---
layout: "docs"
page_title: "operator rekey - Command"
sidebar_title: "<code>rekey</code>"
sidebar_current: "docs-commands-operator-rekey"
description: |-
  The "operator rekey" command generates a new set of unseal keys. This can
  optionally change the total number of key shares or the required threshold of
  those key shares to reconstruct the master key. This operation is zero
  downtime, but it requires that Vault is unsealed and that a quorum of existing
  unseal keys is provided.
---

# operator rekey

The `operator rekey` command generates a new set of unseal keys. This can
optionally change the total number of key shares or the required threshold of
those key shares to reconstruct the master key. This operation is zero downtime,
but it requires that Vault is unsealed and that a quorum of existing unseal keys
is provided.

An unseal key may be provided directly on the command line as an argument to the
command. If the key is specified as "-", the command will read from stdin. If a
TTY is available, the command will prompt for text.

Please see the [rotating and rekeying](/guides/operations/rekeying-and-rotating.html)
guide for step-by-step instructions.

## Examples

Initialize a rekey:

```text
$ vault operator rekey \
    -init \
    -key-shares=15 \
    -key-threshold=9
```

Rekey and encrypt the resulting unseal keys with PGP:

```text
$ vault operator rekey \
    -init \
    -key-shares=3 \
    -key-threshold=2 \
    -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
```

Rekey an Auto Unseal vault and encrypt the resulting recovery keys with PGP:

```text
$ vault operator rekey \
    -target=recovery \
    -init \
    -pgp-keys=keybase:grahamhashicorp \
    -key-shares=1 \
    -key-threshold=1
```

Store encrypted PGP keys in Vault's core:

```text
$ vault operator rekey \
    -init \
    -pgp-keys="..." \
    -backup
```

Retrieve backed-up unseal keys:

```text
$ vault operator rekey -backup-retrieve
```

Delete backed-up unseal keys:

```text
$ vault operator rekey -backup-delete
```

## Usage

The following flags are available in addition to the [standard set of
flags](/docs/commands/index.html) included on all commands.

### Output Options

- `-format` `(string: "table")` - Print the output in the given format. Valid
  formats are "table", "json", or "yaml". This can also be specified via the
  `VAULT_FORMAT` environment variable.

### Command Options

- `-cancel` `(bool: false)` - Reset the rekeying progress. This will discard any
  submitted unseal keys or configuration. The default is false.

- `-init` `(bool: false)` - Initialize the rekeying operation. This can only be
  done if no rekeying operation is in progress. Customize the new number of key
  shares and key threshold using the `-key-shares` and `-key-threshold` flags.

- `-key-shares` `(int: 5)` - Number of key shares to split the generated master
  key into. This is the number of "unseal keys" to generate. This is aliased as
  `-n`.

- `-key-threshold` `(int: 3)` - Number of key shares required to reconstruct the
  master key. This must be less than or equal to `-key-shares`. This is aliased
  as `-t`.

- `-nonce` `(string: "")` - Nonce value provided at initialization. The same
  nonce value must be provided with each unseal key.

- `-pgp-keys` `(string: "...")` - Comma-separated list of paths to files on disk
  containing public GPG keys OR a comma-separated list of Keybase usernames
  using the format `keybase:<username>`. When supplied, the generated unseal
  keys will be encrypted and base64-encoded in the order specified in this list.

- `-status` `(bool: false)` - Print the status of the current attempt without
  providing an unseal key. The default is false.

- `-target` `(string: "barrier")` - Target for rekeying. "recovery" only applies
  when HSM support is enabled.

### Backup Options

- `-backup` `(bool: false)` - Store a backup of the current PGP encrypted unseal
  keys in Vault's core. The encrypted values can be recovered in the event of
  failure or discarded after success. See the `-backup-delete` and
  `-backup-retrieve` options for more information. This option only applies when
  the existing unseal keys were PGP encrypted.

- `-backup-delete` `(bool: false)` - Delete any stored backup unseal keys.

- `-backup-retrieve` `(bool: false)` - Retrieve the backed-up unseal keys. This
  option is only available if the PGP keys were provided and the backup has not
  been deleted.
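The flag descriptions above leave the ordering of a rekey implicit: `-init` starts the attempt and prints a nonce, and every unseal key submitted afterwards must carry that same nonce, with the key itself read from stdin when given as "-". The script below is an added example, not part of the Vault documentation, that drives that sequence with `-format=json` so the nonce can be captured by a script rather than copied by hand. It assumes the JSON printed by `operator rekey -init` contains a top-level `nonce` field, and that the operator's unseal keys arrive one per line on stdin.

```shell
#!/bin/sh
# Added example (not from the Vault docs): run a full rekey, carrying the nonce
# from -init into every key submission. Assumes the -format=json output of
# "operator rekey -init" has a top-level "nonce" field.
set -eu

# Pull the nonce out of the JSON status printed by `vault operator rekey -init`.
# sed only, so it works on a bastion host without jq.
extract_nonce() {
    printf '%s\n' "$1" \
        | sed -n 's/.*"nonce"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        | head -n 1
}

# Start a rekey and print its nonce. Shares/threshold default to the documented
# 5/3 but can be overridden: rekey_init 7 4
rekey_init() {
    shares=${1:-5}
    threshold=${2:-3}
    out=$(vault operator rekey -init -format=json \
        -key-shares="$shares" -key-threshold="$threshold")
    nonce=$(extract_nonce "$out")
    if [ -z "$nonce" ]; then
        echo "no nonce in 'operator rekey -init' output" >&2
        return 1
    fi
    printf '%s\n' "$nonce"
}

# Submit existing unseal keys, one per line on stdin, each tagged with the same
# nonce. The first failing submission stops the loop (set -e) so a mistyped key
# is noticed before the rest of the quorum is entered.
rekey_submit_keys() {
    nonce=$1
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        printf '%s\n' "$key" | vault operator rekey -nonce="$nonce" -
    done
}

# Only touch a live Vault when explicitly asked:
#   RUN_REKEY=1 sh rekey.sh < unseal-keys.txt
if [ "${RUN_REKEY:-}" = "1" ]; then
    n=$(rekey_init 5 3)
    rekey_submit_keys "$n"
fi
```

If a key is rejected midway, the attempt can be discarded with `vault operator rekey -cancel` and restarted from `-init`.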