Vault
Recover to a non-replicated cluster
Enterprise
Appropriate Vault Enterprise license required
Recover and restore a discrete secret from an integrated storage snapshot to a single, non-replicated cluster.
Cannot recover discrete data from disabled mounts
You cannot read, list, or recover information from a snapshot for disabled mount paths. Even if you re-enable the same plugin at the same path, Vault treats it as a new mount with different internal identifiers and cannot associate the re-enabled mount with the underlying storage entries within the snapshot.
Before you start
- You must have an integrated storage snapshot. You can only restore data from automatically or manually saved snapshots for integrated storage.
- You must have a snapshot from the cluster targeted for restoration.
- The cluster must have mlock disabled.
- The cluster cannot have another snapshot loaded.
- You must have recover permissions for the secret path you want to recover.
- You must be restoring from a supported plugin. Not all secret paths support snapshot operations. Refer to the table below for supported plugins and paths.
| Plugin | Path | Supported snapshot operations | Vault version | 
|---|---|---|---|
| cubbyhole | /:secret_name | recover,read,list | 1.20.0 | 
| kv (v1) | /:secret_name | recover,read,list | 1.20.0 | 
| ssh | /config/ca | recover,read | 1.20.3 | 
Step 1: Load a snapshot
Load the snapshot holding the secret you want to recover.
Before you can load a manual snapshot, you must transfer the snapshot file from secure storage to a local path Vault can access.
Use vault operator raft snapshot load to load the snapshot data from a local
file and assign a snapshot ID:
$ vault operator raft snapshot load <local_file_path>
For example:
$ vault operator raft snapshot load /tmp/snapshots/20250624-1.snap
Key                                   Value
---                                   -----
cluster_id                            990195d2-9f10-4e5c-84c5-543b4c250dc6
expires_at                            2025-06-14T09:00:00.675319+05:00
snapshot_id                           e57cd0cf-c3fa-4e5e-96ea-4a68fa8f3269
status                                loading
Once you start a snapshot load, you can check the load status using
vault read and the /sys/storage/raft/snapshot-load endpoint:
$ vault read /sys/storage/raft/snapshot-load/<snapshot_id>
For example:
$ vault read \
    /sys/storage/raft/snapshot-load/9465df92-8236-4af9-8cc8-b7460d882e41
Key                                   Value
---                                   -----
auto_config_name                      paris-primary
cluster_id                            7430fa38-8fb6-4b35-b2a7-27ed4c831a44
expires_at                            2025-07-16T03:24:42.867531+05:00
snapshot_id                           9465df92-8236-4af9-8cc8-b7460d882e41
status                                ready
| Status key | Description | 
|---|---|
| loading | Vault is in the process of loading the snapshot and extracting data | 
| ready | Loading completed successfully. You can read data from the snapshot. | 
| error | Loading failed. Refer to the logs and error field for details. | 
Step 2: Recover the secret
When the snapshot status is ready, you can recover the secret by specifying
the snapshot ID and the secret path you want to read from.
Vault reads the secret at the specified path from the snapshot and writes that data to the associated path in Vault to recover the secret. The associated plugin then creates or updates the data at the specified path in live cluster storage.
Use vault read with the snapshot ID to read from the secret path and write
the recovered data to the corresponding mount path on the Vault server:
$ vault read                    \
    -snapshot-id <snapshot_id>  \
    <mount_path>/<secret_path>
For example:
$ vault read                                            \
    -snapshot-id 9465df92-8236-4af9-8cc8-b7460d882e41   \
    kv/telemetry-systems/api-key
Step 3: Verify secret recovery
To verify secret recovery, read the secret from the expected path. For example,
if you recovered a secret from a kv plugin at telemetry-systems/api-key:
$ vault kv get telemetry-systems/api-key
=== Data ===
Key    Value
---    -----
key    9C016BB3-F574-4A24-B8A7-8CE1F1CE2128
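The status check from Step 1 and the recovery command from Step 2 can be combined so that recovery only runs once the snapshot reports ready. The script below is an added example, not part of the original Vault documentation. The function names, return codes, retry defaults, and the check that a snapshot ID looks like the UUIDs shown on this page are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Vault docs): gate recovery on snapshot status.
# Function names, return codes and retry defaults are illustrative assumptions.

# Print the value of one key from the Key/Value table that `vault read` emits.
snapshot_field() {  # usage: snapshot_field <key>   (table on stdin)
  awk -v k="$1" '$1 == k { print $2; exit }'
}

# Assumption: snapshot IDs are UUIDs, as in the examples on this page.
is_snapshot_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Poll the snapshot-load endpoint.
# Returns 0 = ready, 1 = error, 2 = still loading after all tries,
#         3 = status could not be read or was not one of the documented values.
wait_for_snapshot() {  # usage: wait_for_snapshot <id> [tries] [delay_seconds]
  wfs_id="$1"; wfs_left="${2:-30}"; wfs_delay="${3:-2}"
  while [ "$wfs_left" -gt 0 ]; do
    wfs_out="$(vault read "/sys/storage/raft/snapshot-load/$wfs_id")" || return 3
    case "$(printf '%s\n' "$wfs_out" | snapshot_field status)" in
      ready)   return 0 ;;
      error)   printf '%s\n' "$wfs_out" >&2; return 1 ;;  # show the error field
      loading) sleep "$wfs_delay" ;;
      *)       echo "unexpected snapshot status" >&2; return 3 ;;
    esac
    wfs_left=$((wfs_left - 1))
  done
  return 2
}

# Validate the ID, wait for "ready", then run the Step 2 command from this page.
recover_secret() {  # usage: recover_secret <snapshot_id> <mount_path>/<secret_path>
  is_snapshot_id "$1" || { echo "malformed snapshot ID: $1" >&2; return 4; }
  wait_for_snapshot "$1" || return $?
  vault read -snapshot-id "$1" "$2"
}
```

Source the file and call `recover_secret <snapshot_id> <mount_path>/<secret_path>`; a non-zero return means no recovery command was sent to Vault.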