2017-03-15 18:31:14 +00:00
---
2020-01-18 00:18:09 +00:00
layout: docs
page_title: Replication - Vault Enterprise
description: >-
Vault Enterprise has support for Replication, allowing critical data to be
replicated across clusters to support horizontally scaling and disaster
recovery workloads.
2017-03-15 18:31:14 +00:00
---
2017-09-13 01:48:52 +00:00
# Vault Enterprise Replication
2017-03-15 18:31:14 +00:00
## Overview
2020-01-25 00:18:22 +00:00
-> **Note**: All versions of [Vault Enterprise](https://www.hashicorp.com/products/vault/)
2022-05-09 21:38:35 +00:00
have support for Disaster Recovery replication. Performance Replication requires
2021-09-09 21:36:15 +00:00
Vault Enterprise Premium.
2020-01-25 00:18:22 +00:00
2017-03-15 18:31:14 +00:00
Many organizations have infrastructure that spans multiple datacenters. Vault
provides the critical services of identity management, secrets storage, and
2020-01-18 00:18:09 +00:00
policy management. This functionality is expected to be highly available and
2017-03-15 18:31:14 +00:00
to scale as the number of clients and their functional needs increase; at the
same time, operators would like to ensure that a common set of policies are
enforced globally, and a consistent set of secrets and keys are exposed to
2017-09-13 01:48:52 +00:00
applications that need to interoperate.
2017-03-15 18:31:14 +00:00
2017-09-13 01:48:52 +00:00
Vault replication addresses both of these needs in providing consistency,
scalability, and highly-available disaster recovery.
2017-03-15 18:31:14 +00:00
2023-01-26 00:12:15 +00:00
Note: Using replication requires a storage backend that supports transactional updates, such as [Integrated Storage](/vault/docs/concepts/integrated-storage) or Consul.
2019-09-18 21:19:32 +00:00
2017-03-15 18:31:14 +00:00
## Architecture
2017-09-13 01:48:52 +00:00
The core unit of Vault replication is a **cluster**, which is comprised of a
collection of Vault nodes (an active and its corresponding HA nodes). Multiple Vault
2017-08-15 02:02:02 +00:00
clusters communicate in a one-to-many near real-time flow.
2017-03-15 18:31:14 +00:00
2017-09-13 01:48:52 +00:00
Replication operates on a leader/follower model, wherein a leader cluster (known as a
**primary**) is linked to a series of follower **secondary** clusters. The primary
2017-08-15 02:02:02 +00:00
cluster acts as the system of record and asynchronously replicates most Vault data.
2017-03-15 18:31:14 +00:00
All communication between primaries and secondaries is end-to-end encrypted
2017-08-15 02:02:02 +00:00
with mutually-authenticated TLS sessions, setup via replication tokens which are
2017-03-15 18:31:14 +00:00
exchanged during bootstrapping.
2017-08-15 02:02:02 +00:00
What data is replicated between the primary and secondary depends on the type of
replication that is configured between the primary and secondary. These types
of relationships are either **disaster recovery** or **performance**
relationships.
2021-12-15 01:19:31 +00:00
![](/img/replication-overview.png)
2022-05-09 21:38:35 +00:00
The following table shows a capability comparison between Disaster Recovery and Performance Replication.
2021-12-15 01:19:31 +00:00
2022-05-09 21:38:35 +00:00
| Capability | Disaster Recovery | Performance Replication |
2021-12-15 01:19:31 +00:00
| -------------------------------------------------------------------------------------------------------------------- | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Mirrors the configuration of a primary cluster | Yes | Yes |
| Mirrors the configuration of a primary cluster’ s backends (i.e., auth methods, secrets engines, audit devices, etc.) | Yes | Yes |
| Mirrors the tokens and leases for applications and users interacting with the primary cluster | Yes | No. Secondaries keep track of their own tokens and leases. When the secondary is promoted, applications must reauthenticate and obtain new leases from the newly-promoted primary. |
2022-05-09 21:38:35 +00:00
| Allows the secondary cluster to handle client requests | No | Yes |
2021-12-15 01:19:31 +00:00
## Performance Replication
2017-08-15 02:02:02 +00:00
2022-05-09 21:38:35 +00:00
In Performance Replication, secondaries keep track of their own tokens and leases
2017-08-15 02:02:02 +00:00
but share the underlying configuration, policies, and supporting secrets (K/V values,
2017-09-13 01:48:52 +00:00
encryption keys for `transit`, etc).
2017-08-15 02:02:02 +00:00
2017-09-13 01:48:52 +00:00
If a user action would modify underlying shared state, the secondary forwards the request
to the primary to be handled; this is transparent to the client. In practice, most
2017-09-20 20:05:00 +00:00
high-volume workloads (reads in the `kv` backend, encryption/decryption operations
2017-08-15 02:02:02 +00:00
in `transit`, etc.) can be satisfied by the local secondary, allowing Vault to scale
2017-09-13 01:48:52 +00:00
relatively horizontally with the number of secondaries rather than vertically as
2017-08-15 02:02:02 +00:00
in the past.
2022-05-09 21:38:35 +00:00
### Paths Filter
2021-12-15 01:19:31 +00:00
The primary cluster's mount configuration gets replicated across its secondary
2022-05-09 21:38:35 +00:00
clusters when you enable Performance Replication. In some cases, you may not
2021-12-15 01:19:31 +00:00
want all data to be replicated. For example, your primary cluster is in the EU
region, and you have a secondary cluster outside of the EU region. [General Data
Protection Regulation (GDPR)](https://www.eugdpr.org/) requires that personally
identifiable data not be physically transferred to locations outside the
European Union unless the region or country has an equal rigor of data
protection regulation as the EU.
To comply with GDPR, leverage Vault's **paths filter** feature to abide by
data movements and sovereignty regulations while ensuring performance access
2022-05-09 21:38:35 +00:00
across geographically distributed regions.
2021-12-15 01:19:31 +00:00
You can set filters based on the mount path of the secrets engines and
namespaces.
![Performance Replication - primary](/img/vault-mount-filter-7.png)
In the above example, the `EU_GDPR_data/` path and `office_FR` namespace will
not be replicated and remain only on the primary cluster.
On a similar note, if you want to avoid secondary cluster's data to be
replicated, you can mark those secrets engine and/or auth methods **local**.
Local secrets engines and auth methods are not replicated or removed by
replication.
**Example:** When you enable a secrets engine on a secondary cluster, use the
2022-05-09 21:38:35 +00:00
`-local` flag.
2021-12-15 01:19:31 +00:00
2022-05-09 21:38:35 +00:00
```shell-session
2021-12-15 01:19:31 +00:00
$ vault secrets enable -local -path=us_west_data kv-v2
```
-> **Learn:** Refer to the [Performance Replication with Paths
2023-01-26 00:12:15 +00:00
Filter](/vault/tutorials/enterprise/paths-filter) tutorial for
2021-12-15 01:19:31 +00:00
step-by-step instructions.
## Disaster Recovery (DR) Replication
2017-08-15 02:02:02 +00:00
In disaster recovery (or DR) replication, secondaries share the same underlying configuration,
2020-01-18 00:18:09 +00:00
policy, and supporting secrets (K/V values, encryption keys for `transit`, etc) infrastructure
2017-08-15 02:02:02 +00:00
as the primary. They also share the same token and lease infrastructure as the primary, as
they are designed to allow for continuous operations with applications connecting to the
2017-09-13 01:48:52 +00:00
original primary on the election of the DR secondary.
2017-08-15 02:02:02 +00:00
2017-09-13 01:48:52 +00:00
DR is designed to be a mechanism to protect against catastrophic failure of entire clusters.
They do not forward service read or write requests until they are elected and become a new primary.
2017-08-15 02:02:02 +00:00
2022-07-12 17:17:12 +00:00
-> **Note**: Unlike with Performance Replication, local secret engines, auth methods and audit devices are replicated to a DR secondary.
2017-08-15 02:02:02 +00:00
2023-01-26 00:12:15 +00:00
For more information on the capabilities of performance and disaster recovery replication, see the Vault Replication [API Documentation](/vault/api-docs/system/replication).
2017-03-15 18:31:14 +00:00
2021-01-04 13:35:17 +00:00
## Primary and Secondary Cluster Compatibility
### Storage engines
There is no requirement that both clusters use the same storage engine.
### Seals
There is no requirement that both clusters use the same seal type, but see
2023-01-26 00:12:15 +00:00
[sealwrap](/vault/docs/enterprise/sealwrap#seal-wrap-and-replication) for the full
2021-01-04 13:35:17 +00:00
details.
Also note that enabling replication will modify the secondary seal.
If the secondary uses an auto seal, its recovery configuration and keys
will be replaced; if it uses shamir, its seal configuration and unseal
2021-04-06 17:49:04 +00:00
keys will be replaced. Here seal/recovery configuration means the number of
2021-01-04 15:31:36 +00:00
seal/recovery key fragments and the required threshold of those
fragments.
2021-01-04 13:35:17 +00:00
2021-07-22 19:41:36 +00:00
| Primary Seal | Secondary Seal (before) | Secondary Seal (after) | Secondary Recovery Key (after) | Impact on Secondary of Enabling Replication |
|--------------|-------------------------|----------------------------------------|--------------------------------|-----------------------------------------------------------------------------|
| Shamir | Shamir | Primary's shamir config & unseal keys | N/A | Seal config and unseal keys replaced with primary's |
| Shamir | Auto | Unchanged | Receives primary seal | Seal recovery config and keys replaced with primary's seal config and keys |
| Auto | Auto | Unchanged | Receives primary recovery | Seal recovery config and recovery keys replaced with primary's |
| Auto | Shamir | Receives primary recovery | N/A | Seal config and keys replaced with primary's recovery seal config and keys |
Note: Clusters with Shamir seal config do not have separate recovery keys. Auto includes HSM, Cloud KMS, and Transit auto-unseal.
2021-01-04 13:35:17 +00:00
### Vault versions
Vault changes are designed and tested to ensure that the
2023-01-26 00:12:15 +00:00
[upgrade instructions](/vault/docs/upgrading#replication-installations) are viable, i.e.
2021-01-04 13:35:17 +00:00
that a secondary can run a newer Vault version than its primary.
That said, we do not recommend running replicated Vault clusters with different
versions any longer than necessary to perform the upgrade.
2017-03-15 18:31:14 +00:00
## Internals
Details on the internal design of the replication feature can be found in the
2023-01-26 00:12:15 +00:00
[replication internals](/vault/docs/internals/replication) document.
2017-03-15 18:31:14 +00:00
## Security Model
Vault is trusted all over the world to keep secrets safe. As such, we have put
extreme focus to detail to our replication model as well.
### Primary/Secondary Communication
When a cluster is marked as the primary it generates a self-signed CA
certificate. On request, and given a user-specified identifier, the primary
uses this CA certificate to generate a private key and certificate and packages
these, along with some other information, into a replication bootstrapping
bundle, a.k.a. a secondary activation token. The certificate is used to perform
TLS mutual authentication between the primary and that secondary.
This CA certificate is never shared with secondaries, and no secondary ever has
access to any other secondary’ s certificate. In practice this means that
revoking a secondary’ s access to the primary does not allow it continue
replication with any other machine; it also means that if a primary goes down,
there is full administrative control over which cluster becomes primary. An
attacker cannot spoof a secondary into believing that a cluster the attacker
controls is the new primary without also being able to administratively direct
the secondary to connect by giving it a new bootstrap package (which is an
ACL-protected call).
Vault makes use of Application Layer Protocol Negotiation on its cluster port.
This allows the same port to handle both request forwarding and replication,
even while keeping the certificate root of trust and feature set different.
### Secondary Activation Tokens
A secondary activation token is an extremely sensitive item and as such is
protected via response wrapping. Experienced Vault users will note that the
wrapping format for replication bootstrap packages is different from normal
response wrapping tokens: it is a signed JWT. This allows the replication token
to carry the redirect address of the primary cluster as part of the token. In
most cases this means that simply providing the token to a new secondary is
enough to activate replication, although this can also be overridden when the
token is provided to the secondary.
Secondary activation tokens should be treated like Vault root tokens. If
disclosed to a bad actor, that actor can gain access to all Vault data. It
2020-01-18 00:18:09 +00:00
should therefore be treated with utmost sensitivity. Like all
2017-03-15 18:31:14 +00:00
response-wrapping tokens, once the token is used successfully (in this case, to
activate a secondary) it is useless, so it is only necessary to safeguard it
2020-01-18 00:18:09 +00:00
from one machine to the next. Like with root tokens, HashiCorp recommends that
2017-03-15 18:31:14 +00:00
when a secondary activation token is live, there are multiple eyes on it from
generation until it is used.
Once a secondary is activated, its cluster information is stored safely behind
its encrypted barrier.
2022-10-27 19:14:24 +00:00
## Mutual TLS and Load Balancers
Vault generates its own certificates for cluster members. All replication traffic
uses the cluster port using these Vault-generated certificates after initial
bootstrapping. Because of this, the cluster traffic can NOT be terminated at the
cluster port at a load balancer level.
2022-05-20 01:04:46 +00:00
## Tutorial
2019-10-14 17:31:03 +00:00
Refer to the following tutorials replication setup and best practices:
2023-02-07 04:34:51 +00:00
- [Setting up Performance Replication](/vault/tutorials/enterprise/performance-replication)
- [Disaster Recovery Replication Setup](/vault/tutorials/enterprise/disaster-recovery)
2023-01-26 00:12:15 +00:00
- [Performance Replication with Paths Filters](/vault/tutorials/enterprise/paths-filter)
2023-02-07 04:34:51 +00:00
- [Monitoring Vault Replication](/vault/tutorials/monitoring/monitor-replication)
2017-03-15 18:31:14 +00:00
## API
2017-04-10 13:46:25 +00:00
The Vault replication component has a full HTTP API. Please see the
2023-01-26 00:12:15 +00:00
[Vault Replication API](/vault/api-docs/system/replication) for more
2017-03-16 18:57:06 +00:00
details.