a GPG public key to Alice for use in initializing Vault, and also takes part in unseal and rekeying operations.
- Dan: Provides a GPG public key to Alice for use in initializing Vault, and also takes part in unseal and rekeying operations.
- Frank: Provides a GPG public key to Alice for use in initializing Vault, but does not take part in unseal or rekeying operations unless needed.
- Dave: Vault operator; configures and starts the Vault server.
Prerequisites
You need the following to perform the tasks described in this tutorial:
Docker Desktop installed (tutorial tested with Docker Desktop version 4.18.0 and Docker Engine version 20.10.24).
Working internet from the Docker host computer to download Docker images.
Familiarity with initializing, unsealing, and rekeying Vault is helpful, but not required to follow along with the hands-on lab. If you are unfamiliar with these concepts and their related tasks, reviewing the Seal/Unseal concepts documentation along with the operator init, operator unseal, and operator rekey can help you.
Tip
For a thorough understanding of the initialization, unseal, and rekey operations, you can also review the /sys/init, /sys/unseal, and /sys/rekey API documentation.
Lab setup
The lab for this scenario is a single Vault server Docker container with integrated storage.
You'll also deploy some community-image-based GPG Docker containers on which you generate 5 sets of GPG keys. You can then use these keys to encrypt and decrypt the Vault key shares for all operations in the hands-on lab.
Tip
The hands-on lab uses GPG Docker containers for ease of use, and to avoid conflicts with any GPG software already installed on your computer.
Create hands-on lab home
You can create a temporary directory to hold all the content needed for this hands-on lab, and then assign its path to an environment variable for later reference.
Open a terminal, and create the directory /tmp/learn-vault-pgp.
$ mkdir /tmp/learn-vault-pgp
Export the hands-on directory path as the value of the HC_LEARN_LAB environment variable.
$ export HC_LEARN_LAB=/tmp/learn-vault-pgp
Vault server setup
The goal of this section is to deploy a simple Vault server container that you'll use for the hands-on lab.
Create directories for Vault configuration and data.
$ mkdir -p "$HC_LEARN_LAB"/vault/{config,data}
Pull the latest Vault Docker image.
$ docker pull hashicorp/vault:latest
Example abbreviated output:
latest: Pulling from hashicorp/vault
...snip...
docker.io/hashicorp/vault:latest
Create a Docker network named learn-vault.
$ docker network create learn-vault
d6a8247e3f138344c4686a517834ec2e2af68be9d728afb08bcfe21aae616785
Create the Vault server configuration file.
$ cat > "$HC_LEARN_LAB"/vault/config/vault-server.hcl <<EOF
ui = true

listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}

storage "raft" {
  path = "/vault/file"
}
EOF
Note
The listener stanza disables TLS (tls_disable = 1) just for this tutorial. Vault should always be used with TLS in production deployments. Using TLS requires a certificate file and key file on each Vault host.
Start the Vault server container.
$ docker run \
    --name=learn-vault \
    --hostname=learn-vault \
    --network=learn-vault \
    --publish 8200:8200 \
    --env VAULT_ADDR="http://localhost:8200" \
    --env VAULT_CLUSTER_ADDR="http://learn-vault:8201" \
    --env VAULT_API_ADDR="http://learn-vault:8200" \
    --env VAULT_RAFT_NODE_ID="learn-vault" \
    --volume "$HC_LEARN_LAB"/vault/config/:/vault/config \
    --volume "$HC_LEARN_LAB"/vault/data/:/vault/file:z \
    --cap-add=IPC_LOCK \
    --detach \
    --rm \
    hashicorp/vault vault server -config=/vault/config/vault-server.hcl
Confirm that the Vault server container is up.
$ docker ps -f name=learn-vault --format "table {{.Names}}\t{{.Status}}"
Example expected output:
NAMES         STATUS
learn-vault   Up 5 seconds
Export an environment variable for the vault CLI to address the primary server.
$ export VAULT_ADDR=http://127.0.0.1:8200
Verify the Vault server status.
$ vault status
Example expected output:
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.13.2
Build Date         2023-04-25T13:02:50Z
Storage Type       raft
HA Enabled         true
The Vault server is now ready for you to initialize and unseal with unseal keys.
Prepare GPG key sets
Your goal in this section is to create 5 sets of simple GPG keys, which you use later for encrypting and decrypting Vault key shares. An example CLI workflow diagram is shown for the Alice persona, and the workflow is similar for each persona.
You can use a community GnuPG Docker container to generate keys for demonstrating the features in this tutorial.
Note
The example GPG configuration and runtime environment is just for this tutorial. You are encouraged to use a configuration and runtime environment that is compliant with your organization's security policies for actual use cases.
You do these tasks as each of the 5 main personas.
You'll non-interactively generate the 5 GPG keys with a configuration like this example for Alice:
%echo Generating a basic OpenPGP key for Alice
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: Alice
Name-Comment: Alice is a Vault PGP user
Name-Email: alice@example.com
Expire-Date: 1
Passphrase: recede-yard-unwilling-shrouded
%commit
%echo done
Each set of keys has these properties as defined in the configuration:
- RSA key and subkey
- 4096 bit key size for key and subkey
- Persona name
- Persona email
- Expires in 1 day
- Passphrase in configuration for tutorial simplicity
Create directories for each of the personas.
$ mkdir "$HC_LEARN_LAB"/{alice,bob,carol,dan,frank}
Change modes on the persona directories. This increases security for access to the directories. If you omit this step, GPG warns you that the directory permissions are insecure whenever you execute it.
$ chmod 0700 "$HC_LEARN_LAB"/{alice,bob,carol,dan,frank}
Pull the community GnuPG Docker container image.
$ docker pull vladgh/gpg:latest
Example abbreviated output:
latest: Pulling from vladgh/gpg
...snip...
docker.io/vladgh/gpg:latest
You're now prepared to use GPG containers to generate each persona's keys.
Note
When exporting the public key values, you do not need the common ASCII armored format (i.e., the --armor parameter). This is because Vault expects a plain base64-encoded version of the binary key output without any extra characters like those present in ASCII armored public key output. Instead, pipe the command output to base64 for encoding prior to writing the file.
Alice's GPG key
Complete these steps as the persona Alice.
Define a shell alias gpg that interacts with the Docker GPG container for the Alice persona. The container is named, and uses a volume mapping between the host and container for all GPG configuration and key material. The GPG console is specified with an environment variable, and the container removes itself after each execution.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg"
Create the GPG configuration for Alice.
$ cat > "$HC_LEARN_LAB"/alice/alice_key.conf << EOF
%echo Generating a basic OpenPGP key for Alice
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: Alice
Name-Comment: Alice is a Vault PGP user
Name-Email: alice@example.com
Expire-Date: 1
Passphrase: recede-yard-unwilling-shrouded
%commit
%echo done
EOF
Generate the key for Alice.
$ gpg --full-gen-key --batch /root/.gnupg/alice_key.conf
Example expected output:
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: Generating a basic OpenPGP key for Alice
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/848950117127B2BA8615ABE08930D1B13CA8F9BB.rev'
gpg: done
Export the public key for Alice into the file $HC_LEARN_LAB/alice/alice_key.pub.
$ gpg --output /root/.gnupg/alice_key.pub --export alice@example.com
This command is expected to produce no output.
Bob's GPG key
Complete these steps as the persona Bob.
Update the gpg alias so it interacts with the Docker GPG container for the Bob persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-bob --volume $HC_LEARN_LAB/bob:/root/.gnupg vladgh/gpg"
Create the GPG configuration for Bob.
$ cat > "$HC_LEARN_LAB"/bob/bob_key.conf << EOF
%echo Generating a basic OpenPGP key for Bob
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: bob
Name-Comment: Bob is a Vault PGP user
Name-Email: bob@example.com
Expire-Date: 1
Passphrase: giggle-suing-starring-sugar
%commit
%echo done
EOF
Generate the key for Bob.
$ gpg --full-gen-key --batch /root/.gnupg/bob_key.conf
Example expected output:
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: Generating a basic OpenPGP key for Bob
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/0F4AA2FB5D60A0ACB2B0736CBABA346598D87E72.rev'
gpg: done
Export the public key for Bob into the file $HC_LEARN_LAB/bob/bob_key.pub.
$ gpg --output /root/.gnupg/bob_key.pub --export bob@example.com
This command is expected to produce no output.
Carol's GPG key
Complete these steps as the persona Carol.
Update the gpg alias so it interacts with the Docker GPG container for the Carol persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-carol --volume $HC_LEARN_LAB/carol:/root/.gnupg vladgh/gpg"
Create the GPG configuration for Carol.
$ cat > "$HC_LEARN_LAB"/carol/carol_key.conf << EOF
%echo Generating a basic OpenPGP key for Carol
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: Carol
Name-Comment: Carol is a Vault PGP user
Name-Email: carol@example.com
Expire-Date: 1
Passphrase: unnerving-appealing-primarily-overload
%commit
%echo done
EOF
Generate the key for Carol.
$ gpg --full-gen-key --batch /root/.gnupg/carol_key.conf
Example expected output:
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: Generating a basic OpenPGP key for Carol
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/54D8C3DB5FA6B8E44B271778C81FB6D3D670977B.rev'
gpg: done
Export the public key for Carol into the file $HC_LEARN_LAB/carol/carol_key.pub.
$ gpg --output /root/.gnupg/carol_key.pub --export carol@example.com
This command is expected to produce no output.
Dan's GPG key
Complete these steps as the persona Dan.
Update the gpg alias so it interacts with the Docker GPG container for the Dan persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-dan --volume $HC_LEARN_LAB/dan:/root/.gnupg vladgh/gpg"
Create the GPG configuration for Dan.
$ cat > "$HC_LEARN_LAB"/dan/dan_key.conf << EOF
%echo Generating a basic OpenPGP key for Dan
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: Dan
Name-Comment: Dan is a Vault PGP user
Name-Email: dan@example.com
Expire-Date: 1
Passphrase: shawl-stem-elective-stoop
%commit
%echo done
EOF
Generate the key for Dan.
$ gpg --full-gen-key --batch /root/.gnupg/dan_key.conf
Example expected output:
gpg: Generating a basic OpenPGP key for Dan
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/A6047CE604B888DD04DEFCE28B973C1C27DA6FBE.rev'
gpg: done
Export the public key for Dan into the file $HC_LEARN_LAB/dan/dan_key.pub.
$ gpg --output /root/.gnupg/dan_key.pub --export dan@example.com
This command is expected to produce no output.
Frank's GPG key
Complete these steps as the persona Frank.
Update the gpg alias so it interacts with the Docker GPG container for the Frank persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-frank --volume $HC_LEARN_LAB/frank:/root/.gnupg vladgh/gpg"
Create the GPG configuration for Frank.
$ cat > "$HC_LEARN_LAB"/frank/frank_key.conf << EOF
%echo Generating a basic OpenPGP key for Frank
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: Frank
Name-Comment: Frank is a Vault PGP user
Name-Email: frank@example.com
Expire-Date: 1
Passphrase: capitol-wasting-darwinism-surcharge
%commit
%echo done
EOF
Generate the key for Frank.
$ gpg --full-gen-key --batch /root/.gnupg/frank_key.conf
Example expected output:
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: Generating a basic OpenPGP key for Frank
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/4B6324B4C2AE1ED061075BB56D3AEFA0E11E803D.rev'
gpg: done
Export the public key for Frank into the file $HC_LEARN_LAB/frank/frank_key.pub.
$ gpg --output /root/.gnupg/frank_key.pub --export frank@example.com
This command is expected to produce no output.
Some of the steps later require base64-encoded versions of the persona's GPG public keys. Before proceeding, create a base64-encoded version of each persona's GPG public key.
You can complete this step as the Alice persona.
$ for persona in alice bob carol dan frank; do
    # tr strips the line wrapping some base64 implementations add by default, so
    # each file holds a single-line value that can be embedded in a JSON string
    cat "$HC_LEARN_LAB"/"$persona"/"$persona"_key.pub \
      | base64 | tr -d '\n' > "$HC_LEARN_LAB"/"$persona"/"$persona"_key_base64.pub
  done
Now that you've generated all of the GPG keys, you can use them to initialize, unseal, and rekey Vault.
Initialize Vault with public keys
Initialize Vault with the 5 GPG public keys specified to encrypt the key shares, and Carol's GPG public key to encrypt the initial root token value. Write the initialization output to the file "$HC_LEARN_LAB"/vault_init_output.txt.
$ vault operator init -pgp-keys "$HC_LEARN_LAB/alice/alice_key.pub,$HC_LEARN_LAB/bob/bob_key.pub,$HC_LEARN_LAB/carol/carol_key.pub,$HC_LEARN_LAB/dan/dan_key.pub,$HC_LEARN_LAB/frank/frank_key.pub" -root-token-pgp-key "$HC_LEARN_LAB/alice/alice_key.pub" > "$HC_LEARN_LAB"/vault_init_output.txt
This command is expected to produce no output, but you can list the file contents if you want to verify.
$ cat "$HC_LEARN_LAB"/vault_init_output.txt
Example abbreviated output:
Unseal Key 1: ...snip...
Unseal Key 2: ...snip...
Unseal Key 3: ...snip...
Unseal Key 4: ...snip...
Unseal Key 5: ...snip...
Initial Root Token: ...snip...
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
The initialization output shows base64-encoded and encrypted unseal key and initial root token values.
Warning
The Vault API expects base64-encoded PGP public keys without beginning or ending identifier text. If you try to use ASCII armored versions, they won't work.
Generate a JSON payload for the API call. It holds each of the base64-encoded encrypted key shares, the key share count, and key share threshold.
$ cat > "$HC_LEARN_LAB"/init_payload.json << EOF
{
  "pgp_keys": [
    "$(cat $HC_LEARN_LAB/alice/alice_key_base64.pub)",
    "$(cat $HC_LEARN_LAB/bob/bob_key_base64.pub)",
    "$(cat $HC_LEARN_LAB/carol/carol_key_base64.pub)",
    "$(cat $HC_LEARN_LAB/dan/dan_key_base64.pub)",
    "$(cat $HC_LEARN_LAB/frank/frank_key_base64.pub)"
  ],
  "root_token_pgp_key": "$(cat $HC_LEARN_LAB/alice/alice_key_base64.pub)",
  "secret_shares": 5,
  "secret_threshold": 3
}
EOF
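The warning above is easy to trip over, and the API rejects the request only after you have sent it. The following Python helper is an added example, not code from this tutorial or from Vault: it assembles the same payload from the per-persona `<name>_key_base64.pub` files used above and refuses ASCII-armored input or anything that does not decode to an OpenPGP public-key packet. It also enforces the Vault rule that `pgp_keys` must contain exactly `secret_shares` entries. The key bytes written by `demo()` are constructed filler that only mimics a key's leading packet header; they are not real PGP keys.

```python
"""Build the sys/init payload and reject ASCII-armored public keys up front.

Added example, not code from the HashiCorp tutorial. Vault expects every
entry of `pgp_keys`, and `root_token_pgp_key`, to be the base64 of a
*binary* OpenPGP public key (what `gpg --export <key> | base64` produces),
not the `-----BEGIN PGP PUBLIC KEY BLOCK-----` armored form, and the number
of keys must equal `secret_shares`. This helper reads the per-persona
`<name>_key_base64.pub` files the tutorial uses and fails before the API
call if either rule is broken.
"""
import base64
import json
import tempfile
from pathlib import Path

PERSONAS = ["alice", "bob", "carol", "dan", "frank"]   # share order used in the tutorial


def clean_base64_public_key(value: str) -> str:
    """Return the key as a single base64 line, or raise ValueError if unusable."""
    if "-----BEGIN PGP" in value:
        raise ValueError("ASCII-armored key; Vault needs `gpg --export <id> | base64`")
    value = "".join(value.split())                  # `base64` may wrap output at 76 columns
    raw = base64.b64decode(value, validate=True)    # binascii.Error is a ValueError
    # A transferable public key begins with a Public-Key packet (tag 6): CTB 0x99
    # in the old packet format that gpg exports, or 0xC6 in the new format.
    if not raw or raw[0] not in (0x99, 0xC6):
        raise ValueError("decoded data does not start with an OpenPGP public-key packet")
    return value


def is_acceptable_key(value: str) -> bool:
    """Boolean form of the check above, for callers that just want yes/no."""
    try:
        clean_base64_public_key(value)
        return True
    except ValueError:
        return False


def build_init_payload(lab_dir: Path, personas: list[str], root_token_holder: str,
                       threshold: int) -> dict:
    """Assemble the JSON body for POST /v1/sys/init from per-persona key files."""
    keys = [clean_base64_public_key((lab_dir / p / f"{p}_key_base64.pub").read_text())
            for p in personas]
    if not 1 <= threshold <= len(keys):
        raise ValueError("secret_threshold must be between 1 and secret_shares")
    return {
        "pgp_keys": keys,                       # one per share, in share order
        "root_token_pgp_key": keys[personas.index(root_token_holder)],
        "secret_shares": len(keys),             # must equal len(pgp_keys)
        "secret_threshold": threshold,
    }


def demo() -> dict:
    """Populate a scratch lab directory with constructed keys and build the payload.

    The key bytes are filler that only mimics the leading public-key packet
    header (old-format CTB 0x99, two-octet length); they are not real keys.
    """
    lab = Path(tempfile.mkdtemp(prefix="learn-vault-pgp-"))
    for i, p in enumerate(PERSONAS, 1):
        fake_key = b"\x99\x00\x08" + bytes([0x04, i]) + b"\x00" * 6   # constructed
        (lab / p).mkdir()
        (lab / p / f"{p}_key_base64.pub").write_text(base64.b64encode(fake_key).decode() + "\n")
    payload = build_init_payload(lab, PERSONAS, root_token_holder="alice", threshold=3)
    (lab / "init_payload.json").write_text(json.dumps(payload, indent=2))
    return payload


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `build_init_payload` at your real `$HC_LEARN_LAB` directory and write the returned dict to `init_payload.json`; an armored key fails with a clear message instead of a generic API error.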
Initialize Vault, and save the output in "$HC_LEARN_LAB"/vault_init_output.json.
$ curl --silent --request POST --data @"$HC_LEARN_LAB"/init_payload.json \
    $VAULT_ADDR/v1/sys/init \
    | jq > "$HC_LEARN_LAB"/vault_init_output.json
This command is expected to produce no output, but you can list the file contents if you want to verify.
$ cat "$HC_LEARN_LAB"/vault_init_output.json | jq
Example expected output:
{
  "keys": [
    "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",
    "c1c14c036242df3d7793ba36010fff47c5304e9ad7b862bf02264d850491cd878b6b3263251b3da49d755ed378b83e6021027b68cfe687a695151f7bb80587c1e6c59fd3eac149d949a8b3f7365b24ba60e1b9f9011abf66cb512841efead974330c529fb2dae2d53ab69e8b7b6205b19da048dd9f08e4c1e78e883bee4ec2661e1b97a5e9e94d2067346c080c2ebb7330ce26b4996aa9a5e6ed2829366765b7437e3b3f05336085fcac8bd60e07f0acb0681a8f28057079513a9a5369608f296e2a5c95d4e62ccf4eb1c64686b2e5e0d5a561c6552609a5fbf160d84278fdbe449f02d841df942d1b77f2e00d1d01f0fe2b683b1b46b2a0fd315a0fa4aa3f78f9705f5b77c455bc0bc216f5e8b8b13b4f9b8c79dff3f6e932535c1ec6a6aca825ef3021d5c8abd71973992b0a5dec6c8a37feb9c2676134918e1c729a5084e6b5baee8c1e3b7b5548aa06343d46f58e7873b561e92a8832ae8e04ba6aed5879accf0cfa2dc649c734b9a886534bd748471fa4c881338bd2d9bef9ac355dce8d10b36a9f6d3c9c2dfd60c06b88f0b751ec0266eb7cf594462898031ea559f9b78d3177c0c3c49a09c20bd2d4af85971a73b36fc96863f87d87328e479c4732bf31de79bab173f9acde2116f0f7b48a62f7d678d6c7e6cc0c04e23434aa3da80c8479bb9c75811c27c7f28197d8be628715854bf77221cfde9b01d095c9ad421cc723d8a34ee0d2ab03f0c1e9cac428d27301d002168b536c1819ce291c154c19e0c5b92ea5014230fb63090750fe36d3b653716461be5e28ff246b7d2a509fd5eea37c1aa27f2a40bb1f3562547f672703490244c443381a5c94de90a86d9dfc3e31e6816813fbe68889c1795235c7536a1bf166563c59adb384122a2a6ceb6b1f226401",
    "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",
    "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",
    "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"
  ],
  "keys_base64": [
    "wcFMA8gU+lpIh7S8AQ//RXCUvRaguT8gB0ul0oX4EELoPuWSj4JUmWrFY3obBvaBcAM1imwYntbHS21pydVaZoP7z9UXAxt3y5hyJppaHVLQkvMcbk+5YotfNioUE8DC7r77MV6b9ZgPx++v8CjMJlfU/HoA4he1tEtaJgN7n0NBnu3O52NkvLeNNCkuQdVXrp/2A2e9FjrQTFj5w35V6vZhJNjz5YNOKYUxY+nFsDC585kFvACycG0QG1WW0tcMYPu+LJ98tRwxRSyn68jbrhfUjL+YLDpdCscz9snwmp8eFSM5SJoVd0xHpjXQrrm3nObcVKgOuyxaipRVPo5zgwdCvBsgeSGkRNS1pHeBm37ii31J9Ta4rGBOmv5fV+7Z7FMBawvaEyvWd5h3Q58hM7TIfSwYHXPx0kSfyezzGsl8k7Y4T4SpalY/pmu3+FxBXfItnqdVHPXEoMXexA0aWuxHRu15MbQ6F5XD2LAIL/54DdRBu/mStEXRVyTXH+APQF/vCFq/8ey4dWvY3QrcPYkYAzMc8CnlkMwGWKMMzLN+ISLy8IduHaS1+FZlkWaxl9QPxsRE1AsCROyMy8Zxt3XGuo+8uH8x92Gr8gfpP6PYhsuryEIG0IQVu61Nay8tPkkCD0OKRCQ9f7af0Fo1QRviEf7gY3/tr0e61NYi8qfn0cs5sbIoeUJSRig5EOrScwFHbDQozX//J372v4XVJWPriNiVqv5nyHSaFMAeShPpzxAb9tAwMJ/r/eCwbLVRMblcQsd3kR7CQlDCSZs2B2qDLIIlF29rx2T3CkqTsad3rkgLkwuKb7GZQfeEXnB27bCv5qkijsdKt+JmVduAUw1VM9A=",
    "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",
    "wcFMA8lpulWTwMbeARAAw4ybLi20N5rI41RmAaxOXzOR9zUD9E2T+NKwXKl7cIlEOSPKDfVQ6z+4gK5si9/TB9L8szX1Rli6Szl7gb0sQ8oJYcKjynfdoZaIlHZPyGg+BRMgIru7yO/7fl8PezoNk8zEOJUpZZ+TE97YII10BzcPQN442sAm5R5Q9HYTPmim2bqkMdJUWlGs9uSYn3SH+/bEDIBplJYFG+IBal1J4beLfiaVuhOE3EdfrduEalafw3Mn9Mtff+XWT3Jj2x1uaWEQgUdZZpRFVeMckRTOvtb/No8xlOQ+D6lE1tNrQQGAh6schAjraeHqiPp+9dVrVKSYzL12oGIcO5MS2gdqRnQCKfLaZIpJeTqAt/HwrL29WyZObt5rAYGBD7FmK0xfLT8rJxJ4W3wuqc5luaDINfhyAqzHws9wvCOBowsY+gr5Ia4jW1kCjWSzTasxBSmLFMUaosbl0dONRFjX2vcxRRdBD9TpNFcFgu0VvNRIBzV96p9A2zLfXvRKGwYjmqXLUUwi5+bpOSc4Ayj8mjjKAxj2EuHdaFB6+8vKG3s4nWLsXCxBEsc438qvmDkGBLymI2XdjNIFklPAq1C242BL+VZFLfnGJ5GeNkbTBlIdPdU+2i3RXuB6YxP21KjeFrIejkCz3sQwHbFoxLiY3rEBIIkRem6QHn6Pq0xeczC3NrLScwFYS9ByDLuUxd34ap168mafVFJGuGD8mX7jOcLFKvdRMalGhrgVRB3q44HBXjnUwBZA6yYLmhAEqZwRgpFppXJayTtA5PmkTb/ahFv3vv72YY6m/05BM2xg4+czg1vb1YTBMl/l6ArKoD/6c1kjLZl2zwA=",
    "wcFMA2HV0H5Yb437ARAAzKN281TWhZvGcPt/hqV3S12a+LdJEpuoYsLYr81fb9cWGb0F9TkMsINyN+RV6t2QQ00cq4qwMlB7VAISCE5ONcz9DADW2GSBzbpYgy9AOBDMD+3H2bje6JstrvQAUG4aQ0gs5+JxcjdK0UCNyCDXgZ00kMTjByE+cJh7hIm8hqsZ4xjHO549kvtbtOChcs6TYwQgYlJB/StGW+5rja3fq1KRdu6OleHauO/7wrdvC6jseu4X0/5YS+VLWylYRqRUWv5TwARbAtVMauHbRZGvfVkF/flSawZlIK1QmgsK90ENt0T6ssWjOc1PNT7yfwiJna3l3xqtWPoKPJKeyhTlckOT2nIxL2GQ1RDf5wJzqYk/gXEpQX3OqmB7In55YyW6Kz3ZUVWhAC06ce+bvnk0SBqs57qe2n/mOJAJ+Yi6+uHN/rZrgkr0ORA9aWJPhvDcvpz1XhwgwIcGk/zHScTfxgXHUm30C9dVd/cDMg5dB1wa5kK6I29z9GQeGHlA8ewm437wj97Q1BEAnIM3c9ubuDnbLbQAEO6JCsGZQbg1nU54OF34do1AuqNDP5OFA6TPgX5r8PJL1HNCZ6Tp3h8pJQSYS54DgcYWIWJj5r2KPKsN1Z/2+3jTcENZKnt3HPXf+TUlbBMbO42y4bC+x0U/1kg/u+CwlFpTC4hTDmTjoLLScwHy4/mWXjyHlTYTbwLQI+0ZWS9i8bvaIyZcQFe75jQHXMB+BN5uufUjk/XIsAoZr8qme1+3ETL+hVEvU8cQUUX7oE+zENf8KCtWCnIfC8Qv0uWC27xBUy7KtC+KqjNajRzfcIRF8O7PR7geMWFldTO/cVg=",
    "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"
  ],
  "root_token": "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"
}
The output includes hexadecimal-encoded and encrypted key shares, base64-encoded and encrypted key shares, and a base64-encoded and encrypted initial root token.
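Both encodings of a share decode to the same bytes, and those bytes start with an OpenPGP Public-Key Encrypted Session Key (PKESK) packet whose header names the recipient key. The following Python is an added example (not the tutorial's or Vault's code) that checks the hex and base64 forms agree and reads the recipient key ID out of the packet header, so you can confirm that share N really was encrypted to persona N's key before handing it to their GPG container, without decrypting anything. The key ID C814FA5A4887B4BC used in the sample is the one gpg reports for Alice in the API unseal output later on this page; the packet bytes built by `build_sample_share` are constructed filler with the same layout as a share encrypted to a 4096-bit RSA key, not real ciphertext.

```python
"""Inspect a PGP-encrypted key share before routing it to a persona's GPG.

Added example, not code from the HashiCorp tutorial. Vault returns every
encrypted share twice, hex-encoded in `keys` and base64-encoded in
`keys_base64`; both decode to the same bytes, which begin with an OpenPGP
Public-Key Encrypted Session Key (PKESK) packet (RFC 4880, section 5.1).
The packet header carries the recipient key ID, so you can confirm that
share N was encrypted to persona N's key before sending it to their
GPG container, without decrypting anything.
"""
import base64
import binascii


def read_new_format_length(data: bytes, pos: int) -> tuple[int, int]:
    """Decode a new-format body length at data[pos]; return (length, body start)."""
    first = data[pos]
    if first < 192:                       # one-octet length
        return first, pos + 1
    if first < 224:                       # two-octet length, 192..8383
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    if first == 255:                      # five-octet length
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body length is not used for PKESK packets")


def parse_pkesk(data: bytes) -> dict:
    """Parse the PKESK header that starts a decoded share.

    Returns tag, body length, PKESK version, recipient key ID (upper-case hex,
    as gpg prints it) and public-key algorithm (1 = RSA).
    """
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if not ctb & 0x40:
        raise ValueError("old-format header; gpg writes PKESK with the new format")
    tag = ctb & 0x3F
    if tag != 1:
        raise ValueError(f"expected PKESK (tag 1), got tag {tag}")
    length, body = read_new_format_length(data, 1)
    version = data[body]
    if version != 3:
        raise ValueError(f"unsupported PKESK version {version}")
    return {
        "tag": tag,
        "length": length,
        "version": version,
        "key_id": data[body + 1:body + 9].hex().upper(),
        "algorithm": data[body + 9],
    }


def inspect_share(b64_share: str) -> dict:
    """Base64-decode a `keys_base64` entry (a prefix is enough) and parse its header."""
    return parse_pkesk(base64.b64decode(b64_share))


def encode_share(data: bytes) -> tuple[str, str]:
    """Encode raw share bytes the two ways Vault reports them: (hex, base64)."""
    return binascii.hexlify(data).decode(), base64.b64encode(data).decode()


def same_share(hex_share: str, b64_share: str) -> bool:
    """True when `keys[i]` and `keys_base64[i]` carry identical bytes."""
    return binascii.unhexlify(hex_share) == base64.b64decode(b64_share)


def build_sample_share(key_id_hex: str) -> bytes:
    """Constructed stand-in for a share encrypted to a 4096-bit RSA key.

    The layout matches what gpg emits for such a key: version (1) + key ID (8)
    + algorithm (1) + one RSA MPI (2 + 512) = 524 body bytes, announced with a
    two-octet new-format length (0xC1 0x4C). The MPI content is filler, not a
    real encrypted session key, and the rest of the message is omitted.
    """
    mpi = (0x0FFF).to_bytes(2, "big") + bytes((0x7F + i) % 256 for i in range(512))
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + mpi
    header = bytes([0xC1, 192 + ((len(body) - 192) >> 8), (len(body) - 192) & 0xFF])
    return header + body


if __name__ == "__main__":
    # Key ID C814FA5A4887B4BC is the one gpg reports for Alice in the
    # tutorial's API unseal output; the packet bytes themselves are constructed.
    sample = build_sample_share("C814FA5A4887B4BC")
    hex_form, b64_form = encode_share(sample)
    print(parse_pkesk(sample))
    print("hex and base64 agree:", same_share(hex_form, b64_form))
```

The first 20 base64 characters are enough for the header: `inspect_share("wcFMA8gU+lpIh7S8AQ//")`, the prefix of the first `keys_base64` entry above, reports tag 1, a 524-byte body, and key ID C814FA5A4887B4BC, which matches the key gpg names for Alice when that share is decrypted in the API unseal step below.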
Warning
The Vault UI expects base64-encoded PGP public keys without beginning or ending identifier text. If you try to use ASCII armored versions, they won't work.
Go to the web UI at http://127.0.0.1:8200.
Select Create a new Raft cluster and click Next.
In the Key shares field, enter 5.
In the Key threshold field, enter 3.
Expand Encrypt output with PGP.
Under PGP KEY 1, click the Enter as text toggle.
Go to your terminal session and copy the value of Alice's GPG public key to your system clipboard. The examples shown in this tutorial use the pbcopy command for macOS, but you can substitute pbcopy with your OS CLI clipboard command of choice instead.
$ cat "$HC_LEARN_LAB"/alice/alice_key_base64.pub | pbcopy
Return to your Vault UI browser tab and paste the value of Alice's GPG public key into the PGP KEY 1 text area.
Under PGP KEY 2, click the Enter as text toggle.
Go to your terminal session and copy the value of Bob's GPG public key to your system clipboard.
$ cat "$HC_LEARN_LAB"/bob/bob_key_base64.pub | pbcopy
Return to your Vault UI browser tab and paste the value of Bob's GPG public key into the PGP KEY 2 text area.
Under PGP KEY 3, click the Enter as text toggle.
Go to your terminal session and copy the value of Carol's GPG public key to your system clipboard.
$ cat "$HC_LEARN_LAB"/carol/carol_key_base64.pub | pbcopy
Return to your Vault UI browser tab and paste the value of Carol's GPG public key into the PGP KEY 3 text area.
Under PGP KEY 4, click the Enter as text toggle.
Go to your terminal session and copy the value of Dan's GPG public key to your system clipboard.
$ cat "$HC_LEARN_LAB"/dan/dan_key_base64.pub | pbcopy
Return to your Vault UI browser tab and paste the value of Dan's GPG public key into the PGP KEY 4 text area.
Under PGP KEY 5, click the Enter as text toggle.
Go to your terminal session and copy the value of Frank's GPG public key to your system clipboard.
$ cat "$HC_LEARN_LAB"/frank/frank_key_base64.pub | pbcopy
Return to your Vault UI browser tab and paste the value of Frank's GPG public key into the PGP KEY 5 text area.
Click Encrypt root token with PGP.
Click the Enter as text toggle.
Go to your terminal session and copy the value of Alice's GPG public key to your system clipboard.
$ cat "$HC_LEARN_LAB"/alice/alice_key_base64.pub | pbcopy
Return to your Vault UI browser tab and paste the value of Alice's GPG public key into the PGP KEY 1 text area.
Click Initialize to initialize Vault.
You've initialized Vault. It returns the GPG encrypted key shares and initial root token values.
Scroll to observe the other keys.
Click Download keys to download a JSON file with all keys and initial root token. The file will be downloaded to your browser's default downloads folder with a filename like vault-cluster-vault-2023-05-03T14_10_58.500Z.json. Your exact filename will vary, and you should use its value whenever this file is referenced in the tutorial.
Go to your terminal session and display the downloaded file's contents. Be sure to replace the example filename with your actual downloaded filename.
$ cat ~/Downloads/vault-cluster-vault-2023-05-03T14_10_58.500Z.json | jq
Expected example output:
{
  "keys": [
    "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",
    "c1c14c030e03cb762d296f27010fff6ecfb36c68ada6d8d743c8205b8a80cbd1236e65492d17f05434c1a077451bb8c8433208178be61030c523f8a4906a1ed1798de96c051c1e7d32428a4a5816931d78f14f616ac4bd22b7dc548a6c68aeda245fab82a7759e09db98deaf99fd161aaf043e6044a12b0001151409783b91df025de505e03d80962424c855d324e8bd4940c43baee652b9aba8abc253619815ab2f0f5fc51afc1588511aa3f3ba08e93d0d7e4ae9de8bb93ef0af14e06bb305118cbb3b21b27154e38f0d03d5cc326a7aaddf7da3113a59c9a424060db94fba4cc6b06d530fcd0df596c3a636da598383fabbd6afdea278c388e2a194cf4a4338a59d5430f54c3c297b0c92c8215cbfbe50a9dff0a8c4c6445925da3cb6de873d7c8d5d771078c680e27e5b3746862d726d5e3b1be29fb033b19e2aeeff8ca26b932d8574e6a87b7ef1cbff564ff1767135fcc70cc8d9e53f13471b673d878774e311e707c5d2632f78db41379eeb1542819cf0e5886c351a02d09f11a23dcc3d4695b9be55e9183faa78bbc7e2fb0fa8096b9cadeb9b2a8ebad4a20956c1e8214372506463f92220854d59bb096f29782c8eeb3417a860e226743ac50ecc41a6315e4a1046337779b038d82b4beee2b67b856d47b90331f7a2ec1ba1d85aab15e44cdecd29557182cc68c8e6be7b22cab601ac459fcd5a44255f9f0d1072df1d662da8b698fbccfdba5e2ce21c98d273014526ea27962abf1a0fe51bcec0f86a12ca0a3f07039af49c2f0bdd31bf9391735447709038a53e5ef3121556a18a48919edabc75fd068f9cd31e3f0dffb238c5a5e331796534e4d2d35ebddaed72609237da33f74f6f17815c575d962efd6024e35b8fd3d99185218fbb3dd1446f1e1c4ac5",
    "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",
    "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",
    "c1c14c03479bf58e0a14b6d3010ffe3aa66d7649cfad6cdf36c2c1554708dc1507469e2018a9865c0cd48923538f0d867b9d0707bb3e1a347b05ecb1795dc7cd017cd5d9a84dd9058db2724de6eb4332e4e0bfc8a4786f4053f118e0dcc34707b44598793742fd63a4ba41223cbdd02b69c41df366196f97ae4c19a1c6862120d6d9268b41d3c151b2f53e3524d3126ef8b41c159522eaa18197c293e131705069789bbef9867e31f48d747168e3236e1fbc26104dd1fb989c6913190c0e5242d6ad0ee210cad90859cd46000243d6f7c102493d99442aacb2baa9f428ef8eb0399022d912cf86f27c199184a94b0384063874485075ba9bee9eb3eb4cd80bfc08025b7ceabe584f4841337aa7c6b9f66e658aa4e8cbda68669b41f9c4847c930fd086a9a2ba4b37cf3c60455edba5bc9e0f2c36169594517bf867af7d166e0cab24cd65388b3fb232789cb460b7dad56f9c09814efeb471c8b32f04cce2d3098bdb4c86f58f443516e47a56884df7b1c6c7ca3240a35967521c0b164cd78b0836839bcd49ffa971cbdc4a7e1bd3a38c6cb96762692d8e2d1c6723900a926a7564a7100651cc66cf40131aa5cb5127f8720254a2e388250cac1dd0466fa17f11ff4c40d90129aaa2340c9f71e92a38f987ce06ab68ba9e1da2c44c3548e096be02a735207159b4f3cdbe73124817ba84c1acdc54216ff78e3d09081d7a02058c8a999b2eadb98cb356d1a175d62b3ad273012c0613d00a5cdc4e870fe3500a4811306308dacfcfa21d866831af532b2edf37c09aafffd3d59f0a7d950622b9891c5a6224bab494bbdf8951c489dafed305e8d49ef08479109f691aeed3ecdca0c625bb6895f48528a7c03257861db9783fb6735d90fa330700449a6e3bc6e427c2092bda"
  ],
  "keys_base64": [
    "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",
    "wcFMAw4Dy3YtKW8nAQ//bs+zbGitptjXQ8ggW4qAy9EjbmVJLRfwVDTBoHdFG7jIQzIIF4vmEDDFI/ikkGoe0XmN6WwFHB59MkKKSlgWkx148U9hasS9IrfcVIpsaK7aJF+rgqd1ngnbmN6vmf0WGq8EPmBEoSsAARUUCXg7kd8CXeUF4D2AliQkyFXTJOi9SUDEO67mUrmrqKvCU2GYFasvD1/FGvwViFEao/O6COk9DX5K6d6LuT7wrxTga7MFEYy7OyGycVTjjw0D1cwyanqt332jETpZyaQkBg25T7pMxrBtUw/NDfWWw6Y22lmDg/q71q/eonjDiOKhlM9KQzilnVQw9Uw8KXsMksghXL++UKnf8KjExkRZJdo8tt6HPXyNXXcQeMaA4n5bN0aGLXJtXjsb4p+wM7GeKu7/jKJrky2FdOaoe37xy/9WT/F2cTX8xwzI2eU/E0cbZz2Hh3TjEecHxdJjL3jbQTee6xVCgZzw5YhsNRoC0J8Roj3MPUaVub5V6Rg/qni7x+L7D6gJa5yt65sqjrrUoglWweghQ3JQZGP5IiCFTVm7CW8peCyO6zQXqGDiJnQ6xQ7MQaYxXkoQRjN3ebA42CtL7uK2e4VtR7kDMfei7Buh2FqrFeRM3s0pVXGCzGjI5r57Isq2AaxFn81aRCVfnw0Qct8dZi2otpj7zP26XiziHJjScwFFJuonliq/Gg/lG87A+GoSygo/BwOa9JwvC90xv5ORc1RHcJA4pT5e8xIVVqGKSJGe2rx1/QaPnNMePw3/sjjFpeMxeWU05NLTXr3a7XJgkjfaM/dPbxeBXFddli79YCTjW4/T2ZGFIY+7PdFEbx4cSsU=",
    "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",
    "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",
    "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"
  ],
  "root_token": "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"
}
The output includes hexadecimal-encoded and encrypted key shares, base64-encoded and encrypted key shares, and a base64-encoded and encrypted initial root token.
Copy the file to "$HC_LEARN_LAB/vault_init_output.json". Be sure to change the example filename to match your downloaded JSON filename.
$ cp ~/Downloads/vault-cluster-vault-2023-05-03T14_10_58.500Z.json "$HC_LEARN_LAB/vault_init_output.json"
Warning
The Vault UI expects base64-encoded GPG public keys. If you upload or paste ASCII armored versions, they won't work.
Go to the web UI at http://127.0.0.1:8200.
Select Create a new Raft cluster and click Next.
In the Key shares field, enter 5.
In the Key threshold field, enter 3.
Expand Encrypt output with PGP.
Under PGP KEY 1, click Choose a file...
Navigate to /tmp/learn-vault-pgp/alice in the file dialog, select the file alice_key_base64.pub, and click Open.
Under PGP KEY 2, click Choose a file...
Navigate to /tmp/learn-vault-pgp/bob in the file dialog, select the file bob_key_base64.pub, and click Open.
Under PGP KEY 3, click Choose a file...
Navigate to /tmp/learn-vault-pgp/carol in the file dialog, select the file carol_key_base64.pub, and click Open.
Under PGP KEY 4, click Choose a file...
Navigate to /tmp/learn-vault-pgp/dan in the file dialog, select the file dan_key_base64.pub, and click Open.
Under PGP KEY 5, click Choose a file...
Navigate to /tmp/learn-vault-pgp/frank in the file dialog, select the file frank_key_base64.pub, and click Open.
Click the Encrypt root token with PGP drop down.
The initial root token is encrypted with Alice's public key. Under PGP KEY 1, click Choose a file...
Navigate to /tmp/learn-vault-pgp/alice in the file dialog, select the file alice_key_base64.pub, and click Open.
Click Initialize to initialize Vault.
You've initialized Vault. It returns the GPG encrypted key shares and initial root token values.
Scroll to observe the other keys.
You are now ready to unseal and rekey Vault with the GPG encrypted key shares.
Unseal Vault with encrypted key shares
You initialized Vault, and it output the GPG encrypted unseal key shares and initial root token value.
Now you can use the encrypted key shares for Alice, Carol, and Dan to unseal Vault.
Your workflow for each encrypted unseal key is to use Base64 for decoding the Vault output value, then GPG to decrypt that decoded value. The result is an unseal key share that you can pass to Vault for rekeying or unsealing.
Tip
For the examples in this tutorial, the following passphrases are used. You need these passphrases to decrypt each of the key shares used in the following examples.
- Alice: recede-yard-unwilling-shrouded
- Bob: giggle-suing-starring-sugar
- Carol: unnerving-appealing-primarily-overload
- Dan: shawl-stem-elective-stoop
- Frank: capitol-wasting-darwinism-surcharge
Vault returned Alice's encrypted key share as the value of Unseal Key 1: when you initialized it. To make the unseal key data available for decryption, you can base64 decode it and write it to the file $HC_LEARN_LAB/alice/alice_unseal_key.dat, which gets mapped to /root/.gnupg/alice_unseal_key.dat in the GPG Docker container.
$ grep 'Unseal Key 1' "$HC_LEARN_LAB/vault_init_output.txt" \
    | awk '{print $NF}' \
    | base64 --decode > "$HC_LEARN_LAB"/alice/alice_unseal_key.dat
Carol's encrypted key share is the value of Unseal Key 3:. Base64 decode it, and write it to the file $HC_LEARN_LAB/carol/carol_unseal_key.dat, which gets mapped to /root/.gnupg/carol_unseal_key.dat in the GPG Docker container.
$ grep 'Unseal Key 3' "$HC_LEARN_LAB/vault_init_output.txt" \
    | awk '{print $NF}' \
    | base64 --decode > "$HC_LEARN_LAB"/carol/carol_unseal_key.dat
Dan's encrypted key share is the value of Unseal Key 4:. Base64 decode it, and write it to the file $HC_LEARN_LAB/dan/dan_unseal_key.dat, which gets mapped to /root/.gnupg/dan_unseal_key.dat in the GPG Docker container.
$ grep 'Unseal Key 4' "$HC_LEARN_LAB/vault_init_output.txt" \
    | awk '{print $NF}' \
    | base64 --decode > "$HC_LEARN_LAB"/dan/dan_unseal_key.dat
Define a shell alias gpg that interacts with the Docker GPG container for the Alice persona. For the purpose of this tutorial, you can pass in Alice's GPG key passphrase with the --passphrase flag.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg --passphrase=recede-yard-unwilling-shrouded --pinentry-mode=loopback"
As the Alice persona, begin the unseal operation by decrypting the encrypted unseal key with GPG, and then passing it to Vault.
$ vault operator unseal $(gpg --decrypt /root/.gnupg/alice_unseal_key.dat)
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 91002A8F909C6714, created 2023-04-17
      "Alice (Alice is a Vault PGP user) <alice@example.com>"
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       fd60be59-ccb0-7789-8f11-a7d52cff410d
Version            1.13.2
Build Date         2023-04-25T13:02:50Z
Storage Type       raft
HA Enabled         true
Update the gpg alias so that it interacts with the Docker GPG container for the Carol persona. For the purpose of this tutorial, you can pass in Carol's GPG key passphrase with the --passphrase flag.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-carol --volume $HC_LEARN_LAB/carol:/root/.gnupg vladgh/gpg --passphrase=unnerving-appealing-primarily-overload --pinentry-mode=loopback"
As the Carol persona, continue the unseal workflow by decrypting the encrypted unseal key with GPG, and then passing it to Vault.
$ vault operator unseal $(gpg --decrypt /root/.gnupg/carol_unseal_key.dat)
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID C8DFC373E8AC8E61, created 2023-04-17
      "Carol (Carol is a Vault PGP user) <carol@example.com>"
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       fd60be59-ccb0-7789-8f11-a7d52cff410d
Version            1.13.2
Build Date         2023-04-25T13:02:50Z
Storage Type       raft
HA Enabled         true
Update the gpg alias so that it interacts with the Docker GPG container for the Dan persona. For the purpose of this tutorial, you can pass in Dan's GPG key passphrase with the --passphrase flag.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-dan --volume $HC_LEARN_LAB/dan:/root/.gnupg vladgh/gpg --passphrase=shawl-stem-elective-stoop --pinentry-mode=loopback"
As the Dan persona, continue the unseal workflow by decrypting the encrypted unseal key with GPG, and then passing it to Vault.
$ vault operator unseal $(gpg --decrypt /root/.gnupg/dan_unseal_key.dat)
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 6ED85F446B6FAA27, created 2023-04-17
      "Dan (Dan is a Vault PGP user) <dan@example.com>"
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
Threshold               3
Version                 1.13.2
Build Date              2023-04-25T13:02:50Z
Storage Type            raft
Cluster Name            vault-cluster-ae243d4d
Cluster ID              51ae1a01-6ebd-1f6e-ade0-312c644278a1
HA Enabled              true
HA Cluster              n/a
HA Mode                 standby
Active Node Address     <none>
Raft Committed Index    31
Raft Applied Index      31
Vault returned Alice's encrypted key share as the value of Unseal Key 1: when you initialized it. To make the unseal key data available for decryption, you can base64 decode it and write it to the file $HC_LEARN_LAB/alice/alice_unseal_key.dat, which gets mapped to /root/.gnupg/alice_unseal_key.dat in the GPG Docker container.
$ cat "$HC_LEARN_LAB/vault_init_output.json" \
    | jq -r '.keys_base64[0]' \
    | base64 --decode > "$HC_LEARN_LAB"/alice/alice_unseal_key.dat
Carol's encrypted key share is the value of Unseal Key 3:. Base64 decode it, and write it to the file $HC_LEARN_LAB/carol/carol_unseal_key.dat, which gets mapped to /root/.gnupg/carol_unseal_key.dat in the GPG Docker container.
$ cat "$HC_LEARN_LAB/vault_init_output.json" \
    | jq -r '.keys_base64[2]' \
    | base64 --decode > "$HC_LEARN_LAB"/carol/carol_unseal_key.dat
Dan's encrypted key share is the value of Unseal Key 4. Base64 decode it, and write it to the file $HC_LEARN_LAB/dan/dan_unseal_key.dat, which is mapped to /root/.gnupg/dan_unseal_key.dat in the GPG Docker container.
$ cat "$HC_LEARN_LAB/vault_init_output.json" \
    | jq -r '.keys_base64[3]' \
    | base64 --decode > "$HC_LEARN_LAB"/dan/dan_unseal_key.dat
Define a shell alias gpg that interacts with the Docker GPG container for the Alice persona. For the purpose of this tutorial, you can pass in Alice's GPG key passphrase with the --passphrase flag.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg --passphrase=recede-yard-unwilling-shrouded --pinentry-mode=loopback"
As the Alice persona, begin the unseal operation by decrypting the encrypted unseal key with GPG, and then passing it to Vault.
$ curl \
    --silent \
    --request POST \
    --data "{\"key\": \"$(gpg --decrypt /root/.gnupg/alice_unseal_key.dat)\"}" \
    $VAULT_ADDR/v1/sys/unseal \
    | jq
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID C814FA5A4887B4BC, created 2023-05-03
      "Alice (Alice is a Vault PGP user) <alice@example.com>"
{
  "type": "shamir",
  "initialized": true,
  "sealed": true,
  "t": 3,
  "n": 5,
  "progress": 1,
  "nonce": "e7167d32-c791-6d1e-3cce-dc36b530b698",
  "version": "1.13.2",
  "build_date": "2023-04-25T13:02:50Z",
  "migration": false,
  "recovery_seal": false,
  "storage_type": "raft"
}
Update the gpg alias so that it interacts with the Docker GPG container for the Carol persona. For the purpose of this tutorial, you can pass in Carol's GPG key passphrase with the --passphrase flag.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-carol --volume $HC_LEARN_LAB/carol:/root/.gnupg vladgh/gpg --passphrase=unnerving-appealing-primarily-overload --pinentry-mode=loopback"
As the Carol persona, continue the unseal workflow by decrypting the encrypted unseal key with GPG, and then passing it to Vault.
$ curl \
    --silent \
    --request POST \
    --data "{\"key\": \"$(gpg --decrypt /root/.gnupg/carol_unseal_key.dat)\"}" \
    $VAULT_ADDR/v1/sys/unseal \
    | jq
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID C969BA5593C0C6DE, created 2023-05-03
      "Carol (Carol is a Vault PGP user) <carol@example.com>"
{
  "type": "shamir",
  "initialized": true,
  "sealed": true,
  "t": 3,
  "n": 5,
  "progress": 2,
  "nonce": "e7167d32-c791-6d1e-3cce-dc36b530b698",
  "version": "1.13.2",
  "build_date": "2023-04-25T13:02:50Z",
  "migration": false,
  "recovery_seal": false,
  "storage_type": "raft"
}
Update the gpg alias so that it interacts with the Docker GPG container for the Dan persona. For the purpose of this tutorial, you can pass in Dan's GPG key passphrase with the --passphrase flag.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-dan --volume $HC_LEARN_LAB/dan:/root/.gnupg vladgh/gpg --passphrase=shawl-stem-elective-stoop --pinentry-mode=loopback"
As the Dan persona, continue the unseal workflow by decrypting the encrypted unseal key with GPG, and then passing it to Vault.
$ curl \
    --silent \
    --request POST \
    --data "{\"key\": \"$(gpg --decrypt /root/.gnupg/dan_unseal_key.dat)\"}" \
    $VAULT_ADDR/v1/sys/unseal \
    | jq
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 61D5D07E586F8DFB, created 2023-05-03
      "Dan (Dan is a Vault PGP user) <dan@example.com>"
{
  "type": "shamir",
  "initialized": true,
  "sealed": false,
  "t": 3,
  "n": 5,
  "progress": 0,
  "nonce": "",
  "version": "1.13.2",
  "build_date": "2023-04-25T13:02:50Z",
  "migration": false,
  "cluster_name": "vault-cluster-32f2ebc5",
  "cluster_id": "75401012-76c5-0578-ed1d-0e1a650946be",
  "recovery_seal": false,
  "storage_type": "raft"
}
Vault returned Alice's encrypted key share as the 0th value of the keys_base64 array when you initialized it. To make the unseal key data available for decryption, base64 decode it and write it to the file $HC_LEARN_LAB/alice/alice_unseal_key.dat, which is mapped to /root/.gnupg/alice_unseal_key.dat in the GPG Docker container.
$ cat "$HC_LEARN_LAB/vault_init_output.json" \
    | jq -r '.keys_base64[0]' \
    | base64 --decode > "$HC_LEARN_LAB"/alice/alice_unseal_key.dat
Update the gpg alias so it interacts with the Docker GPG container for the Alice persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg --passphrase=recede-yard-unwilling-shrouded --pinentry-mode=loopback"
Decrypt Alice's unseal key and copy the resulting value to the system clipboard.
$ gpg --decrypt /root/.gnupg/alice_unseal_key.dat | pbcopy
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 7A193E1B4E184F32, created 2023-05-08
      "Alice (Alice is a Vault PGP user) <alice@example.com>"
Return to your Vault UI browser tab, and paste the value into the Unseal Key Portion text field.
Click Unseal.
Vault returned Carol's encrypted key share as the value at index 2 of the keys_base64 array. Base64 decode it, and write it to the file $HC_LEARN_LAB/carol/carol_unseal_key.dat, which is mapped to /root/.gnupg/carol_unseal_key.dat in the GPG Docker container.
$ cat "$HC_LEARN_LAB/vault_init_output.json" \
    | jq -r '.keys_base64[2]' \
    | base64 --decode > "$HC_LEARN_LAB"/carol/carol_unseal_key.dat
Update the gpg alias so it interacts with the Docker GPG container for the Carol persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-carol --volume $HC_LEARN_LAB/carol:/root/.gnupg vladgh/gpg --passphrase=unnerving-appealing-primarily-overload --pinentry-mode=loopback"
Decrypt Carol's unseal key and copy the resulting value to the system clipboard.
$ gpg --decrypt /root/.gnupg/carol_unseal_key.dat | pbcopy
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 789465A58676A024, created 2023-05-08
      "Carol (Carol is a Vault PGP user) <carol@example.com>"
Return to your Vault UI browser tab, and paste the value into the Unseal Key Portion text field.
Click Unseal.
Vault returned Dan's encrypted key share as the value at index 3 of the keys_base64 array. Base64 decode it, and write it to the file $HC_LEARN_LAB/dan/dan_unseal_key.dat, which is mapped to /root/.gnupg/dan_unseal_key.dat in the GPG Docker container.
$ cat "$HC_LEARN_LAB/vault_init_output.json" \
    | jq -r '.keys_base64[3]' \
    | base64 --decode > "$HC_LEARN_LAB"/dan/dan_unseal_key.dat
Update the gpg alias so it interacts with the Docker GPG container for the Dan persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-dan --volume $HC_LEARN_LAB/dan:/root/.gnupg vladgh/gpg --passphrase=shawl-stem-elective-stoop --pinentry-mode=loopback"
Decrypt Dan's unseal key and copy the resulting value to the system clipboard.
$ gpg --decrypt /root/.gnupg/dan_unseal_key.dat | pbcopy
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 36A87C11411C470D, created 2023-05-08
      "Dan (Dan is a Vault PGP user) <dan@example.com>"
Return to your Vault UI browser tab, and paste the value into the Unseal Key Portion text field.
Click Unseal.
The Sign in to Vault dialog appears.
Sign in with initial root token
Recall that Alice's GPG public key was used to encrypt the initial root token value. Follow these steps to decrypt the key and use it to sign in to the Vault UI.
Perform these steps as the Alice persona.
Update the gpg alias so that it interacts with the Docker GPG container for the Alice persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg --passphrase=recede-yard-unwilling-shrouded --pinentry-mode=loopback"
Base64 decode the encrypted initial root token value, and write it to the file $HC_LEARN_LAB/alice/initial_root_token.dat, which is mapped to /root/.gnupg/initial_root_token.dat in the GPG Docker container.
$ cat "$HC_LEARN_LAB"/vault_init_output.json \
    | jq -r '.root_token' \
    | base64 --decode > "$HC_LEARN_LAB"/alice/initial_root_token.dat
Decrypt the encrypted initial root token value and copy it to the system clipboard.
$ gpg --decrypt /root/.gnupg/initial_root_token.dat | pbcopy
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 7A193E1B4E184F32, created 2023-05-08
      "Alice (Alice is a Vault PGP user) <alice@example.com>"
Return to your Vault UI browser tab, and paste the initial root token value into the Token field.
Click Sign in.
You are signed in to the Vault UI with the initial root token.
You've unsealed the Vault server with GPG encrypted unseal key shares. You also decrypted the encrypted initial root token value and used it to sign in to the Vault UI.
In the next section, you'll learn how to rekey Vault with encrypted key shares.
Rekey Vault with encrypted key shares
Now that you've experienced unsealing Vault with encrypted key shares, you're ready to try rekeying Vault with those same encrypted key shares.
Rekeying Vault requires a token with capabilities to POST against the /sys/rekey/ API endpoints. In this tutorial, you'll use the initial root token value for this token.
Perform these steps as the Alice persona.
Update the gpg alias so that it interacts with the Docker GPG container for the Alice persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg --passphrase=recede-yard-unwilling-shrouded --pinentry-mode=loopback"
Base64 decode the initial root token value, and write it to the file $HC_LEARN_LAB/alice/initial_root_token.dat, which is mapped to /root/.gnupg/initial_root_token.dat in the GPG Docker container.
$ grep 'Initial Root Token' "$HC_LEARN_LAB/vault_init_output.txt" \
    | awk '{print $NF}' \
    | base64 --decode > "$HC_LEARN_LAB"/alice/initial_root_token.dat
Decrypt the encrypted initial root token value and export the result as the VAULT_TOKEN environment variable.
$ export VAULT_TOKEN=$(gpg --decrypt /root/.gnupg/initial_root_token.dat)
Expected example output:
gpg: encrypted with 4096-bit RSA key, ID C814FA5A4887B4BC, created 2023-05-03
      "Alice (Alice is a Vault PGP user) <alice@example.com>"
Start the rekey workflow. Use the -backup option to save the encrypted keys in Vault's core, so that you can still recover them if they are lost.
$ vault operator rekey \
    -init \
    -backup \
    -key-shares=5 \
    -key-threshold=3 \
    -pgp-keys "$HC_LEARN_LAB/alice/alice_key_base64.pub,$HC_LEARN_LAB/bob/bob_key_base64.pub,$HC_LEARN_LAB/carol/carol_key_base64.pub,$HC_LEARN_LAB/dan/dan_key_base64.pub,$HC_LEARN_LAB/frank/frank_key_base64.pub"
Example expected output:
Key                     Value
---                     -----
Nonce                   216100bc-fa97-6ce6-dacd-e774a2635175
Started                 true
Rekey Progress          0/3
New Shares              5
New Threshold           3
Verification Required   false
PGP Fingerprints        [4f00b90c33fc6a47de9a4285fc43d002393b1f85 257fc6c27bdb928f101761cca5a489753448f1bd 3215732ef11181a20a742dfd8864f87b373ebdc0 93a9c4a954ae96b116696378f113d94f46774c5b eed03eb4be75d8657d2abb710aaa36867906299f]
Backup                  true
Store the returned nonce value in an environment variable.
Example:
$ export REKEY_NONCE="216100bc-fa97-6ce6-dacd-e774a2635175"
Where 216100bc-fa97-6ce6-dacd-e774a2635175 is the nonce value returned to you.
Each of the 3 personas holding a quorum of key shares must now submit their decrypted key share. As the Alice persona, execute the rekey command to submit Alice's unseal key share.
$ vault operator rekey \
    -nonce $REKEY_NONCE \
    $(gpg --decrypt /root/.gnupg/alice_unseal_key.dat)
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 4819B20CE84021D4, created 2023-05-04
      "Alice (Alice is a Vault PGP user) <alice@example.com>"
Key                     Value
---                     -----
Nonce                   216100bc-fa97-6ce6-dacd-e774a2635175
Started                 true
Rekey Progress          1/3
New Shares              5
New Threshold           3
Verification Required   false
PGP Fingerprints        [4f00b90c33fc6a47de9a4285fc43d002393b1f85 257fc6c27bdb928f101761cca5a489753448f1bd 3215732ef11181a20a742dfd8864f87b373ebdc0 93a9c4a954ae96b116696378f113d94f46774c5b eed03eb4be75d8657d2abb710aaa36867906299f]
Backup                  true
The Rekey Progress now shows 1/3.
Perform these steps as the Carol persona.
Update the gpg alias so that it interacts with the Docker GPG container for the Carol persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-carol --volume $HC_LEARN_LAB/carol:/root/.gnupg vladgh/gpg --passphrase=unnerving-appealing-primarily-overload --pinentry-mode=loopback"
Execute the rekey command to submit Carol's unseal key share.
$ vault operator rekey \
    -nonce $REKEY_NONCE \
    $(gpg --decrypt /root/.gnupg/carol_unseal_key.dat)
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 01BE679ED28EE728, created 2023-05-04
      "Carol (Carol is a Vault PGP user) <carol@example.com>"
Key                     Value
---                     -----
Nonce                   216100bc-fa97-6ce6-dacd-e774a2635175
Started                 true
Rekey Progress          2/3
New Shares              5
New Threshold           3
Verification Required   false
PGP Fingerprints        [4f00b90c33fc6a47de9a4285fc43d002393b1f85 257fc6c27bdb928f101761cca5a489753448f1bd 3215732ef11181a20a742dfd8864f87b373ebdc0 93a9c4a954ae96b116696378f113d94f46774c5b eed03eb4be75d8657d2abb710aaa36867906299f]
Backup                  true
The Rekey Progress now shows 2/3.
Perform these steps as the Dan persona.
Update the gpg alias so that it interacts with the Docker GPG container for the Dan persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-dan --volume $HC_LEARN_LAB/dan:/root/.gnupg vladgh/gpg --passphrase=shawl-stem-elective-stoop --pinentry-mode=loopback"
Execute the rekey command to submit Dan's unseal key share.
$ vault operator rekey \
    -nonce $REKEY_NONCE \
    $(gpg --decrypt /root/.gnupg/dan_unseal_key.dat)
Example expected output (the encrypted key share values are elided here):
gpg: encrypted with 4096-bit RSA key, ID CBA9F148AAEB2F20, created 2023-05-04
      "Dan (Dan is a Vault PGP user) <dan@example.com>"
Key 1 fingerprint: 4f00b90c33fc6a47de9a4285fc43d002393b1f85; value: ...
Key 2 fingerprint: 257fc6c27bdb928f101761cca5a489753448f1bd; value: ...
Key 3 fingerprint: 3215732ef11181a20a742dfd8864f87b373ebdc0; value: ...
Key 4 fingerprint: 93a9c4a954ae96b116696378f113d94f46774c5b; value: ...
Key 5 fingerprint: eed03eb4be75d8657d2abb710aaa36867906299f; value: ...

Operation nonce: 216100bc-fa97-6ce6-dacd-e774a2635175

The encrypted unseal keys are backed up to "core/unseal-keys-backup" in the storage backend. Remove these keys at any time using "vault operator rekey -backup-delete". Vault does not automatically remove these keys.

Vault unseal keys rekeyed with 5 key shares and a key threshold of 3. Please securely distribute the key shares printed above. When Vault is re-sealed, restarted, or stopped, you must supply at least 3 of these keys to unseal it before it can start servicing requests.
You have rekeyed Vault with encrypted key shares using the CLI. Vault returns the new base64-encoded and encrypted key shares. It also makes a backup of the keys, and stores them in Vault storage.
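The unseal and rekey procedures above are both quorum loops over the same API shape: submit one decrypted share per call, track progress, and stop when Vault reports the operation done. The following added example (not code from the tutorial or from HashiCorp) drives both loops from the client side and enforces the nonce check the CLI and API notes rely on. It assumes an injected transport in place of curl (real use: POST to $VAULT_ADDR/v1/<path>, with the X-Vault-Token header on the rekey endpoints) and a constructed FakeVault that mimics the response fields shown in the example output.

```python
"""Client-side driver for Vault's unseal and rekey quorum workflows (added example).

The HTTP layer is an injected callable, so the logic runs offline against the
constructed FakeVault below; share values and public keys are placeholders.
"""
from typing import Callable, List, Optional


class QuorumError(Exception):
    """A multi-share operation could not be completed safely."""


def build_rekey_init_payload(pgp_keys: List[str], shares: int, threshold: int,
                             backup: bool = False) -> dict:
    """Payload for POST /sys/rekey/init, validated locally before it is sent."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the share count")
    if len(pgp_keys) != shares:
        raise ValueError("exactly one PGP public key is required per key share")
    return {"secret_shares": shares, "secret_threshold": threshold,
            "pgp_keys": list(pgp_keys), "backup": backup}


def submit_shares(transport: Callable[[str, dict], dict], path: str,
                  shares: List[str], nonce: Optional[str] = None) -> dict:
    """Feed decrypted shares to "sys/unseal" or "sys/rekey/update" until done.

    Each response nonce is compared with the operation in progress: a changed
    nonce means the operation was reset, so shares already submitted no longer
    count and we stop rather than feed more into the new one. For rekey, pass
    the nonce from /sys/rekey/init; for unseal, Vault assigns one on the first share.
    """
    progress = 0
    for share in shares:
        body = {"key": share} if nonce is None else {"key": share, "nonce": nonce}
        resp = transport(path, body)
        if resp.get("errors"):                      # Vault's error envelope
            raise QuorumError(f"{path}: {resp['errors']}")
        if path == "sys/unseal" and resp.get("sealed") is False:
            return resp                             # quorum met, Vault unsealed
        if path != "sys/unseal" and resp.get("complete"):
            return resp                             # quorum met, new shares issued
        seen = resp.get("nonce")
        if nonce is None:
            nonce = seen
        elif seen != nonce:
            raise QuorumError(f"nonce changed from {nonce} to {seen}: "
                              "operation was reset, submitted shares are void")
        progress = resp.get("progress", progress)
    raise QuorumError(f"ran out of shares at progress {progress}")


class FakeVault:
    """Constructed stand-in for a sealed Vault (5 shares, threshold 3); it does
    not check shares cryptographically, which is all an offline run needs."""
    def __init__(self, t: int = 3, n: int = 5) -> None:
        self.t, self.n = t, n
        self.sealed, self.progress, self.nonce = True, 0, ""
        self.rekey: Optional[dict] = None

    def __call__(self, path: str, body: dict) -> dict:
        if path == "sys/unseal":
            self.nonce = self.nonce or "unseal-nonce-1"
            self.progress += 1
            if self.progress >= self.t:             # threshold met: unseal, reset
                self.sealed, self.progress, self.nonce = False, 0, ""
            return {"type": "shamir", "sealed": self.sealed, "t": self.t,
                    "n": self.n, "progress": self.progress, "nonce": self.nonce}
        if path == "sys/rekey/init":
            self.rekey = {"nonce": "rekey-nonce-1", "progress": 0,
                          "t": body["secret_threshold"], "n": body["secret_shares"]}
            return dict(self.rekey, started=True, backup=body.get("backup", False))
        if path == "sys/rekey/update":
            if self.rekey is None or body.get("nonce") != self.rekey["nonce"]:
                return {"errors": ["incorrect nonce supplied"]}
            self.rekey["progress"] += 1
            if self.rekey["progress"] >= self.rekey["t"]:
                n, self.rekey = self.rekey["n"], None
                return {"complete": True, "keys": ["<new encrypted share>"] * n}
            return dict(self.rekey)
        return {"errors": [f"unsupported path {path}"]}


def demo() -> dict:
    """Unseal a constructed Vault with a 3-of-5 quorum, then rekey it."""
    vault = FakeVault()
    # Real shares come from each persona's `gpg --decrypt`; these are constructed.
    quorum = ["share-alice", "share-carol", "share-dan"]
    unsealed = submit_shares(vault, "sys/unseal", quorum)
    pubkeys = ["pk-alice", "pk-bob", "pk-carol", "pk-dan", "pk-frank"]
    started = vault("sys/rekey/init", build_rekey_init_payload(pubkeys, 5, 3))
    done = submit_shares(vault, "sys/rekey/update", quorum, nonce=started["nonce"])
    return {"sealed": unsealed["sealed"], "rekey_complete": done["complete"],
            "new_shares": len(done["keys"])}
```

In real use, hand each decrypted share to the transport from a pipe or file rather than a command-line argument, since process arguments are readable by other local users.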
Complete these steps as the Alice persona.
Rekeying Vault requires a token with capabilities to make POST calls against the /sys/rekey/ API endpoints. In this tutorial, you will use the initial root token value for this token.
Update the gpg alias so that it interacts with the Docker GPG container for the Alice persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-alice --volume $HC_LEARN_LAB/alice:/root/.gnupg vladgh/gpg --passphrase=recede-yard-unwilling-shrouded --pinentry-mode=loopback"
Base64 decode the initial root token value, and write it to the file $HC_LEARN_LAB/alice/initial_root_token.dat, which is mapped to /root/.gnupg/initial_root_token.dat in the GPG Docker container.
$ cat "$HC_LEARN_LAB/vault_init_output.json" \
    | jq -r '.root_token' \
    | base64 --decode > "$HC_LEARN_LAB"/alice/initial_root_token.dat
Decrypt the encrypted initial root token value and export the result as the VAULT_TOKEN environment variable.
$ export VAULT_TOKEN=$(gpg --decrypt /root/.gnupg/initial_root_token.dat)
Expected example output:
gpg: encrypted with 4096-bit RSA key, ID C814FA5A4887B4BC, created 2023-05-03
      "Alice (Alice is a Vault PGP user) <alice@example.com>"
Generate a JSON payload for the rekey API call. It holds the base64-encoded PGP public keys that will encrypt the new key shares, the key share count, and the key share threshold.
$ cat > "$HC_LEARN_LAB"/rekey_payload.json << EOF
{
  "pgp_keys": ["$(cat $HC_LEARN_LAB/alice/alice_key_base64.pub)","$(cat $HC_LEARN_LAB/bob/bob_key_base64.pub)","$(cat $HC_LEARN_LAB/carol/carol_key_base64.pub)","$(cat $HC_LEARN_LAB/dan/dan_key_base64.pub)","$(cat $HC_LEARN_LAB/frank/frank_key_base64.pub)"],
  "root_token_pgp_key": "$(cat $HC_LEARN_LAB/alice/alice_key_base64.pub)",
  "secret_shares": 5,
  "secret_threshold": 3
}
EOF
Start the rekey workflow.
$ curl --silent --request POST --data @"$HC_LEARN_LAB"/rekey_payload.json \
    $VAULT_ADDR/v1/sys/rekey/init \
    | jq
Example expected output:
{
  "nonce": "a4b5a516-061e-3af9-b638-186ed9522753",
  "started": true,
  "t": 3,
  "n": 5,
  "progress": 0,
  "required": 3,
  "pgp_fingerprints": [
    "f744a6bce8eaf16b17ca290a9c605bef5060e09e",
    "d080659a28b82cc98f5e102f729e1ba96293b8a3",
    "019b3abd0093a98a2b7c9137ec146dc1dec3cd4c",
    "c9ff9d0f8adad6a8b1b6cec597114fda03ad5265",
    "608ab07614cfd1d61b096a7db6e85c2e054c2c51"
  ],
  "backup": false,
  "verification_required": false
}
You will use the returned nonce value to rekey Vault.
Each of the 3 personas holding a quorum of key shares must now submit their decrypted key share. As the Alice persona, call the rekey update API to submit Alice's unseal key share.
$ curl --silent --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data "{\"key\": \"$(gpg --decrypt /root/.gnupg/alice_unseal_key.dat)\",\"nonce\": \"a4b5a516-061e-3af9-b638-186ed9522753\"}" \
    $VAULT_ADDR/v1/sys/rekey/update \
    | jq
Note: Be sure to replace a4b5a516-061e-3af9-b638-186ed9522753 with the actual "nonce" value returned to you.
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID C814FA5A4887B4BC, created 2023-05-03
      "Alice (Alice is a Vault PGP user) <alice@example.com>"
{
  "nonce": "a4b5a516-061e-3af9-b638-186ed9522753",
  "started": true,
  "t": 3,
  "n": 5,
  "progress": 1,
  "required": 3,
  "pgp_fingerprints": [
    "f744a6bce8eaf16b17ca290a9c605bef5060e09e",
    "d080659a28b82cc98f5e102f729e1ba96293b8a3",
    "019b3abd0093a98a2b7c9137ec146dc1dec3cd4c",
    "c9ff9d0f8adad6a8b1b6cec597114fda03ad5265",
    "608ab07614cfd1d61b096a7db6e85c2e054c2c51"
  ],
  "backup": false,
  "verification_required": false
}
The rekey progress now shows 1.
Complete these steps as the Carol persona.
Update the gpg alias so that it interacts with the Docker GPG container for the Carol persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-carol --volume $HC_LEARN_LAB/carol:/root/.gnupg vladgh/gpg --passphrase=unnerving-appealing-primarily-overload --pinentry-mode=loopback"
Call the rekey update API to submit Carol's unseal key share.
$ curl --silent --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data "{\"key\": \"$(gpg --decrypt /root/.gnupg/carol_unseal_key.dat)\",\"nonce\": \"a4b5a516-061e-3af9-b638-186ed9522753\"}" \
    $VAULT_ADDR/v1/sys/rekey/update \
    | jq
Note: Be sure to replace a4b5a516-061e-3af9-b638-186ed9522753 with the actual "nonce" value returned to you.
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID C969BA5593C0C6DE, created 2023-05-03
      "Carol (Carol is a Vault PGP user) <carol@example.com>"
{
  "nonce": "a4b5a516-061e-3af9-b638-186ed9522753",
  "started": true,
  "t": 3,
  "n": 5,
  "progress": 2,
  "required": 3,
  "pgp_fingerprints": [
    "f744a6bce8eaf16b17ca290a9c605bef5060e09e",
    "d080659a28b82cc98f5e102f729e1ba96293b8a3",
    "019b3abd0093a98a2b7c9137ec146dc1dec3cd4c",
    "c9ff9d0f8adad6a8b1b6cec597114fda03ad5265",
    "608ab07614cfd1d61b096a7db6e85c2e054c2c51"
  ],
  "backup": false,
  "verification_required": false
}
The rekey progress now shows 2.
Complete these steps as the Dan persona.
Update the gpg alias so that it interacts with the Docker GPG container for the Dan persona.
$ alias gpg="docker run --rm --env GPG_TTY=/dev/console --name learn-vault-gpg-dan --volume $HC_LEARN_LAB/dan:/root/.gnupg vladgh/gpg --passphrase=shawl-stem-elective-stoop --pinentry-mode=loopback"
Call the rekey update API to submit Dan's unseal key share.
$ curl --silent --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data "{\"key\": \"$(gpg --decrypt /root/.gnupg/dan_unseal_key.dat)\",\"nonce\": \"a4b5a516-061e-3af9-b638-186ed9522753\"}" \
    $VAULT_ADDR/v1/sys/rekey/update \
    | jq
Note: Be sure to replace a4b5a516-061e-3af9-b638-186ed9522753 with the actual "nonce" value returned to you.
Example expected output:
gpg: encrypted with 4096-bit RSA key, ID 61D5D07E586F8DFB, created 2023-05-03 "Dan (Dan is a Vault PGP user) <dan@example.com>"
{
  "nonce": "a4b5a516-061e-3af9-b638-186ed9522753",
  "complete": true,
  "keys": [
    "c1c14c03c814fa5a4887b4bc01100096cbdecaba697f26ed015b4a6877e8371c87ebca0aee8feb02621d775ee7eca1b67d753bf2698b872934a94960d78b38a4b0cf6781c36d524f1f15e04fbfae7a027568d9c8f1bead51b151fbf80a79013b64fff29244de03a39a8e6248507938a65f80a64e2673a02711cdabd950d557a0858baf79b6a440085255475e1d6be01d02ee064448a8bf9b6f8a4964e32a9626ff4694a5324036ef54d71348692474291193989661dae5efe62766711c32d1bcc629c48576e2d58f78be8492988546cdeb0c71afb7cd99156ceda2e4d7bb4073923d8df1e533894e399ebc8de0d104c30c4a907a6809023c6a48f8769da58a90e345c33b84fa09a55627a237056e06d160beab66c560cebbdd37afec28336e38fc1f4984a27c7f674cc816d50e0559332e02f13aa9308263d46b266f5b7154c8f1daa430d4dcbf5e0f54be4b919eb33e2744b5aef3c2c52812e1003e856c3fc1482c267affd2eb6d5a4f032eaaa27f8c8fa40719f77a73bb06485dc10ffe805f005e818f1e5dc05d3c0d5edeee973bb4e385dee93d84f36c729fd534011c47fb1d0f85abcba9247a8ce86c763aaf720f0cad3a7742c981e7d8560269adc9beee60cdb757822b8959eed4d887f2c630a47ac7e9047e8f1cc6e556850aabccbe756230b44e6b1803ed6e133ac2c3d208ad1ab8527fa0d27cb690bcfa2d7812c91d2701597f8a7578efcba62f3dcbed34d27301ea9dfb0e0cfd8720a5934cfd5a6e4168263c150cb626221d5d28635c7307da2e4ed56846e860c81d416d825fe10a26cba7f2043b5210c9d6e007ffa1f5bc2e43c8aeaabbaafe902a1383e8a22adc063cf3d842681f2f4f1405610e8ee26efb502e19e6760f2b1f70a639f2b3d1a0996e6e01",
    "<value missing from page extract>",
    "c1c14c03c969ba5593c0c6de010fff6506ef354a393af532d5a9068bbdbd33315a59d70ac0a5f82e88ba5b7f913455410795b4c13336feeddda76bbbb7d49f3c1ecd0d6d3cdbe0bda92e0725d5fac41a87530a3a5c84b97d42e5a63c6dc02033254599287e551b74217eb0fc05a6d4a7e99186e01094438136554b240271bc820ab45e344b0ecb2ad9afe6b2171fc5ff2060b40842aa9a7c5bd6e73a1fea71dd465ff5f5128759ed7c7af0ed1b441aa738d463c2b7adb81e630c239aad684a647da47bf171c122f263d47d745ff06569c036e0cc80cb97dc4f41b55b3b0217804b21ce39224794359e0e6d76dc949208f55403e655119d77def367f879fe434ac2ffe0808d9b27f4701eb366af5ee517e06c5211647bcad43bddf0973e4a8302d9676a581f79103a3c65ac0d1b634462a4baf91f5450512087d698c32bbe968d7dc0595e58d31a49c7857b18975b79bfa1cd5bdafadebdb082d71f1023006e6a5fd0b4b882f51fe101cc1aef423313d60c7d1749415354692f74c9f1b3b423b265b62c2f314d85fd33997ddb662b9a7ef026636be4092fc6fbe8aeb80839b2784893148cd9bf1bc2cb9ead348be68165d155c0b679bfd2dfc9620fa76a6db4e8c1bca01fc3972b483a94b612cd62635efdc9ab976f3e9b4d2273bb144be88c4d2b286d46580df71d03bc3e944e1e90d0f37a5964db5f24469ceeb660ccfde9518a51612f2f212d98590956eba0596cd27301ad3c5658bb2182201012861a732661db58d5a733b06044669c9bf4a3810b459f08d718b3ae083c8ecebdae3a617917543bc397830917900cc2349d1f91f4177f70068d94fccfb601c00c7293d0f9e41626912570fed67b398e5c498212897d104c03202e2d15ffb9de884bc2ab6c72aa2d14",
    "c1c14c0361d5d07e586f8dfb010ffb07fd734d2fc7714c3b3eb828e36fb9a7c56f8c87684125febe1a93b994d34822c9236efada6fb27e9f64c9c25a1fe9aad23e73392eec1812b312314eeb2fbec1d29e08dbfaeb75d883c1ef436fee87377b0fc08a63da6122ba0edef3c3f347f651e459668c7c9f9b6eadaa5942045d5fddf979dbad3561194290f2a83b38bf3f70c9dd72635b3cf0c5d916e461282ba3c245a7a8368cb2c9a30e4cfccbc61629bf81c98cb8b0862c7da3e7f8bc6351458c662d47af14a18dcd4cf85585207c799e2874bcfbcaac251374d3103676ccb2b37cf2a4037c0c246cf39a19b845767c822031259ca69d69451e543ae7dd267be5686030a0352e8997b620171b250ad135cbfd174655278f2181e9855976df33d6b4419a1e9bcda19901df11a52f3f964c6c310efae3b233c148d4ad6d74a553e19ac7e420ff4f8e4fd17d8160b8e62b67cb70c29205c533f5baefb83b0a355ea7c5b046e0f7fa365ae6300772c671b192151f3713054b443bd2be8d2a750d94ac5f3e5d9cd478686448f4214b5190cc74af19d2985d350e4c0244a86ad276a5895c513b4ae066ced966c162aca7ea86df1708a4a796d2d6e97755727937220f14168d93fae69ff06e769e75c7fb6fc0c3b1f9f0eba4e10d0ad674b7b47d674a4dd912561e9ee89326cd4c76d245ace95203fdb68ed441106e74175988edea3019b6deecb3fa2ff29ab49d00c734b8f8d2730132a632aa2053bea512d28ee246b6a7f43ad8ca0af06abd09375bd8b816aefac66c32bc0609b3af39cd1d3643515c9b0d87e917d2e1c8085319a27cf48fbdcfabfc0b7d30a2050aae79e5e5a51c9bae319ec1cd7087398e832cae20b3809714cd669d19f2a4aa21e4323be14938b82f5cabad",
    "c1c14c03b2f384f3a3f054130110009da150b2a49c19b37e595a619948bc70728883c47f6e750e21a7b14c28bf7024f99213cde5c1de0b98a3523e841f142b46fb434aeb4263238db71adf4e85bd8fb552c2c42d361d8eec385bf420544c08b485ce89f898db15f6327e81a4cedf45570cb0fad7bcaf59327db7c17798dc68eaa50d899a3ae93e2c59ac10815a830c0dd271c3f17f59660eeb0e877401cf5700e71fc1fabc12b5aabf6b912e89f27ed723b9c22e878790d96788e79e2f2258c4297e3258b7aacf4528e07adee8478b3542bbc02508776c820dd97dfdc6cbbf703bd49d310e435821b10f12358f01f21c36e8ae5ff138f392f8bcfcac20c0dd44608c1bec8fa62a86c3c8df2a54f228272cf71258491438d0f146b5fda978bf93e09db34c21465726cf0bdd0f5f068000940052551cd1f8864ea3f4c9ee6cc6bb71cdcffcbbf736060e36d8aa6a62ea1d02fa34d801326c3f41a8b0b3f5b43a3f8fdc448a1b6a57d1a05e68506ceb24a9027d9a8c3785f241932f16bc89cf849cde4c408824fb2648b72c2414635309d26516577a1231ce5080d9b0b41ae2e9c769f251e803ecfe6b636214389805b8e62e0e9c8d71f3f555c10b3cce426a91356fdd8d570e30a51103edadac8235d95604cf681f8117f7fc7c05c52200f42b2ac84679de034c05e251624ec623df883657a44646d7cbfa9139e35f256641619d8ded14803860cd8eedc29d296d589ad2730185e61a1a24a03684066dc48405e4fc45f210e0187460ef8089800db064d87a96206ec16787c984d032c322870bfd06839ecfde878d971c46916a3af86d45eae96b562deeb5efbfba4ed27a567a462b083f6bbcacb90a68de75fea75dd35ded29e7640302aa51e955ade1480a2c210d2567fc"
  ],
  "keys_base64": [
    "<value missing from page extract>",
    "wcFMA2JC3z13k7o2AQ//Zh1Kbhn0GCIKVfJF5QOleZa33451RYfp9QPnMLUcKUrEfffEkllXYzFm8vT8WvqrFfMYqTdwVseY2W0YpkrU2hLj9beARyo5M5Gyj2ZrFHGTUGPoVRpQcydoOv1bdG4/di2jQ+bMR6ZeEThkZw7cw1qOKwpdXdvXYH8P7riH/2sdm2VNzcG9mQ0Pwkt0/7PFDcd0vCCotXTBwS9Aug0NaWCtyVb+LDtt00BhO8Txch1agokmEXRl3rry5NWt3fE8n3hsS/FllIdfRpE1A/8opb1qK7rYXtYrZS0+aq2Jf9rvTgJvTY4kqMQCwHQxuHarDJuDJvkg17bRxX8FnMN02UOVLi24MR8SM6fHykKmPkjbsjNVviOtXSdvjfdurfpENyGGBXZCN0YUWFmQQ5QiNGUebaB/RTms/xyv1+cSe7QLFV1e7O7as0LKb5XMYY6OZyIaEmfp/l0dWihAK51Jyeev77oSKzUFdwo3G7hT1Tw4pf5fZpWo4/gA+IZ06/rT+xaA/w4SATfpr3G28halotPOZhuLF3KW0LWC4yG5msYQyZFE8TmdN/m81VmIqrQhlYjYykZ2Dt2TucKOVj7RgmoozmJuJSYFdytbYb1VuV59KGDc/hM3dGx2EtAtBSvt7380NIwcDs6Lu/Pjq4GosX2BdJ0SnrU+PPIAYe4hbZPScwFf0ZzUJ88vexHNzmqlYXuotAmdvArtvnakOFw/I9z6MW/9Gkc2JA9pGyvCmf3I99d5QK9DvCSIyabRFmyRNGHvxLFEio6+IbTOXdtnct1b0yPwGiT+/VqprCRs4eKX5/K0cQqN9iTP9kExyFH1uYbClW0=",
    "<value missing from page extract>",
    "wcFMA2HV0H5Yb437AQ/7B/1zTS/HcUw7Prgo42+5p8VvjIdoQSX+vhqTuZTTSCLJI2762m+yfp9kycJaH+mq0j5zOS7sGBKzEjFO6y++wdKeCNv663XYg8HvQ2/uhzd7D8CKY9phIroO3vPD80f2UeRZZox8n5turapZQgRdX935edutNWEZQpDyqDs4vz9wyd1yY1s88MXZFuRhKCujwkWnqDaMssmjDkz8y8YWKb+ByYy4sIYsfaPn+LxjUUWMZi1HrxShjc1M+FWFIHx5nih0vPvKrCUTdNMQNnbMsrN88qQDfAwkbPOaGbhFdnyCIDElnKadaUUeVDrn3SZ75WhgMKA1LomXtiAXGyUK0TXL/RdGVSePIYHphVl23zPWtEGaHpvNoZkB3xGlLz+WTGwxDvrjsjPBSNStbXSlU+Gax+Qg/0+OT9F9gWC45itny3DCkgXFM/W677g7CjVep8WwRuD3+jZa5jAHcsZxsZIVHzcTBUtEO9K+jSp1DZSsXz5dnNR4aGRI9CFLUZDMdK8Z0phdNQ5MAkSoatJ2pYlcUTtK4GbO2WbBYqyn6obfFwikp5bS1ul3VXJ5NyIPFBaNk/rmn/Budp51x/tvwMOx+fDrpOENCtZ0t7R9Z0pN2RJWHp7okybNTHbSRazpUgP9to7UQRBudBdZiO3qMBm23uyz+i/ymrSdAMc0uPjScwEypjKqIFO+pRLSjuJGtqf0OtjKCvBqvQk3W9i4Fq76xmwyvAYJs685zR02Q1Fcmw2H6RfS4cgIUxmifPSPvc+r/At9MKIFCq555eWlHJuuMZ7BzXCHOY6DLK4gs4CXFM1mnRnypKoh5DI74Uk4uC9cq60=",
    "wcFMA7LzhPOj8FQTARAAnaFQsqScGbN+WVphmUi8cHKIg8R/bnUOIaexTCi/cCT5khPN5cHeC5ijUj6EHxQrRvtDSutCYyONtxrfToW9j7VSwsQtNh2O7Dhb9CBUTAi0hc6J+JjbFfYyfoGkzt9FVwyw+te8r1kyfbfBd5jcaOqlDYmaOuk+LFmsEIFagwwN0nHD8X9ZZg7rDod0Ac9XAOcfwfq8ErWqv2uRLonyftcjucIuh4eQ2WeI554vIljEKX4yWLeqz0Uo4Hre6EeLNUK7wCUId2yCDdl9/cbLv3A71J0xDkNYIbEPEjWPAfIcNuiuX/E485L4vPysIMDdRGCMG+yPpiqGw8jfKlTyKCcs9xJYSRQ40PFGtf2peL+T4J2zTCFGVybPC90PXwaAAJQAUlUc0fiGTqP0ye5sxrtxzc/8u/c2Bg422KpqYuodAvo02AEybD9BqLCz9bQ6P4/cRIobalfRoF5oUGzrJKkCfZqMN4XyQZMvFryJz4Sc3kxAiCT7Jki3LCQUY1MJ0mUWV3oSMc5QgNmwtBri6cdp8lHoA+z+a2NiFDiYBbjmLg6cjXHz9VXBCzzOQmqRNW/djVcOMKURA+2trII12VYEz2gfgRf3/HwFxSIA9CsqyEZ53gNMBeJRYk7GI9+INlekRkbXy/qROeNfJWZBYZ2N7RSAOGDNju3CnSltWJrScwGF5hoaJKA2hAZtxIQF5PxF8hDgGHRg74CJgA2wZNh6liBuwWeHyYTQMsMihwv9BoOez96HjZccRpFqOvhtRerpa1Yt7rXvv7pO0npWekYrCD9rvKy5Cmjedf6nXdNd7SnnZAMCqlHpVa3hSAosIQ0lZ/w="
  ],
  "pgp_fingerprints": [
    "f744a6bce8eaf16b17ca290a9c605bef5060e09e",
    "d080659a28b82cc98f5e102f729e1ba96293b8a3",
    "019b3abd0093a98a2b7c9137ec146dc1dec3cd4c",
    "c9ff9d0f8adad6a8b1b6cec597114fda03ad5265",
    "608ab07614cfd1d61b096a7db6e85c2e054c2c51"
  ],
  "backup": false,
  "verification_required": false
}
The response now reports "complete": true, which means the rekey workflow has finished.
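The three rekey/update calls above (Alice, Carol, Dan) are one loop: each holder submits a decrypted share with the same nonce, and Vault answers with progress until the threshold is met. The following is an added example, not code from the tutorial or from HashiCorp, that drives that loop from Python. It builds the request body with json.dumps instead of shell interpolation, insists that every response echoes the nonce the rekey was started with, and stops as soon as Vault reports completion. The `post` callable is injected so the loop can be exercised against a fake Vault; `vault_post` is the real HTTP client, and the `REKEY_NONCE`, `VAULT_ADDR` and `VAULT_TOKEN` environment variable names match the ones used elsewhere in this tutorial.

```python
import json
import urllib.request
from typing import Callable, Dict, Iterable


def build_update_payload(share: str, nonce: str) -> bytes:
    """Body for POST /v1/sys/rekey/update.

    json.dumps does the quoting, so a share value (or a trailing newline
    from `gpg --decrypt`) cannot break the JSON document the way a
    shell-interpolated string could.
    """
    share = share.strip()
    if not share:
        raise ValueError("empty unseal key share")
    if not nonce:
        raise ValueError("rekey nonce is required")
    return json.dumps({"key": share, "nonce": nonce}).encode("utf-8")


def vault_post(addr: str, token: str, path: str, body: bytes) -> Dict:
    """POST a JSON body to Vault and return the decoded response (real network call)."""
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{path.lstrip('/')}",
        data=body,
        method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def submit_shares(shares: Iterable[str], nonce: str, post: Callable[[bytes], Dict]) -> Dict:
    """Submit shares to rekey/update one at a time and return Vault's last response.

    Stops early once "complete" is true. Raises if a response carries a
    different nonce: that means someone cancelled and restarted the rekey,
    and our shares are being fed into an operation we did not initiate.
    """
    last: Dict = {}
    for share in shares:
        last = post(build_update_payload(share, nonce))
        if last.get("nonce") != nonce:
            raise RuntimeError(
                f"rekey nonce changed to {last.get('nonce')!r}; operation was restarted"
            )
        if last.get("complete"):
            break
    return last


if __name__ == "__main__":
    import os
    import sys

    # Each share holder pipes their own decrypted share in on stdin, e.g.
    #   gpg --decrypt /root/.gnupg/carol_unseal_key.dat | python3 rekey_update.py
    addr, token, nonce = (os.environ[k] for k in ("VAULT_ADDR", "VAULT_TOKEN", "REKEY_NONCE"))
    result = submit_shares(
        (line for line in sys.stdin if line.strip()),
        nonce,
        lambda body: vault_post(addr, token, "sys/rekey/update", body),
    )
    if result.get("complete"):
        # The returned shares are PGP-encrypted to each holder, as on the page.
        print(json.dumps({k: result[k] for k in ("keys", "keys_base64") if k in result}, indent=2))
    else:
        print(f"progress {result.get('progress')}/{result.get('required')}")
```

Because `submit_shares` returns the last response rather than raising when the threshold is not yet reached, a single holder can run it with only their own share and read the progress counter, exactly as the three separate curl calls do.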
You have rekeyed Vault with encrypted key shares using the HTTP API. Vault emits the new key shares, each encrypted to its holder's PGP public key, in both hexadecimal-encoded (keys) and base64-encoded (keys_base64) formats.
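Each entry in `keys` (and the same bytes base64-encoded in `keys_base64`) is an OpenPGP public-key encrypted session key packet, which is why the gpg messages in the output name the recipient key ID (for example C814FA5A4887B4BC for Alice). Before handing a share to a holder, an operator can check that it really is encrypted to that holder's key. The following is an added example, not code from the tutorial or from HashiCorp: it parses the packet framing described in RFC 4880 (new-format header, version 3, eight-byte key ID, algorithm, RSA MPI) from either encoding and compares the key ID with the one expected. `build_sample_pkesk` constructs dummy packets with the page's key IDs for offline testing; they are not real ciphertext.

```python
import base64
import struct
from typing import Dict, List, Sequence, Tuple

PKESK_TAG = 1  # OpenPGP Public-Key Encrypted Session Key packet (RFC 4880 section 5.1)
PK_ALGO_NAMES = {1: "RSA (encrypt or sign)", 2: "RSA (encrypt only)", 16: "Elgamal", 18: "ECDH"}


def _new_format_length(data: bytes, offset: int) -> Tuple[int, int]:
    """Decode an RFC 4880 new-format body length; returns (length, octets used)."""
    first = data[offset]
    if first < 192:
        return first, 1
    if first < 224:
        return ((first - 192) << 8) + data[offset + 1] + 192, 2
    if first == 255:
        return struct.unpack(">I", data[offset + 1:offset + 5])[0], 5
    raise ValueError("partial-body lengths are not expected in a PKESK packet")


def _encode_new_format_length(n: int) -> bytes:
    """Inverse of _new_format_length, used only to build sample packets."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def decode_share(share: str) -> bytes:
    """Accept an entry from either `keys` (hex) or `keys_base64`."""
    s = share.strip()
    if len(s) % 2 == 0 and set(s) <= set("0123456789abcdefABCDEF"):
        return bytes.fromhex(s)
    return base64.b64decode(s, validate=True)


def parse_pkesk(data: bytes) -> Dict[str, object]:
    """Return the recipient key ID and algorithm of a single PKESK packet."""
    if len(data) < 2 or data[0] & 0xC0 != 0xC0:
        raise ValueError("not a new-format OpenPGP packet")
    tag = data[0] & 0x3F
    if tag != PKESK_TAG:
        raise ValueError(f"expected PKESK (tag 1), found tag {tag}")
    body_len, len_octets = _new_format_length(data, 1)
    body = data[1 + len_octets:]
    if len(body) != body_len:
        raise ValueError(f"header declares {body_len} body bytes, {len(body)} present")
    if body[0] != 3:
        raise ValueError(f"unsupported PKESK version {body[0]}")
    key_id = body[1:9].hex().upper()
    algo = body[9]
    info: Dict[str, object] = {"key_id": key_id, "algorithm": PK_ALGO_NAMES.get(algo, f"algo {algo}")}
    if algo in (1, 2):  # RSA: exactly one MPI follows (2-byte bit count, then the value)
        mpi_bits = struct.unpack(">H", body[10:12])[0]
        if len(body) != 12 + (mpi_bits + 7) // 8:
            raise ValueError("RSA MPI length does not match the packet body")
        info["mpi_bits"] = mpi_bits
    return info


def check_recipients(shares: Sequence[str], expected_key_ids: Sequence[str]) -> List[Tuple[int, str, str, bool]]:
    """One row per share: (index, key ID the share is encrypted to, expected key ID, match)."""
    if len(shares) != len(expected_key_ids):
        raise ValueError("need exactly one expected key ID per share")
    rows = []
    for i, (share, expected) in enumerate(zip(shares, expected_key_ids)):
        found = str(parse_pkesk(decode_share(share))["key_id"])
        rows.append((i, found, expected.upper(), found == expected.upper()))
    return rows


def build_sample_pkesk(key_id_hex: str, mpi_bits: int = 4096) -> bytes:
    """Constructed test data: PKESK framing around a dummy RSA MPI (not real ciphertext)."""
    mpi_len = (mpi_bits + 7) // 8
    mpi = b"\x80" + b"\x5a" * (mpi_len - 1)  # top bit set so the declared bit count is exact
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + struct.pack(">H", mpi_bits) + mpi
    return bytes([0xC0 | PKESK_TAG]) + _encode_new_format_length(len(body)) + body


if __name__ == "__main__":
    # Key IDs taken from the gpg messages on this page; the packets are constructed.
    ids = ["C814FA5A4887B4BC", "C969BA5593C0C6DE", "61D5D07E586F8DFB"]
    for row in check_recipients([build_sample_pkesk(k).hex() for k in ids], ids):
        print(row)
```

A 4096-bit RSA recipient gives a 524-byte body, whose two-octet length encodes as `c1 4c`; that is why every hex entry in the output above starts with `c1c14c03` followed by the recipient's key ID.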
Next steps
You can learn more about Vault seals in the Vault Architecture and Seal/Unseal documentation.
If you'd like to learn about automatically unsealing Vault with cloud based seals, a hardware security module (HSM), or the Vault Transit secrets engine, review the Vault seal configuration documentation.
Cleanup
Stop the Vault Docker container (Docker removes it automatically).
$ docker stop learn-vault
Remove the Docker network.
$ docker network rm learn-vault
Remove the hands-on lab directory.
$ rm -rf "$HC_LEARN_LAB"
Unset the gpg alias.
$ unalias gpg
Unset the environment variables.
$ unset HC_LEARN_LAB VAULT_TOKEN VAULT_ADDR REKEY_NONCE