diff --git a/website/source/docs/concepts/tokens.html.md b/website/source/docs/concepts/tokens.html.md index 8c7fd43c1c..52a8414fcc 100644 --- a/website/source/docs/concepts/tokens.html.md +++ b/website/source/docs/concepts/tokens.html.md @@ -54,7 +54,7 @@ of version 0.6.1, there are only three ways to create root tokens: expiration 2. By using another root token; a root token with an expiration cannot create a root token that never expires -3. By using `vault generate-root` ([example](/guides/operations/generate-root.html)) +3. By using `vault operator generate-root` ([example](/guides/operations/generate-root.html)) with the permission of a quorum of unseal key holders Root tokens are useful in development but should be extremely carefully guarded @@ -62,9 +62,8 @@ in production. In fact, the Vault team recommends that root tokens are only used for just enough initial setup (usually, setting up auth methods and policies necessary to allow administrators to acquire more limited tokens) or in emergencies, and are revoked immediately after they are no longer needed. -If a new root token is needed, the `generate-root` command and associated [API -endpoint](/api/system/generate-root.html) can be -used to generate one on-the-fly. +If a new root token is needed, the `operator generate-root` command and associated +[API endpoint](/api/system/generate-root.html) can be used to generate one on-the-fly. It is also good security practice for there to be multiple eyes on a terminal whenever a root token is live. This way multiple people can verify as to the diff --git a/website/source/guides/operations/generate-root.html.md b/website/source/guides/operations/generate-root.html.md index 83592cc6d4..5e067a722d 100644 --- a/website/source/guides/operations/generate-root.html.md +++ b/website/source/guides/operations/generate-root.html.md 
@@ -10,8 +10,8 @@ description: |- It is generally considered a best practice to not persist [root tokens][root-tokens]. Instead a root token should be generated using -Vault's `generate-root` command only when absolutely necessary. This guide -demonstrates regenerating a root token. +Vault's `operator generate-root` command only when absolutely necessary. This +guide demonstrates regenerating a root token. 1. Unseal the vault using the existing quorum of unseal keys. You do not need to be authenticated to generate a new root token, but the Vault must be unsealed @@ -120,7 +120,7 @@ In this method, an OTP is XORed with the generated token on final output. operation. ```text - $ echo $UNSEAL_KEY | vault generate-root -nonce=f67f4da3... - + $ echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... - ``` 1. When the quorum of unseal keys are supplied, the final user will also get
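Review bot: In tokens.html.md, hunk @@ -54,7, list item 3 now gives only `vault operator generate-root`, while the list is introduced as describing behaviour "of version 0.6.1", so the text no longer says which CLI versions accept which spelling. Suggest keeping the new form and adding a short parenthetical that earlier releases spell it `vault generate-root`, or updating the version reference in the lead-in sentence if it is no longer meant to scope the command.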
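Review bot: In tokens.html.md, hunk @@ -62,9, the two rewrapped `+` lines run past the roughly 80-column wrap that the surrounding context lines keep, and the command appears as `operator generate-root` without the `vault` prefix that list item 3 uses a few lines earlier in the same file. Suggest writing `vault operator generate-root` here and re-wrapping the paragraph to the file's existing width so the diff stays limited to the rename.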
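Review bot: In generate-root.html.md, hunk @@ -10,8, the intro now reads "Vault's `operator generate-root` command", which does not match the literal invocation `vault operator generate-root` shown in the example at the `-nonce` step, and this file is only touched at the intro and at line 120. Suggest using the full command in the intro, and please confirm that none of the numbered steps between the two hunks (not visible in this diff) still invoke `vault generate-root`, since a guide that mixes both spellings for a root-token procedure will be hard to follow.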
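Review bot: In generate-root.html.md, hunk @@ -120,7, the example line being edited still expands the variable unquoted in `echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -`, so the shell applies word splitting and globbing to the key share before it is piped to Vault. Since the line is changing anyway, suggest `echo "$UNSEAL_KEY"` so the copy-pasteable example models safe handling of the key material.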