False. The vault operator rekey command updates unseal/recovery keys, not the master key (often confused with “root key”). The Vault documentation states:
"The operator rekey command generates a new set of unseal keys. This can optionally change the total number of key shares or the required threshold of those key shares to reconstruct the master key. This operation is zero downtime, but it requires that Vault is unsealed and a quorum of existing unseal keys are provided."
—Vault Commands: operator rekey
B: Correct. Only unseal keys are recreated:
"When performing a rekey operation using the vault operator rekey command, new unseal/recovery keys are generated, but the root key remains the same."
—Vault Commands: operator rekey
A: Incorrect; the master key persists.
References: Vault Commands: operator rekey