Skip to content

Hashicorp Vault CLI Part 2: Operation Commands

By Sebastian Günther

Posted in Hashicorp_vault

Hashicorp Vault is a flexible and highly configurable tool for RBAC-based access and management of secrets. Similarly, flexible is the Vault CLI binary, a tool for effective managing both single Vault instances or whole clusters.

This article is the second part of a series about the Vault CLI commands. It details the root-level vault operator command, with which actions such as sealing and unsealing, root and encryption key generation, cluster management, and additional metainformation can be provided. All commands will be explained as well as used in the context of a locally running cluster.

The technical context of this article is hashicorp_vault_v.1.20, published 2025-06-25. All provided information and command examples should be valid with newer versions too, baring update to the syntax of CLI commands.

The background material for this article stems from the official Hashicorp Vault documentation about Vault CLI and subsequent pages, as well as information from the binary itself.

Vault CLI Overview

The Vault CLI provides more than 30 commands. For systematically explaining and contextualizing each command, they can be structured as follows:

  • Initialization
    • server: Starts a server process
    • agent: Starts an agent process, a utility to communicate with a vault server to gain access to tokens
    • proxy: Starts a vault proxy process
  • Authentication
    • login: Authenticates access to a Vault server, supporting different authentication methods like user credentials, token, certificates and even external services like GitHub
  • Plugin Management
    • plugin: Manage and install additional plugins
  • Operation
    • operator: Cluster management operations, including memberships, encryption and unseal keys
    • runtime: Show runtime information
    • status: Show status information of the vault server
    • debug: Shows debug information of the connected Vault server
    • events: Subscribe to the event stream of a running vault instance
    • monitor: Print vault log messages
    • print: Detailed view of the vault’s server runtime configuration
    • version-history: Shows detailed version information about the vault server
  • Special Purpose Configuration
    • audit: Interact with connected audit devices
    • auth: Interact with configured authentication options
  • Multi Purpose Configuration
    • read / list: Access stored configuration and secrets
    • write / patch: Modify or create any data
    • delete: Delete stored secrets and data
  • Secrets Management
    • secrets: General configuration of secret engines
    • kv: Access to the essential key-value store
    • pki: Access the private key infrastructure secrets engine
    • policies: Manage policy definitions (governing mostly secrets, but also other vault operations)
    • lease: Manage current token leases, including renewal, revocation and TTL modification
    • tokens: General token management
    • transform: Interact with rate the transform secrets engine
    • transit: Interact with the Vaults transit secrets engine
    • ssh: Initiates SSH sessions via the SSH secrets engine
  • Misc:
    • unwrap: Work with encrypted data to unwrap
    • hcp: Operate a managed Hashicorp Vault Cluster
    • namespace: Interact with configured namespaces of the cluster
    • path-help: Additional examples for using the patch command

In this blog article, only the command vault operator is explored.

Vault Operator CLI

A freshly started Vault instance is a single, sealed node. The operator commands get the instance operational, allow the formation of a cluster, and output metainformation about operational health. Operator subcommands can be grouped as shown:

  • Startup
    • init: Initializes a vault instance with root key and encryption keys
    • seal: Removes the encryption key from memory, stopping all secret management processes
    • unseal: Reconstructs the root key, then load the encryption key into memory
  • Key Management
    • generate-root: Generate a new root token
    • rekey: Generates new unseal keys or encryption keys, with configured type, key shares and key thresholds
    • rotate: Create and append a new encryption key to the internal keyring
  • Storage Management
    • raft snapshot: Generate and apply backups of the raft storage backend
    • migrate: Migrates Vault data between different storage backends
  • Raft Cluster Management
    • list-peers: Show the status and role of all registered members
    • join: Adds a configured member to the cluster, making it an active node
    • remove-peer: Removes a registered member, changing it to an inactive node
    • autopilot: A special purpose configuration and process that ensures leader-follower roles of all configured nodes
  • General Cluster Management
    • members: Returns the list of nodes in the cluster
    • step-down: Changes the currently active node with the leader role, and triggers a new leader election among all nodes
  • Information
    • diagnose: Checks the physical and logical directory storage
    • key-status: Usage statistics about the currently active encryption key
    • usage: Statistics about token generation for different clients
    • utilization: Vault enterprise function to create a license utilization report

Startup Commands

init

The essential command to start a new Vault instance.

When called without any additional flags, it will default to Shamir unseal keys, creating 5 key shares a threshold of three key shares to unseal the vault. Also, a root token will be created. These options can be tweaked at will with additional flags.

> vault operator init       

# Log messages
Unseal Key 1: R6hz5iAr3oJo2ZFWCGLhdDoiZ7jT4B484gZah31o/3m/
Unseal Key 2: pP0ov5glEql+JJElikDPKcHC1celjCvMFBSMJwBDBj0J
Unseal Key 3: d4qVXwIrNx8bd+dK/7HDoeN6HrNBM+OV/QKg0pbfac12
Unseal Key 4: Wlc/mCkQZdPqH4lIToEWRbYFIqxJjOJ5cq6D0g1++IdV
Unseal Key 5: 3MTAMDEOQePqPHZsmzDZ6DS3kXADaXWJ7bIi6svG1QAV

Initial Root Token: hvs.Hxik8PHjAlw0IOk0PgSRBen4

Other options are to use self-provided PGP keys. A vault server can only be initialized once. The state backend stores the key shares and the master key used for encrypting all data. The only option is to manually delete the state, which obvious is something to only do in the first minutes of setup before any other configuration data is added.

seal

Immediately unloads the master key from memory, which is used for encryption and decryption of all secrets data in a Vault instance.

A sealed Vault offers only limited functionality. Access to secrets of other configuration items are barred, the HTTP Endpoints returning an error as shown in the following:

> curl --header "X-Vault-Token: hvs.uzEHZBQpWuWKlmeUYx4KY6UZ" -I http://127.0.0.1:8200/v1/kv2/data/apps

# Log messages
HTTP/1.1 503 Service Unavailable
Cache-Control: no-store
Content-Type: application/json
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Sun, 20 Jul 2025 07:28:26 GMT
Content-Length: 31

{"errors":["Vault is sealed"]}

unseal

The contrary instruction to reload the master key into memory. The concrete unseal process is governed by the chosen unseal method, defaulting to Shamir key shares. For this default method, the unseal command needs to be called consecutively until the key share threshold value is reached.

Here is an example log of the final unseal command:

> vault operator unseal

# Log messages
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
Threshold               3
Version                 1.20.0
Build Date              2025-06-23T10:21:30Z
Storage Type            raft
Cluster Name            vault
Cluster ID              a8c988d1-f2c6-eaec-80da-e2bef042dfef
Removed From Cluster    false
HA Enabled              true
HA Cluster              n/a
HA Mode                 standby
Active Node Address     <none>
Raft Committed Index    51
Raft Applied Index      51

Configuration Commands

generate-root

This command starts the process of generating a new root token. In early versions of vault, this process required successive commands for generating a new nonce for the root token, signing it with key shares or PGP tokens, generating OTPs for decrypting the generated nonce and for the final root token.

In the version used in this tutorial, all steps boil down to just one: vault operator generate-root -init. The following listing shows the complete root token regeneration process.

vault operator generate-root -init

# Log messages
A One-Time-Password has been generated for you and is shown in the OTP field.
You will need this value to decode the resulting root token, so keep it safe.
Nonce         bfd01e24-1349-2579-d726-4ae2020ee7aa
Started       true
Progress      0/3
Complete      false
OTP           zWQSrrVYZwz9lGrgfZDahDP3S87T
OTP Length    28

Use the existing key shares and enter the command the same amount of times as key shares for majority rules are required:

> vault operator generate-root      

# Log messages  
Operation nonce: 6bb2d09a-0412-9f14-3bc6-266ed2f6e915
Unseal Key (will be hidden):

After completing all key shares, the final screen shows this:

Nonce            6bb2d09a-0412-9f14-3bc6-266ed2f6e915
Started          true
Progress         3/3
Complete         true
Encoded Token    HSE8YBsMOAcsKhk5dx01DRkvHyE8YmU6JGkeJg

Now the encoded token needs to be decided with the initial nonce.

> vault operator generate-root -decode=HSE8YBsMOAcsKhk5dx01DRkvHyE8YmU6JGkeJg -otp=uWONzDADGCLc0eYLnMRJJ0QxjQvm

# Log messages
hvs.aHyCkiUZGxlAwbMkvR4BN8hK

rekey

This command starts a similarly involved process to generate either new unseal keys or recovery keys.

The generation of unseal keys exposes the same options as the initial setup: Determining the number of key shares generated, the key share threshold, and the key type.

Here is an example to regenerate 5 keys and using 2 as the threshold:

> vault operator rekey -init -key-shares=5 -key-threshold=2

# Log messages
Key                      Value
---                      -----
Nonce                    eca9cb95-dd7a-93e6-4d65-7c8238ddc0ec
Started                  true
Rekey Progress           0/2
New Shares               5
New Threshold            2
Verification Required    false

Use the same command again and provide an old unseal key as the argument:

vault operator rekey R6hz5iAr3oJo2ZFWCGLhdDoiZ7jT4B484gZah31o/3m/

vault operator rekey pP0ov5glEql+JJElikDPKcHC1celjCvMFBSMJwBDBj0J

Once completed, the new unseal keys are shown:

# Log messages
Key 1: e86YF9bSIFhuXGuP9CveJMa06ze8xD0kuLZURxiAhVs9
Key 2: AhhIbezOQMPwfui+YqPqZXkLBLGN8K/gScndnz9PYIg0
Key 3: bciZj+c9UIM8cazNW58V9zdFUnn+D2E3Gqeau7zgNdS6
Key 4: waZ9Zl4mKHgI1kk7ZTUsbeGTwFMINlrCHIH6VdRaInV6
Key 5: Rl6gfgJ9TvsxHl592TjQXI/9+/5OyinBliOCDaZDdjeK

Operation nonce: 86354d34-d57d-92e0-31bf-a22681f3789d

Vault unseal keys rekeyed with 5 key shares and a key threshold of 2. Please
securely distribute the key shares printed above. When Vault is re-sealed,
restarted, or stopped, you must supply at least 2 of these keys to unseal it
before it can start servicing requests.

When using PGP keys, an interesting option is offered: The current PGP keys can be stored as backup decryption data in Vaults core data. If the newly generated keys should get lost, the old keys can be reused instead.

rotate

This command creates a new encryption key used for en- and decryption of all data stored in Vault. The new key is inserted into the keyring. When Vault targets decrypting a secret, it will check the applicable key from the keyring, then encrypt the data with the new key.

Here is an example:

> vault operator rotate

# Log messages
Success! Rotated key

Key Term            2
Install Time        21 Jul 25 15:50 UTC
Encryption Count    2

This operation does not incur any downtime to a Vault instance or Cluster. Furthermore, an internal, configurable timespan is applied after which the encryption key will be automatically rotated.

Storage Management

Vault support several different storage backends. Two commands can be found in this group.

migrate

Vault instances are configured with one specific backend. To improve the storage performance, or use advanced features of Vault that require a specific storage backend, data can be migrated with this command. The migrate command expects a new configuration file that includes the new storage target, and it exposes some flags controlling the parallelism of the copying, and to control which keys are copied.

Here is an example for copying from one raft location to another.

First, create a completely new configuration file, and add the two blocks storage_source and storage_destination.

storage_source "raft" {
  path    = "/Users/work/development/vault/backup/"
  node_id = "node01"
}

storage_destination "raft" {
  path    = "/Users/work/development/vault/node04/raft/"
  node_id = "node04"
}

Then, without starting the new server, execute the migrate command. Log message indicate how the copy is performed.

> vault operator migrate -config=./node04/vault_config.hcl

# Log messages
[INFO]  creating Raft: config="&raft.Config{ProtocolVersion:3, HeartbeatTimeout:5000000000, ElectionTimeout:5000000000, CommitTimeout:50000000, MaxAppendEntries:64, BatchApplyCh:true, ShutdownOnRemove:true, TrailingLogs:0x2800, SnapshotInterval:120000000000, SnapshotThreshold:0x2000, LeaderLeaseTimeout:2500000000, LocalID:\"node04\", NotifyCh:(chan<- bool)(0xc001222080), LogOutput:io.Writer(nil), LogLevel:\"DEBUG\", Logger:(*hclog.intLogger)(0xc001226000), NoSnapshotRestoreOnStart:true, PreVoteDisabled:false, NoLegacyTelemetry:false, skipStartup:false}"

[INFO]  initial configuration: index=1 servers="[{Suffrage:Voter ID:node04 Address:127.0.0.1:8241}]"

[INFO]  entering leader state: leader="Node at node04 [Leader]"

[INFO]  copied key: path=core/keyring
[INFO]  copied key: path=core/local-mounts
[INFO]  copied key: path=core/local-audit
[INFO]  copied key: path=core/index-header-hmac-key
...

Success! All of the keys have been migrated.

Once completed, in the configuration file, remove the storage_source block and modify storage_destination to storage, then start the new vault server.

raft snapshot

Raft is the integrated storage format that comes bundles with the vault binary. While other raft commands exist, its storage management variant is concerned with one task: Handling data snapshots. Examples for all available subcommands are shown in the following.

For saving a snapshot, a local file path must be provided.

> vault operator raft snapshot save 2025-07-22_raft_backup.bin

# Log messages
[INFO]  storage.raft: starting snapshot up to: index=163
[INFO]  storage.raft: snapshot complete up to: index=163

Inspecting the snapshot file reveals detailed information about the included backup files.

> vault operator raft snapshot inspect 2025-07-22_raft_backup.bin

# Log messages
ID           bolt-snapshot
Size         22661
Index        163
Term         7
Version      1


 Key Name                                          Count      Size
 ----                                              ----       ----
 logical/92c4f3fb-d41c-d7ff-493f-101147aa3266      10         3.2KB
 logical/a62a4624-543e-42c4-9f11-d7d71f0ee325      6          5.9KB
 sys/policy                                        3          3.2KB
 sys/token                                         3          904B
 core/cluster                                      2          219B
 core/raft                                         2          3.3KB
 core/audit                                        1          104B
 core/auth                                         1          298B
 core/canary-keyring                               1          75B
 core/hsm                                          1          112B
 core/index-header-hmac-key                        1          99B
 core/keyring                                      1          718B
 core/leader                                       1          1.5KB
 core/local-audit                                  1          110B
 core/local-auth                                   1          108B
 core/local-mounts                                 1          357B
 core/lock                                         1          49B
 core/master                                       1          163B
 core/mounts                                       1          604B
 core/seal-config                                  1          183B
 core/shamir-kek                                   1          84B
 core/versions                                     1          164B
 core/wrapping                                     1          560B
 sys/counters                                      1          81B
 ----                                              ----
 Total Size                                                22.1KB

Finally, during restoring the snapshot, detailed log messages

> vault operator raft snapshot restore 2025-07-22_raft_backup.bin

# Log messages
[INFO]  storage.raft: starting snapshot up to: index=163
[INFO]  core: shutting down prior to restoring snapshot
[INFO]  core: pre-seal teardown starting
...
[INFO]  core: pre-seal teardown complete
[INFO]  core: applying snapshot
[INFO]  storage.raft.snapshot: creating new snapshot: path=/etc/hashicorp_vault/raft_storage/raft/snapshots/7-164-1753199964065.tmp
[INFO]  storage.raft: copied to local snapshot: bytes=22661
[INFO]  storage.raft.fsm: installing snapshot to FSM
[INFO]  storage.raft: snapshot restore progress: id=7-164-1753199964065 last-index=164 last-term=7 size-in-bytes=0 read-bytes=0 percent-complete="NaN%"
...
[INFO]  expiration: lease restore complete
[INFO]  core: post-unseal setup complete

Raft Cluster Management

Vault instances can be joined to form a cluster. A key requirement is that its storage backend provides high-availability, which means that a shared data state can be synced between its members with a reliable, consistent and integrity-keeping process. The raft storage format provides these capabilities.

When several Vault instances are configured with the raft storage format, the same-named operator command can be used for cluster management.

As the context for the following commands, a local three node cluster is assumed to have been setup.

raft list-peers

Lists all configured cluster members, their status and their role,

Assuming that the example cluster has been setup, but only the leader node is active, the output will be as shown.

> vault operator list-peers

# Log messages
Node      Address           State       Voter
----      -------           -----       -----
node01    127.0.0.1:8211    leader      true
node02    127.0.0.1:8221    follower    false
node03    127.0.0.1:8231    follower    false

raft join

Add the current Vault instance to another Vault server. The target can be either a server instance identified by an URI, or in the case of auto-join configuration, several key-value pairs identifying a target server in a cloud environment.

To add the second node to the cluster, following command can be used:

> vault operator raft join "http://127.0.0.2:8220"

# Log messages
Key       Value
---       -----
Joined    true

This changes the peer overview as follows:

Node      Address           State       Voter
----      -------           -----       -----
node01    127.0.0.1:8211    leader      true
node02    127.0.0.1:8221    follower    true
node03    127.0.0.1:8231    follower    false

raft remove-peer

Remove a Vault instance from the cluster, providing the target as and URI or an ID that is via the instance’s configuration file.

Here is an example usage:

> vault operator raft remove-peer node02

# Log messages
Peer removed successfully!

This changes the peer overview as follows:

Node      Address           State       Voter
----      -------           -----       -----
node01    127.0.0.1:8211    leader      true
node02    127.0.0.1:8221    follower    false
node03    127.0.0.1:8231    follower    false

raft autopilot

The autopilot functionality of the raft storage backend simplifies peer management and data duplication between the peers. This feature requires an active configuration, and once setup, peer’s communication and exchange data automatically.

The autopilot command interacts with this configuration by three subcommands:

autopilot get-config

Print the current autopilot configuration used in the cluster.

> vault operator raft autopilot get-config

# Log messages
Key                                   Value
---                                   -----
Cleanup Dead Servers                  false
Last Contact Threshold                10s
Dead Server Last Contact Threshold    24h0m0s
Server Stabilization Time             10s
Min Quorum                            0
Max Trailing Logs                     1000
Disable Upgrade Migration             false

autopilot set-config

Patch the configuration with new values.

> vault operator raft autopilot set-config -server-stabilization-time 10s

# Log messages
storage.raft: updated autopilot configuration: config="CleanupDeadServers:false LastContactThreshold:10s DeadServerLastContactThreshold:24h0m0s MaxTrailingLogs:1000 MinQuorum:0 ServerStabilizationTime:10s DisableUpgradeMigration:false RedundancyZoneTag:redundancy_zone UpgradeVersionTag:upgrade_version"

state

See operational information about the autopilot status.

> vault operator raft autopilot state

# Log messages
Healthy:                         true
Failure Tolerance:               1
Leader:                          node01
Voters:
   node01
   node02
   node03
Servers:
   node01
      Name:              node01
      Address:           127.0.0.1:8211
      Status:            leader
      Node Status:       alive
      Healthy:           true
      Last Contact:      0s
      Last Term:         3
      Last Index:        47
      Version:           1.20.0
      Node Type:         voter
   node02
      Name:              node02
      Address:           127.0.0.1:8221
      Status:            voter
      Node Status:       alive
      Healthy:           true
      Last Contact:      2.60827123s
      Last Term:         3
      Last Index:        47
      Version:           1.20.0
      Node Type:         voter
   node03
      Name:              node03
      Address:           127.0.0.1:8231
      Status:            voter
      Node Status:       alive
      Healthy:           true
      Last Contact:      4.302644971s
      Last Term:         3
      Last Index:        47
      Version:           1.20.0
      Node Type:         voter

General Cluster Management

Vault instances can be joined into a cluster, and the commands in this group provide essential cluster management.

The context of the following examples continues the above cluster that was created via a joined raft storage backend.

members

Returns an overview of all cluster nodes, providing an easy way to see the API and cluster addresses, Vault version, and last connection timestamps.

> vault operator members

# Log messages
Host Name     API Address              Cluster Address           Active Node    Version    Upgrade Version    Redundancy Zone    Last Echo
---------     -----------              ---------------           -----------    -------    ---------------    ---------------    ---------
midi.local    http://127.0.0.1:8210    https://127.0.0.1:8211    true           1.20.0     1.20.0             n/a                n/a
midi.local    http://127.0.0.1:8220    https://127.0.0.1:8221    false          1.20.0     1.20.0             n/a                2025-07-26T12:45:26+02:00
midi.local    http://127.0.0.1:8230    https://127.0.0.1:8231    false          1.20.0     1.20.0             n/a                2025-07-26T12:45:25+02:00

step-down

In each cluster, one node acts as the leader. This command forces the active leader to become a voter, and another node inside the cluster will get promoted to leader status instead.

The following example shows the effect of this command as indicated in the logfiles.

> vault operator step-down

# Log messages
Success! Stepped down: http://127.0.0.1:8210

[WARN]  core: stepping down from active operation to standby
...
[INFO]  core: pre-seal teardown complete
...
[INFO]  storage.raft: entering follower state: follower="Node at 127.0.0.1:8211 [Follower]" leader-address= leader-id=

Information

The last group of commands provides general metainformation about a Vault instance, helping to diagnose and anticipate potential problems.

diagnose

This command provides an overview about the general health of the filesystem structure of the Vault server as well as the structure and integrity of the configured internal storage.

This command is intended to be run when the Vault server is not running, intending to diagnose problems that prevent starting

Here is an example:

> vault operator diagnose -config=node04/vault_config.hcl

# Log messages
[ warning ] Vault Diagnose: HCP link check will not run on OSS Vault.
  [ warning ] Check Operating System
    [ success ] Check Open File Limits: Open file limits are set to
      61440.
    [ success ] Check Disk Usage: / usage ok.
    [ warning ] Check Disk Usage: /dev is 100.00 percent full.
      It is recommended to have more than five percent of the partition
      free.
    [ success ] Check Disk Usage: /System/Volumes/VM usage ok.
    [ success ] Check Disk Usage: /System/Volumes/Preboot usage ok.
    [ success ] Check Disk Usage: /System/Volumes/Update usage ok.
    [ success ] Check Disk Usage: /System/Volumes/Data usage ok.
    [ warning ] Check Disk Usage: /System/Volumes/Data/home has 0 B
      free.
      It is recommended to have at least 1 GB of space free per
      partition.
  [ success ] Parse Configuration
  [ warning ] Check Telemetry: Telemetry is using default configuration
    By default only Prometheus and JSON metrics are available.  Ignore this
    warning if you are using telemetry or are using these metrics and are
    satisfied with the default retention time and gauge period.
  [ warning ] Check Storage
    [ success ] Create Storage Backend
    [ warning ] Check Raft Folder Permissions: too many permissions:
      perms are drwxr-xr-x
    [ warning ] Check For Raft Quorum: Only one server node found.
      Vault is not running in high availability mode.
  [ skipped ] Check Service Discovery: No service registration
    configured.
  [ success ] Create Vault Server Configuration Seals
  [ skipped ] Check Transit Seal TLS: No transit seal found in seal
    configuration.
  [ success ] Create Core Configuration
    [ success ] Initialize Randomness for Core
  [ success ] HA Storage
    [ success ] Create HA Storage Backend
    [ skipped ] Check HA Consul Direct Storage Access: No HA storage
      stanza is configured.
  [ success ] Determine Redirect Address
  [ success ] Check Cluster Address: Cluster address is logically valid
    and can be found.
  [ success ] Check Core Creation
  [ skipped ] Check For Autoloaded License: License check will not run
    on OSS Vault.
  [ warning ] Start Listeners
    [ warning ] Check Listener TLS: Listener at address 127.0.0.1:8240:
      TLS is disabled in a listener config stanza.
    [ success ] Create Listeners
  [ skipped ] Check Autounseal Encryption: Skipping barrier encryption
    test. Only supported for auto-unseal.
  [ success ] Check Server Before Runtime
  [ success ] Finalize Shamir Seal

key-status

When Vault is unsealed, the root-key is reconstructed, and this decrypts the current encryption key of the internal keyring. The key-status command shows a brief summary about this encryption key.

> vault operator key-status 

# Log messages
Key Term            1
Install Time        26 Jul 25 10:37 UTC
Encryption Count    12

utilization

The vault enterprise only command distills a report about the license utilization. When used with the community version, it merely produces an error because the internally used endpoint is not available.

usage

Vaults provides token-based access to secrets, credentials, and certificates. This command outputs a usage statistic of generated tokens for different client types.

Here is an example output - alas, on a non-production local cluster, the statistics are rather negligible.

> vault operator usage

# Log messages
Period start: 0001-01-01T00:00:00Z
Period end: 2025-06-30T23:59:59Z

Namespace path   Entity Clients   Non-Entity clients   Secret syncs   ACME clients   Active clients
--------------   --------------   ------------------   ------------   ------------   --------------
                                                                                      
Total            0                0                    0              0              0

Conclusion

The Vault CLIs operator command provides access to high-level configuration of a server instance or cluster. Commands are grouped into a) startup, for starting and getting a Vault instance operation, b) key management, allowing the generation of root, unseal and recovery keys, c) storage management, allowing the migration between storage backends and the generation of raft snapshots, d) raft cluster management, configuring members of a Vault cluster that use raft as their storage backend, e) general cluster management, showing cluster status and triggering leader voting, and finally f) information, commands that diagnose operational health and metainformation about encryption keys or the license. This article covered all subcommands with an explanation and output example, and should help you to get more familiar with operating a Vault instance or cluster.


Previous: Hashicorp Vault CLI Part 1: Initialization, Authentication & Plugin Management