Clarify OpenBao rotation flow

2026-05-26 00:09:19 +02:00
parent 8520ae8d7d
commit d0c7ff9f3b
2 changed files with 15 additions and 2 deletions
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py
@@ -1506,6 +1506,7 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
    rotate_init_command = interactive_token_command(
        "bao operator rotate-keys -init -key-shares=3 -key-threshold=2"
    )
+    rotate_status_command = interactive_token_command("bao operator rotate-keys -status")
    rotate_submit_command = interactive_token_command(
        'bao operator rotate-keys -nonce="$ROTATION_NONCE"',
        prompt_nonce=True,
@@ -1593,13 +1594,19 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
        ),
        action(
            "Start unseal-key rotation",
-            "Generate a new 3-share, threshold-2 Shamir split. Requires an OpenBao token with root or sudo capability.",
+            "Run once to start a new 3-share, threshold-2 rotation. If rotation is already in progress, do not rerun init; check status and submit existing shares.",
            rotate_init_command,
            compromise_taint,
        ),
+        action(
+            "Check unseal-key rotation status",
+            "Inspect the active rotation without submitting a share. Use after init or when OpenBao says rotation is already in progress.",
+            rotate_status_command,
+            compromise_taint,
+        ),
        action(
            "Submit current shares for rotation",
-            "Repeat by prompt until the required threshold completes. Enter the nonce from rotation init, then the token and share prompts.",
+            "Enter the nonce from rotation init, then token and existing unseal-share prompts. Repeat with distinct current shares until progress reaches the threshold.",
            rotate_submit_command,
            compromise_taint,
        ),