# /sys/rotate/(root|recovery)/verify

The `/sys/rotate/(root|recovery)/verify` endpoints are available from version v2.4.0.
## Read rotation verification progress

This endpoint reads the configuration and progress of the current rotation verification attempt.

| Method | Path |
|---|---|
| GET | `/sys/rotate/(root\|recovery)/verify` |

### Sample requests

```shell
$ curl \
    http://127.0.0.1:8200/v1/sys/rotate/root/verify
```

or

```shell
$ curl \
    http://127.0.0.1:8200/v1/sys/rotate/recovery/verify
```

### Sample response

```json
{
  "request_id": "9311c844-6be7-3c00-d2bc-e97fa8345338",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "nonce": "8b112c9e-2738-929d-bcc2-19aff249ff10",
    "t": 3,
    "n": 5,
    "progress": 1
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
```

Where `n` is the total number of new shares that were generated and `t` is the threshold required for the new shares to pass verification. `progress` is how many of the new unseal keys have been provided for this verification operation. The `nonce` for the current rotation is also displayed.
## Cancel rotation verification

This endpoint cancels any in-progress rotation verification operation. This clears any progress made and resets the nonce. Unlike a `DELETE` against `sys/rotate/(root|recovery)/init`, this only resets the current verification operation, not the entire rotation attempt. The return value is the same as `GET` along with the new nonce.

| Method | Path |
|---|---|
| DELETE | `/sys/rotate/(root\|recovery)/verify` |

### Sample requests

```shell
$ curl \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/rotate/root/verify
```

or

```shell
$ curl \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/rotate/recovery/verify
```

### Sample response

```json
{
  "nonce": "5827bbc1-0110-5725-cc21-beddc129d942",
  "t": 3,
  "n": 5,
  "progress": 0
}
```
## Submit verification key

This endpoint is used to enter a single new key share to progress the rotation verification operation. If the threshold number of key shares is reached, OpenBao will complete the verification. Otherwise, this API call must be repeated until the threshold is met. The nonce must be provided with each call.

When the operation is complete, the response will be returned in the format of the example below; otherwise the response will be the same as the `GET` method against `sys/rotate/(root|recovery)/verify`, providing the current operation status.

| Method | Path |
|---|---|
| POST | `/sys/rotate/(root\|recovery)/verify` |

### Parameters

- `key` `(string: <required>)` - Specifies a single root share key from the new set of shares.
- `nonce` `(string: <required>)` - Specifies the nonce of the rotation verification operation.

### Sample payload

```json
{
  "key": "A58d...",
  "nonce": "5a27bbc1..."
}
```

### Sample requests

```shell
$ curl \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/rotate/root/verify
```

or

```shell
$ curl \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/rotate/recovery/verify
```

### Sample response

```json
{
  "nonce": "5827bbc1-0110-5725-cc21-beddc129d942",
  "complete": true
}
```
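The three endpoints above form one procedure: read the status to learn the nonce and threshold, submit shares one per call with that nonce until `complete` is returned, and cancel (which issues a new nonce) if the attempt has to be restarted. The following is an added example of a client that drives that procedure; it is not OpenBao's own code or CLI. It uses only the standard library, the address from the page's curl samples, and an injectable transport so the exchange can be run offline against a constructed stand-in (`FakeBao`, whose nonces are copied from the page's samples). Two details a practitioner would want handled are built in: the `GET` sample wraps status under `data` while the `DELETE` and `POST` samples do not, so both shapes are accepted, and the loop aborts if the nonce changes part-way, since that means the verification was cancelled and the remaining shares would otherwise be fed to a different attempt.

```python
"""Added example, not OpenBao's own client: drives a rotation verification
against /sys/rotate/(root|recovery)/verify. All names below are this
example's own; the transport is injectable so the exchange runs offline."""
import json
import urllib.request
from typing import Callable, Optional

# Assumed server address, matching the page's curl samples.
BAO_ADDR = "http://127.0.0.1:8200"
Transport = Callable[[str, str, Optional[dict]], dict]


def verify_url(kind: str, addr: str = BAO_ADDR) -> str:
    """Endpoint for the root or recovery key set; anything else is rejected."""
    if kind not in ("root", "recovery"):
        raise ValueError("kind must be 'root' or 'recovery'")
    return f"{addr}/v1/sys/rotate/{kind}/verify"


def http_json(method: str, url: str, body: Optional[dict] = None) -> dict:
    """Real transport: one JSON request over urllib (raises HTTPError on 4xx/5xx)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def unwrap(resp: dict) -> dict:
    """GET wraps the status in "data"; the DELETE and POST samples show it at
    top level. Accept both so parsing does not depend on the wrapper."""
    return resp.get("data", resp)


def read_status(transport: Transport, kind: str, addr: str = BAO_ADDR) -> dict:
    return unwrap(transport("GET", verify_url(kind, addr), None))


def cancel_verification(transport: Transport, kind: str, addr: str = BAO_ADDR) -> dict:
    """DELETE clears progress and issues a fresh nonce (only the verification,
    not the whole rotation attempt)."""
    return unwrap(transport("DELETE", verify_url(kind, addr), None))


def submit_shares(transport: Transport, kind: str, shares: list,
                  addr: str = BAO_ADDR) -> dict:
    """Submit new shares one per call, with the current nonce, until OpenBao
    reports {"complete": true}. Aborts if the nonce changes mid-way: that
    means the verification was cancelled or restarted, and feeding the
    remaining shares to a different attempt would be a mistake."""
    url = verify_url(kind, addr)
    status = read_status(transport, kind, addr)
    nonce, threshold = status["nonce"], status["t"]
    if len(shares) < threshold:
        raise ValueError(f"threshold is {threshold}, only {len(shares)} shares given")
    for submitted, share in enumerate(shares, start=1):
        resp = transport("POST", url, {"key": share, "nonce": nonce})
        if resp.get("complete"):
            return {"complete": True, "submitted": submitted, "nonce": nonce}
        progress = unwrap(resp)
        if progress.get("nonce") != nonce:
            raise RuntimeError("verification nonce changed; attempt was reset")
    raise RuntimeError("all shares submitted but verification did not complete")


class FakeBao:
    """Constructed stand-in for the server so the flow can be exercised
    without a running OpenBao. Mirrors the page's t=3, n=5 samples."""

    def __init__(self, t: int = 3, n: int = 5):
        self.t, self.n, self.progress = t, n, 0
        self.nonce = "8b112c9e-2738-929d-bcc2-19aff249ff10"  # from the page's GET sample

    def _status(self) -> dict:
        return {"nonce": self.nonce, "t": self.t, "n": self.n, "progress": self.progress}

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        assert url.endswith("/verify"), url
        if method == "GET":
            return {"data": self._status()}
        if method == "DELETE":
            self.progress, self.nonce = 0, "5827bbc1-0110-5725-cc21-beddc129d942"
            return self._status()
        if body is None or body.get("nonce") != self.nonce:
            return {"errors": ["nonce mismatch"]}  # a real server answers HTTP 400 here
        self.progress += 1
        if self.progress < self.t:
            return self._status()
        self.progress = 0
        return {"nonce": self.nonce, "complete": True}


if __name__ == "__main__":
    # Offline demo; pass http_json instead of FakeBao() to talk to a real server.
    shares = ["A58d...", "B91f...", "C20a...", "D77e...", "E03c..."]  # constructed
    print(submit_shares(FakeBao(), "root", shares))
```

With `t=3`, the third share completes the verification and the two remaining shares are never sent; against a real server, pass `http_json` as the transport and a nonce mismatch surfaces as an `HTTPError` rather than the `errors` body the stand-in returns.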