How to reset or "un-initialize" vault?

Question

I'm trying to automate vault v0.8.0 deployment (vaultproject from Hashicorp) with a consul v0.9.1 backend.

Because it is a trial and error process I need to run "vault init" a couple of times (until I get it right) and get the keys.

Unfortunately I lost the keys and the root token.

I tried to stop vault and consul service - nothing "* Vault is already initialized" and "* Vault is sealed"

I stopped vault, removed the vault path from consul, started vault - same result - and at "vault init" I receive this error:

* expiration state restore failed: failed to scan for leases: list failed at path '': Unexpected response code: 403

and it's creating the vault/ path again in consul and remain sealed.

How can I "reset" vault or make it UN-initialized and start over with "vault init" ?

This is the log:

Aug 10 05:01:49 TSLASOWROMM01 vault[9156]: ==> Vault server started! Log data will stream in below:
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.238436 [INFO ] core: security barrier not initialized
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.271844 [INFO ] core: security barrier initialized: shares=5 threshold=3
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.320363 [INFO ] core: post-unseal setup starting
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.342931 [INFO ] core: loaded wrapping token key
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.356895 [INFO ] core: successfully mounted backend: type=generic path=secret/
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.357342 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.357736 [INFO ] core: successfully mounted backend: type=system path=sys/
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.358293 [INFO ] rollback: starting rollback manager
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.381808 [INFO ] expiration: restoring leases
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.383943 [INFO ] core: pre-seal teardown starting
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.384154 [INFO ] core: cluster listeners not running
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.384365 [INFO ] rollback: stopping rollback manager
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.384633 [INFO ] core: pre-seal teardown complete
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.384909 [ERROR] core: post-unseal setup failed during init: error=expiration state restore failed: failed to scan for leases: list failed at path '': Unexpected response code: 403

Answer 1

Per the discussion of this same question here: https://groups.google.com/forum/#!msg/vault-tool/xuO8IInubDg/SBHMP2PKAwAJ, the answer is:

Vault is storing its state in Consul, so if you shut down Vault and delete Vault's key prefix in Consul things should start clean again.

Answer 2

Just in case someone reads this post with the same intention as I did -> looking for "file"-backend or "database"-backend

file backend:

If you look into the vault configuration file (e.g. /etc/vault.d/vault.hcl)

There is a directive storage "file" { path = "/some/file/name" ......

Just empty the directory /some/file/name (do not remove, just emtpy).

database backend:

you just have to truncate the "vault_kv_store" table and restart vault:

psql -U myvaultdbuser -h myvaultDB.host.name -p5432 vaultdatabasname -c 'truncate table vault_kv_store';

... and to initialize again:

Then direct your Browser to e.g. http://localhost:8820/ui/vault/init to initialize it again