Vault makes use of Shamir’s secret sharing scheme to split a master key into *n* pieces, requiring at least *k* of them to be presented at ‘unseal’ time. At initialisation time, the user specifies what values *n* and *k* should take. Vault does not make it possible to change the number of shares after initialisation without recreating new shares for existing shareholders, despite Shamir’s scheme allowing it. I decided to raise a pull request implementing this functionality to make it easier to create more shares.

### How can we create a new share without recreating the master key?

I’ve written in detail how Shamir’s scheme works in this post, but as a quick overview:

- a polynomial of degree *k*-1 that passes through the point (0, *S*) is randomly selected, where *S* is the secret to split
- *n* non-zero points on this curve are selected as shares
- in order to recreate the curve and find *S*, *k* points must be provided
- a collection of fewer than *k* points cannot provide enough information to recreate the curve (and therefore *S*)

As the shares take the form of points along a curve, a new share can be added simply by selecting another point on the same curve. During initialisation Vault selects the first *n* points on the curve, so it is easy to track which points are already in use.

The implementation is as follows:

- provide *k* shares in order to recreate the secret curve, along with a PGP key for encrypting the new share
- generate a new share by taking the (*n*+1)th point on the curve
- update Vault so that it knows there are now *n*+1 shares
- return the encrypted share
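The two lists above, carried through in code. This is an added example written for this post; it is not Vault’s shamir package or the fork’s generate-share implementation, and the names Split, Combine, GenerateShare, evalAll and interpolate are this example’s own. It assumes byte-wise sharing over GF(2^8) with the AES reduction polynomial and shares at x = 1..n. It goes slightly beyond the text in one respect: the curve is fixed by the secret at x = 0 plus k-1 random points, and every further share, including the (n+1)th, is read off that curve by Lagrange interpolation at the new x, so generating a share never assembles the secret. It also shows the two checks a practitioner would want: x = 0 is refused as a share (that point is the secret itself), and duplicate x-coordinates are rejected rather than silently producing garbage.

```go
package main

import (
	"crypto/rand"
	"errors"
)

// Share is one point on every per-byte polynomial: one x, one y per secret byte.
type Share struct {
	X byte
	Y []byte
}

// gfMul multiplies in GF(2^8) reduced by the AES polynomial 0x11b (this example's
// choice). The reduction is branch-free: -(a>>7) is 0xff iff the top bit of a is set.
func gfMul(a, b byte) byte {
	var p byte
	for ; b != 0; b >>= 1 {
		if b&1 != 0 {
			p ^= a
		}
		a = (a << 1) ^ (0x1b & -(a >> 7))
	}
	return p
}

// interpolate evaluates at x the unique polynomial of degree len(xs)-1 through
// (xs[i], ys[i]) in Lagrange form; subtraction is XOR and den^254 = den^-1 in GF(2^8).
// x = 0 gives the secret byte; any unused non-zero x gives a fresh share of it.
func interpolate(xs, ys []byte, x byte) byte {
	var result byte
	for i := range xs {
		num, den, inv := byte(1), byte(1), byte(1)
		for j := range xs {
			if i != j {
				num, den = gfMul(num, x^xs[j]), gfMul(den, xs[i]^xs[j])
			}
		}
		for e := 0; e < 254; e++ {
			inv = gfMul(inv, den)
		}
		result ^= gfMul(ys[i], gfMul(num, inv))
	}
	return result
}

// evalAll reads the curve at x from exactly k points; a duplicate x would make den
// zero in interpolate and silently corrupt the output, so it is rejected here.
func evalAll(points []Share, x byte) ([]byte, error) {
	if len(points) < 2 {
		return nil, errors.New("need at least two points")
	}
	xs, ys, seen := make([]byte, len(points)), make([]byte, len(points)), map[byte]bool{}
	for i, p := range points {
		if seen[p.X] || len(p.Y) != len(points[0].Y) {
			return nil, errors.New("duplicate x or mismatched share length")
		}
		seen[p.X], xs[i] = true, p.X
	}
	out := make([]byte, len(points[0].Y))
	for b := range out {
		for i, p := range points {
			ys[i] = p.Y[b]
		}
		out[b] = interpolate(xs, ys, x)
	}
	return out, nil
}

// Split fixes the curve by the secret at x = 0 plus k-1 random points at x = 1..k-1
// (the same distribution as random coefficients with intercept secret), then reads
// the remaining shares x = k..n off that same curve.
func Split(secret []byte, n, k int) ([]Share, error) {
	if k < 2 || n < k || n > 255 {
		return nil, errors.New("need 2 <= k <= n <= 255")
	}
	curve := []Share{{X: 0, Y: secret}}
	for x := 1; x < k; x++ {
		y := make([]byte, len(secret))
		if _, err := rand.Read(y); err != nil {
			return nil, err
		}
		curve = append(curve, Share{X: byte(x), Y: y})
	}
	shares := append([]Share(nil), curve[1:]...)
	for x := k; x <= n; x++ {
		y, err := evalAll(curve, byte(x))
		if err != nil {
			return nil, err
		}
		shares = append(shares, Share{X: byte(x), Y: y})
	}
	return shares, nil
}

// Combine recovers the secret, the curve at x = 0, from exactly k shares.
func Combine(shares []Share) ([]byte, error) { return evalAll(shares, 0) }

// GenerateShare is the post's operation: from k shares, emit the point at newX, the
// (n+1)th point when 1..n are in use. Which x are in use is tracked by the caller.
func GenerateShare(shares []Share, newX byte) (Share, error) {
	if newX == 0 {
		return Share{}, errors.New("x = 0 is the secret itself, not a share")
	}
	y, err := evalAll(shares, newX)
	return Share{X: newX, Y: y}, err
}

func main() {
	shares, _ := Split([]byte("constructed master key"), 3, 2) // n = 3, k = 2 (constructed sample)
	extra, _ := GenerateShare(shares[:2], 4)                    // the 4th point, from 2 existing shares
	secret, _ := Combine([]Share{shares[2], extra})             // an old share plus the new one
	println(string(secret))
}
```

Running it with `go run` prints the constructed secret recovered from one original share and the newly generated fourth point. Encrypting the returned share to the requester’s PGP key, as the endpoint does, is outside this block; note that the inverse is computed by 254 field multiplications for brevity, which is fine for a one-off share generation but not what a production implementation would do.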

### How can I use the generate-share endpoint?

To kick off the process of generating a new share, call generate-share with the **init** flag and pass in the path to a PGP public key:

$ vault generate-share -init -pgp-key=

Then call generate-share *k* times, each with a different share of the master key:

$ vault generate-share

After providing the final share, a new share encrypted with the provided PGP public key will be returned. This can then be used to unseal Vault!

You can use the **status** flag to check how many shares have already been provided:

$ vault generate-share -status

The **cancel** flag is also available to cancel the share generation process:

$ vault generate-share -cancel

The fork can be found here: https://github.com/jam-pot/vault

The pull request can be found here: https://github.com/hashicorp/vault/pull/2523