Automate Vault cluster snapshots
Enterprise
Appropriate Vault Enterprise license required
You can configure Vault Enterprise to regularly save automated snapshots to local or cloud storage.
Before you start
- You must have a working knowledge of how Vault saves data.
- You must have a valid Vault cluster configuration using integrated storage.
- You must know, and be able to contact, your unseal/recovery key holders.
- You must have permission to access encrypted data in the backend storage.
- You should have a secure location, away from your Vault cluster infrastructure, to save the snapshot file.
Step 1: Determine your snapshot settings
Vault can write snapshots to local storage or to cloud storage. For long-term maintenance, we recommend keeping your automated snapshot settings in a JSON file.
Local storage example
The following JSON file, local-snapshot.json, defines an automated snapshot configuration that uses local storage with custom file and path prefixes. The configuration also sets a 120 minute snapshot interval, retains 7 snapshots before deleting the oldest, and caps the local storage consumed by snapshot files: Vault stops writing snapshot data if the combined file size exceeds 250 MB (262144000 bytes).
{
  "storage_type": "local",
  "file_prefix": "localsnappy",
  "interval": "120m",
  "retain": "7",
  "local_max_space": "262144000",
  "path_prefix": "/opt/vault/"
}
Cloud storage example
The following JSON file, aws-snapshot.json, defines an automated snapshot configuration that uses AWS S3 cloud storage, customizes the AWS configuration options (bucket name, region, and the required credentials), and protects the snapshots with server-side encryption. Because the file embeds static AWS credentials, treat it as a secret: restrict its file permissions, keep it out of version control, and delete it once the configuration has been written to Vault.
{
  "storage_type": "aws-s3",
  "file_prefix": "paris",
  "interval": "8h",
  "retain": 30,
  "local_max_space": 2621440000,
  "path_prefix": "primary",
  "aws_s3_bucket": "vault-snapshots",
  "aws_s3_region": "eu-west-3",
  "aws_access_key_id": "ASI...COFFEE",
  "aws_secret_access_key": "wJalr...COFFEEKEY",
  "aws_session_token": "IQoJb3JpZ2luX2IQ...COFFEE",
  "aws_s3_server_side_encryption": "true"
}
Step 2: Apply the snapshot configuration
Note
For disaster recovery and performance replication environments, you must configure automated snapshots separately for the primary and secondary clusters.
Run vault write against the sys/storage/raft/snapshot-auto/config/<configuration_name> path with your snapshot configuration file to enable automated snapshots:
$ vault write \
sys/storage/raft/snapshot-auto/config/<configuration_name> \
@<configuration_file>
For example, to configure automated snapshots with local storage in an unreplicated environment:
$ vault write \
sys/storage/raft/snapshot-auto/config/local-snaps \
@local-snapshot.json
Or, to configure automated snapshots with AWS storage for a primary cluster located in Paris called paris-primary:
$ vault write \
sys/storage/raft/snapshot-auto/config/paris-primary \
@aws-snapshot.json
Step 3 (Optional): Enable autoloading
You can configure Vault to automatically load the latest snapshot after it is written. This is useful when you want to recover individual secrets from a snapshot quickly, without loading the snapshot manually.
Only one automated snapshot configuration can have autoloading enabled at a time.
Automated snapshot configurations with their storage type set to local cannot have autoloading enabled.
If the interval for the automated snapshot configuration is set to less than 1 hour, Vault will only autoload snapshots every hour. This is to prevent excessive load on the cluster.
To enable autoloading, set the autoload_enabled parameter to true when creating or updating the automated snapshot configuration. For example, we can update the previous AWS S3 example to enable autoloading:
{
  "storage_type": "aws-s3",
  "file_prefix": "paris",
  "interval": "8h",
  "retain": 30,
  "autoload_enabled": true,
  "local_max_space": 2621440000,
  "path_prefix": "primary",
  "aws_s3_bucket": "vault-snapshots",
  "aws_s3_region": "eu-west-3",
  "aws_access_key_id": "ASI...COFFEE",
  "aws_secret_access_key": "wJalr...COFFEEKEY",
  "aws_session_token": "IQoJb3JpZ2luX2IQ...COFFEE",
  "aws_s3_server_side_encryption": "true"
}
and apply the updated configuration to the cluster. Writing to an existing configuration name with vault write updates that configuration, using the same sys/storage/raft/snapshot-auto/config/<configuration_name> path as in Step 2. To update the previous AWS S3 example to enable autoloading:
$ vault write \
sys/storage/raft/snapshot-auto/config/paris-primary \
@aws-snapshot.json
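The rules a configuration file has to satisfy are spread across Step 1 (storage settings and size limits) and Step 3 (the autoloading restrictions). The following Python script is an added example, not code from the Vault documentation or the Vault project: it checks a set of configuration files against the rules stated on this page before they are handed to vault write, and masks the static AWS credentials so a configuration can be printed or logged safely. The field names are the ones used in the page's JSON; the function names, the rule set, the message texts and the embedded sample configurations are this example's own, and the azure-blob and google-gcs storage types it lists alongside local and aws-s3 are the other types Vault supports but are not covered by this page.

```python
"""Preflight checks for Vault automated-snapshot configuration files.

Added example, not from the Vault documentation or code base: it applies the rules
this page states to the JSON files before they go to `vault write
sys/storage/raft/snapshot-auto/config/<name>`. Field names come from the page's
examples; the rule set and messages are this example's own.
"""
import re
from datetime import timedelta

# Values of these fields are secrets: never print or log them in clear.
SECRET_FIELDS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")
# The page shows local and aws-s3; azure-blob and google-gcs are Vault's other types.
STORAGE_TYPES = ("local", "aws-s3", "azure-blob", "google-gcs")
_TERM = re.compile(r"(\d+(?:\.\d+)?)(h|m|s)")
_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_go_duration(value):
    """Parse a Go duration string such as '120m', '8h' or '1h30m' into a timedelta."""
    text = str(value).strip()
    terms = _TERM.findall(text)
    # Every character must belong to a <number><unit> term, so '8x' and '' are rejected.
    if not terms or "".join(n + u for n, u in terms) != text:
        raise ValueError(f"not a Go duration: {value!r}")
    return timedelta(seconds=sum(float(n) * _SECONDS[u] for n, u in terms))


def _truthy(value):
    return str(value).lower() == "true"


def check_config(name, cfg):
    """Validate one configuration; returns (errors, warnings) as lists of strings."""
    errors, warnings = [], []
    storage = cfg.get("storage_type")
    if storage not in STORAGE_TYPES:
        errors.append(f"{name}: storage_type {storage!r} is not one of {STORAGE_TYPES}")
    try:
        interval = parse_go_duration(cfg.get("interval", ""))
    except ValueError as exc:
        interval = None
        errors.append(f"{name}: {exc}")
    for field in ("retain", "local_max_space"):
        # Vault accepts integer fields as JSON numbers or numeric strings, as the page does.
        if field in cfg and not (str(cfg[field]).isdigit() and int(cfg[field]) >= 1):
            errors.append(f"{name}: {field} must be a positive integer, got {cfg[field]!r}")
    autoload = _truthy(cfg.get("autoload_enabled", False))
    if storage == "local":
        if "local_max_space" not in cfg:
            errors.append(f"{name}: local storage needs local_max_space")
        if autoload:
            errors.append(f"{name}: autoloading is not supported for local storage")
    elif storage == "aws-s3":
        if not cfg.get("aws_s3_bucket"):
            errors.append(f"{name}: aws-s3 storage needs aws_s3_bucket")
        if cfg.get("aws_access_key_id") or cfg.get("aws_secret_access_key"):
            warnings.append(f"{name}: file embeds static AWS credentials; restrict its "
                            "permissions and keep it out of version control")
    if autoload and storage != "local" and interval and interval < timedelta(hours=1):
        warnings.append(f"{name}: autoload runs at most hourly, so not every "
                        f"{cfg['interval']} snapshot is autoloaded")
    return errors, warnings


def check_all(configs):
    """Validate configurations that will coexist in one cluster."""
    errors, warnings = [], []
    for name, cfg in configs.items():
        e, w = check_config(name, cfg)
        errors += e
        warnings += w
    autoloaders = [n for n, c in configs.items() if _truthy(c.get("autoload_enabled", False))]
    if len(autoloaders) > 1:
        errors.append(f"only one configuration may enable autoloading, found {autoloaders}")
    return errors, warnings


def redact(cfg):
    """Copy of a configuration that is safe to print or log: secret fields masked."""
    return {k: "<redacted>" if k in SECRET_FIELDS and v else v for k, v in cfg.items()}


# Constructed sample input: the page's two configurations, the AWS one with
# autoloading enabled as in Step 3; credential values are the page's placeholders.
EXAMPLE_CONFIGS = {
    "local-snaps": {
        "storage_type": "local", "file_prefix": "localsnappy", "interval": "120m",
        "retain": "7", "local_max_space": "262144000", "path_prefix": "/opt/vault/",
    },
    "paris-primary": {
        "storage_type": "aws-s3", "file_prefix": "paris", "interval": "8h", "retain": 30,
        "autoload_enabled": True, "local_max_space": 2621440000, "path_prefix": "primary",
        "aws_s3_bucket": "vault-snapshots", "aws_s3_region": "eu-west-3",
        "aws_access_key_id": "ASI...COFFEE", "aws_secret_access_key": "wJalr...COFFEEKEY",
        "aws_session_token": "IQoJb3JpZ2luX2IQ...COFFEE",
        "aws_s3_server_side_encryption": "true",
    },
}
```

To use it on real files, load each JSON file with json.load, key the dicts by the configuration name you will pass to vault write, and call check_all on the whole set, since the one-autoloader rule only makes sense across every configuration the cluster will hold. A sub-hourly interval on an autoloading configuration is reported as a warning rather than an error because Vault accepts it and simply autoloads once an hour; embedded static credentials are likewise a warning, because the page's own example uses them, but the redacted copy is the only form that should ever reach a log or a ticket.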