door lock

The best practices for Hashicorp Vault are to destroy your default root token after you have finished the initial setup of Vault. However, you will still find times when you need a new root token for certain advanced functions.

This article describes how to create a new root token using your vault unseal keys.

Instructions were found here:

Generate One time Password:

First, we will use the vault generate-root command with the genopt argument. This will generate a one time password to access our newly generated root token. I say a one time password, but you will actually use it a few times through this process.

vault generate-root -genotp

save OTP Output, for example: tXJxQcj01NoR3whDnt9OxQ==

Initialize Process:

Next, we will use our One-time password and pass it back into the generate-root command telling it to initialize the process.
vault generate-root -init -otp=”<OTP Value>”

Example: vault generate-root -init -otp=”tXJxQcj01NoR3whDnt9OxQ==”

Enter Unseal Keys:

Now we tell vault to actually generate the root token:
vault generate-root

Enter unseal key when prompted. Repeat with additional reseal keys as needed. Once the threshold is reached, it will generate an Encoded root token. It will look something similar to the example below:

Example: GYox3aZVAGXZfI9Gku1ohQ==

Decode Root Token:

The last step is to retrieve/decode your new root token:

vault generate-root -decode=”<Encoded root token>” -otp=”<One time password>”

Example: vault generate-root -decode=”GYox3aZVAGXZfI9Gku1ohQ==” -otp=”tXJxQcj01NoR3whDnt9OxQ==”

New Root token will be output to the system console.


You now know how to generate new root tokens for your vault. For security reasons, Hashicorp recommends you destroy the root token when it is no longer needed. Generate a new one if you need it again. You can see it does take a few steps to create the replacement root tokens. However, root tokens never expire. So if you lose it, and someone finds it, it will be valid unless you have destroyed it. Regular tokens self destruct when they reach the end of their TTL.