---
layout: "docs"
page_title: "operator init - Command"
sidebar_title: "<code>init</code>"
sidebar_current: "docs-commands-operator-init"
description: |-
  The "operator init" command initializes a Vault server. Initialization is the
  process by which Vault's storage backend is prepared to receive data. Since
  Vault servers share the same storage backend in HA mode, you only need to
  initialize one Vault to initialize the storage backend.
---

# operator init

The `operator init` command initializes a Vault server. Initialization is the
process by which Vault's storage backend is prepared to receive data. Since
Vault servers share the same storage backend in HA mode, you only need to
initialize one Vault to initialize the storage backend.

During initialization, Vault generates an in-memory master key and applies
Shamir's secret sharing algorithm to split that master key into a
configurable number of key shares such that a configurable subset of those key
shares must come together to regenerate the master key. These key shares are
often called "unseal keys" in Vault's documentation.

This command cannot be run against an already-initialized Vault cluster.

For more information on sealing and unsealing, please see the [seal concepts page](/docs/concepts/seal.html).

## Examples

Start initialization with the default options:

```text
$ vault operator init
```

Initialize, but encrypt the unseal keys with PGP keys:

```text
$ vault operator init \
    -key-shares=3 \
    -key-threshold=2 \
    -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
```

Initialize Auto Unseal, but encrypt the recovery keys with PGP keys:

```text
$ vault operator init \
    -recovery-shares=1 \
    -recovery-threshold=1 \
    -recovery-pgp-keys="keybase:grahamhashicorp"
```

Encrypt the initial root token using a PGP key:

```text
$ vault operator init -root-token-pgp-key="keybase:hashicorp"
```

## Usage

The following flags are available in addition to the [standard set of
flags](/docs/commands/index.html) included on all commands.

### Output Options

- `-format` `(string: "")` - Print the output in the given format. Valid formats
  are "table", "json", or "yaml". The default is table. This can also be
  specified via the `VAULT_FORMAT` environment variable.

### Common Options

- `-key-shares` `(int: 5)` - Number of key shares to split the generated master
  key into. This is the number of "unseal keys" to generate. This is aliased as
  `-n`.

- `-key-threshold` `(int: 3)` - Number of key shares required to reconstruct the
  master key. This must be less than or equal to `-key-shares`. This is aliased
  as `-t`.

- `-pgp-keys` `(string: "...")` - Comma-separated list of paths to files on disk
  containing public GPG keys OR a comma-separated list of Keybase usernames
  using the format `keybase:<username>`. When supplied, the generated unseal
  keys will be encrypted and base64-encoded in the order specified in this list.
  The number of entries must match `-key-shares`, unless `-stored-shares` is
  used.

- `-root-token-pgp-key` `(string: "")` - Path to a file on disk containing a
  binary or base64-encoded public GPG key. This can also be specified as a
  Keybase username using the format `keybase:<username>`. When supplied, the
  generated root token will be encrypted and base64-encoded with the given
  public key.

- `-status` `(bool: false)` - Print the current initialization status. An exit
  code of 0 means the Vault is already initialized. An exit code of 1 means an
  error occurred. An exit code of 2 means the Vault is not initialized.
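
The following wrapper is an added example, not code from the Vault project. It uses the `-status` exit codes above to make initialization safe to re-run from automation, and it refuses to initialize unless `-key-threshold` and `-pgp-keys` satisfy the documented constraints, so that no key share is requested without a PGP recipient. `VAULT_BIN` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Vault project): idempotent init wrapper.
# VAULT_BIN and all function names are assumptions of this sketch.
VAULT_BIN="${VAULT_BIN:-vault}"

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# check_init_args SHARES THRESHOLD PGP_LIST
# Enforces the constraints documented for -key-threshold and -pgp-keys
# before anything is sent to the server.
check_init_args() {
  is_uint "$1" && is_uint "$2" ||
    { echo "shares and threshold must be integers" >&2; return 1; }
  [ "$2" -le "$1" ] ||
    { echo "-key-threshold must be <= -key-shares" >&2; return 1; }
  # Reject empty lists and empty entries (leading, trailing or double commas).
  case ",$3," in *,,*) echo "empty -pgp-keys entry" >&2; return 1 ;; esac
  commas=$(printf '%s' "$3" | tr -cd ',' | wc -c)
  [ $(($commas + 1)) -eq "$1" ] ||
    { echo "need exactly one -pgp-keys entry per key share" >&2; return 1; }
}

# init_state: translate the documented `-status` exit codes into a word.
init_state() {
  rc=0
  "$VAULT_BIN" operator init -status >/dev/null 2>&1 || rc=$?
  case "$rc" in
    0) echo initialized ;;
    2) echo uninitialized ;;
    *) echo error; return 1 ;;   # 1 (or anything else): the check itself failed
  esac
}

# safe_init SHARES THRESHOLD PGP_LIST ROOT_TOKEN_PGP_KEY
# Prints the init JSON (PGP-encrypted shares and root token) on stdout.
safe_init() {
  check_init_args "$1" "$2" "$3" || return 1
  state=$(init_state) || { echo "cannot determine init status" >&2; return 1; }
  if [ "$state" = initialized ]; then
    echo "already initialized; skipping" >&2
    return 0
  fi
  "$VAULT_BIN" operator init -format=json \
    -key-shares="$1" -key-threshold="$2" \
    -pgp-keys="$3" -root-token-pgp-key="$4"
}
```

Treating exit code 1 as a hard failure, rather than as "not initialized", keeps a network or TLS error from being mistaken for a fresh cluster.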

### Consul Options

- `-consul-auto` `(bool: false)` - Perform automatic service discovery using
  Consul in HA mode. When all nodes in a Vault HA cluster are registered with
  Consul, enabling this option will trigger automatic service discovery based on
  the provided `-consul-service` value. When Consul is Vault's HA backend, this
  functionality is automatically enabled. Ensure the proper Consul environment
  variables are set (`CONSUL_HTTP_ADDR`, etc). When only one Vault server is
  discovered, it will be initialized automatically. When more than one Vault
  server is discovered, they will each be output for selection. The default is
  false.

- `-consul-service` `(string: "vault")` - Name of the service in Consul under
  which the Vault servers are registered.

### HSM and KMS Options

- `-recovery-pgp-keys` `(string: "...")` - Behaves like `-pgp-keys`, but for the
  recovery key shares. This is only used in HSM mode.

- `-recovery-shares` `(int: 5)` - Number of key shares to split the recovery key
  into. This is only used in HSM mode.

- `-recovery-threshold` `(int: 3)` - Number of key shares required to
  reconstruct the recovery key. This is only used in HSM mode.

- `-stored-shares` `(int: 0)` - Number of unseal keys to store on an HSM. This
  must be equal to `-key-shares`.