---
layout: "docs"
page_title: "operator init - Command"
sidebar_title: "<code>init</code>"
sidebar_current: "docs-commands-operator-init"
description: |-
  The "operator init" command initializes a Vault server. Initialization is the
  process by which Vault's storage backend is prepared to receive data. Since
  Vault servers share the same storage backend in HA mode, you only need to
  initialize one Vault to initialize the storage backend.
---

# operator init

The `operator init` command initializes a Vault server. Initialization is the
process by which Vault's storage backend is prepared to receive data. Since
Vault servers share the same storage backend in HA mode, you only need to
initialize one Vault to initialize the storage backend.

During initialization, Vault generates an in-memory master key and applies
Shamir's secret sharing algorithm to disassemble that master key into a
configurable number of key shares such that a configurable subset of those key
shares must come together to regenerate the master key. These keys are often
called "unseal keys" in Vault's documentation.

This command cannot be run against an already-initialized Vault cluster.

For more information on sealing and unsealing, please see the [seal concepts page](/docs/concepts/seal.html).

## Examples

Start initialization with the default options:

```text
$ vault operator init
```

Initialize, but encrypt the unseal keys with PGP keys:

```text
$ vault operator init \
    -key-shares=3 \
    -key-threshold=2 \
    -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
```

Initialize Auto Unseal, but encrypt the recovery keys with PGP keys:

```text
$ vault operator init \
    -recovery-shares=1 \
    -recovery-threshold=1 \
    -recovery-pgp-keys="keybase:grahamhashicorp"
```

Encrypt the initial root token using a PGP key:

```text
$ vault operator init -root-token-pgp-key="keybase:hashicorp"
```

## Usage

The following flags are available in addition to the [standard set of
flags](/docs/commands/index.html) included on all commands.

### Output Options

- `-format` `(string: "")` - Print the output in the given format. Valid formats
  are "table", "json", or "yaml". The default is table. This can also be
  specified via the `VAULT_FORMAT` environment variable.

### Common Options

- `-key-shares` `(int: 5)` - Number of key shares to split the generated master
  key into. This is the number of "unseal keys" to generate. This is aliased as
  `-n`.

- `-key-threshold` `(int: 3)` - Number of key shares required to reconstruct the
  master key. This must be less than or equal to -key-shares. This is aliased as
  `-t`.

- `-pgp-keys` `(string: "...")` - Comma-separated list of paths to files on disk
  containing public GPG keys OR a comma-separated list of Keybase usernames
  using the format `keybase:<username>`. When supplied, the generated unseal
  keys will be encrypted and base64-encoded in the order specified in this list.
  The number of entries must match -key-shares, unless -stored-shares is used.

- `-root-token-pgp-key` `(string: "")` - Path to a file on disk containing a
  binary or base64-encoded public GPG key.
  This can also be specified as a
  Keybase username using the format `keybase:<username>`. When supplied, the
  generated root token will be encrypted and base64-encoded with the given
  public key.

- `-status` `(bool: false)` - Print the current initialization status. An exit
  code of 0 means the Vault is already initialized. An exit code of 1 means an
  error occurred. An exit code of 2 means the Vault is not initialized.

### Consul Options

- `-consul-auto` `(bool: false)` - Perform automatic service discovery using
  Consul in HA mode. When all nodes in a Vault HA cluster are registered with
  Consul, enabling this option will trigger automatic service discovery based on
  the provided -consul-service value. When Consul is Vault's HA backend, this
  functionality is automatically enabled. Ensure the proper Consul environment
  variables are set (CONSUL_HTTP_ADDR, etc). When only one Vault server is
  discovered, it will be initialized automatically. When more than one Vault
  server is discovered, they will each be output for selection. The default is
  false.

- `-consul-service` `(string: "vault")` - Name of the service in Consul under
  which the Vault servers are registered.

### HSM and KMS Options

- `-recovery-pgp-keys` `(string: "...")` - Behaves like `-pgp-keys`, but for the
  recovery key shares. This is only used in HSM mode.

- `-recovery-shares` `(int: 5)` - Number of key shares to split the recovery key
  into. This is only used in HSM mode.

- `-recovery-threshold` `(int: 3)` - Number of key shares required to
  reconstruct the recovery key. This is only used in HSM mode.

- `-stored-shares` `(int: 0)` - Number of unseal keys to store on an HSM. This
  must be equal to `-key-shares`.
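
An automation wrapper can enforce the constraints listed above and use the `-status` exit codes to make initialization idempotent. This is an added example, not part of Vault; the function names and the injectable `run` parameter are assumptions made for illustration, and only flags documented on this page are used.

```python
import subprocess

# Meaning of `vault operator init -status` exit codes, as documented above.
STATUS = {0: "initialized", 2: "not-initialized"}

def init_status(run=subprocess.run):
    """Return 'initialized' or 'not-initialized'; raise on any other exit code."""
    code = run(["vault", "operator", "init", "-status"]).returncode
    if code not in STATUS:
        raise RuntimeError(f"vault operator init -status failed (exit {code})")
    return STATUS[code]

def init_args(key_shares=5, key_threshold=3, pgp_keys=(), stored_shares=0):
    """Validate the documented constraints and build the init argv."""
    if key_threshold > key_shares:
        raise ValueError("-key-threshold must be <= -key-shares")
    if stored_shares and stored_shares != key_shares:
        raise ValueError("-stored-shares must equal -key-shares")
    if pgp_keys and not stored_shares and len(pgp_keys) != key_shares:
        raise ValueError("-pgp-keys needs one entry per key share")
    argv = ["vault", "operator", "init", "-format=json",
            f"-key-shares={key_shares}", f"-key-threshold={key_threshold}"]
    if pgp_keys:
        argv.append("-pgp-keys=" + ",".join(pgp_keys))
    if stored_shares:
        argv.append(f"-stored-shares={stored_shares}")
    return argv

def init_once(run=subprocess.run, **opts):
    """Initialize only when -status reports an uninitialized Vault."""
    argv = init_args(**opts)  # reject bad parameters before touching Vault
    if init_status(run) == "initialized":
        return None  # nothing to do; init cannot run a second time
    # The returned output carries the key shares and root token: treat as secret.
    return run(argv, capture_output=True, text=True, check=True).stdout
```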