open-vault/website/source/guides/operations/index.html.md

---
layout: "guides"
page_title: "Vault Operations - Guides"
sidebar_title: "Vault Operations"
sidebar_current: "guides-operations"
description: |-
  Vault architecture guide covers Vault infrastructure discussions including
  installation.   
---

# Vault Operations

Vault Operations guides address Vault infrastructure discussions.  These
guides are designed to help the operations team to plan and install a Vault
cluster that meets your organization's needs.

- [Vault Reference Architecture](/guides/operations/reference-architecture.html)
guide provides guidance in the best practices of _Vault Enterprise_ implementations
through use of a reference architecture. This example is to convey a general
architecture, which is likely to be adapted to accommodate the specific needs of
each implementation.

- [Vault Deployment Guide](/guides/operations/deployment-guide.html) covers the
steps required to install and configure a single HashiCorp Vault cluster as
defined in the Vault Reference Architecture.

- [Vault HA with Consul](/guides/operations/vault-ha-consul.html) guide
walks you through a simple Vault HA cluster implementation which is backed by
[HashiCorp Consul](https://www.consul.io/intro/index.html).

- [Production Hardening](/guides/operations/production.html) guide provides
guidance on best practices for a production hardened deployment of Vault.
The recommendations are based on the [security model](/docs/internals/security.html)
and focus on defense in depth.

- [Root Token Generation](/guides/operations/generate-root.html) guide
demonstrates the workflow of regenerating root tokens. It is considered to be a
best practice not to persist the initial **root** token. If a root token needs
to be regenerated, this guide helps you walk through the task.

- [Rekeying & Rotating](/guides/operations/rekeying-and-rotating.html) guide
provides a high-level overview of Shamir's Secret Sharing Algorithm, and how to
perform _rekey_ and _rotate_ operations in Vault.

- [Building Plugin Backends](/guides/operations/plugin-backends.html) guide
provides steps to build, register, and mount non-database external plugin
backends.


## Vault Enterprise

- [Replication Setup & Guidance](/guides/operations/replication.html)
walks you through the commands to activate the Vault servers in replication mode.
Please note that [Vault Replication](/docs/vault-enterprise/replication/index.html)
is a Vault Enterprise feature.

- [Disaster Recovery Replication Setup](/guides/operations/disaster-recovery.html)
guide provides step-by-step instruction of setting up a disaster recovery (DR)
cluster.

- [Mount Filter](/guides/operations/mount-filter.html)
guide demonstrates how to selectively filter out secret engines from being
replicated across clusters. This feature can help organizations to comply with
***General Data Protection Regulation (GDPR)***.

- [Performance Standby Nodes](/guides/operations/performance-nodes.html) guide
describes how Vault HA works with performance standby nodes.

- [Multi-Tenant Pattern with Namespaces](/guides/operations/multi-tenant.html)
guide discuss a pattern to isolate secrets using ACL Namespaces.

- [Vault Auto-unseal using AWS Key Management Service (KMS)](/guides/operations/autounseal-aws-kms.html) guide demonstrates an example of
how to use Terraform to provision an instance that utilizes an encryption key
from AWS Key Management Service (KMS).

- [Seal Wrap / FIPS 140-2](/guides/operations/seal-wrap.html)
guide demonstrates how Vault's seal wrap feature works to encrypt your secrets
leveraging FIPS 140-2 certified HSM.

- [Vault Cluster Monitoring Guide](/guides/operations/monitoring.html) walks
you through Vault cluster monitoring with telemetry collected by
[Telegraf](https://www.influxdata.com/time-series-platform/telegraf/) and
forwarded to
[InfluxDB](https://www.influxdata.com/time-series-platform/influxdb/) and
[Grafana](https://grafana.com/) for analysis.
Re-categorized the guides on the navigation 2018-01-26 23:13:15 +00:00			`---`
			`layout: "guides"`
Incorporated review comments 2018-02-01 17:50:59 +00:00			`page_title: "Vault Operations - Guides"`
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads 2018-10-19 15:40:11 +00:00			`sidebar_title: "Vault Operations"`
Re-categorized the guides on the navigation 2018-01-26 23:13:15 +00:00			`sidebar_current: "guides-operations"`
			`description: \|-`
			`Vault architecture guide covers Vault infrastructure discussions including`
			`installation.`
			`---`

Incorporated review comments 2018-02-01 17:50:59 +00:00			`# Vault Operations`
Re-categorized the guides on the navigation 2018-01-26 23:13:15 +00:00
Incorporated review comments 2018-02-01 17:50:59 +00:00			`Vault Operations guides address Vault infrastructure discussions. These`
Re-categorized the guides on the navigation 2018-01-26 23:13:15 +00:00			`guides are designed to help the operations team to plan and install a Vault`
			`cluster that meets your organization's needs.`

Transit rewrap (#4091) * Adding new guides * Replaced backend with engine * Grammar for the encryption guide * Grammar and Markdown style for the Transite Rewrap guide See https://github.com/hashicorp/engineering-docs/blob/master/writing/markdown.md for notes on numbered Markdown lists. * grammar and wording updates for ref arch guide * Updating replication diagram * Removing multi-tenant pattern guide * Added a note 'Enterprise Only' * Removing multi-tenant pattern guide * Modified the topic order * Grammar and Markdown formatting * Grammar, Markdown syntax, and phrasing * Grammar and Markdown syntax * Replaced 'backend' with appropriate terms * Added a note clarifying that replication is an enterprise-only feature * Updated the diagram & added additional resource links * update some grammar and ordering * Removed the inaccurate text in index for EaaS 2018-03-19 21:56:45 +00:00			`- [Vault Reference Architecture](/guides/operations/reference-architecture.html)`
			`guide provides guidance in the best practices of _Vault Enterprise_ implementations`
			`through use of a reference architecture. This example is to convey a general`
			`architecture, which is likely to be adapted to accommodate the specific needs of`
			`each implementation.`
Vault HA with Consul guide (#4187) * Vault HA guide draft * Fixed node_id to say node_name based on Brian's input * Fixed the unwanted hyperlink * Vault HA guide * Updated the description of the Vault HA guide * Typo fixes * Added a reference to Vault HA with Consule guide * Incorporated Teddy's feedback * Fixed an env var name * Vault configuration has been updated: 'api_addr' 2018-04-04 15:25:06 +00:00
Added Deployment Guide in the index (#5211) 2018-08-28 17:55:30 +00:00			`- [Vault Deployment Guide](/guides/operations/deployment-guide.html) covers the`
			`steps required to install and configure a single HashiCorp Vault cluster as`
			`defined in the Vault Reference Architecture.`

Vault HA with Consul guide (#4187) * Vault HA guide draft * Fixed node_id to say node_name based on Brian's input * Fixed the unwanted hyperlink * Vault HA guide * Updated the description of the Vault HA guide * Typo fixes * Added a reference to Vault HA with Consule guide * Incorporated Teddy's feedback * Fixed an env var name * Vault configuration has been updated: 'api_addr' 2018-04-04 15:25:06 +00:00			`- [Vault HA with Consul](/guides/operations/vault-ha-consul.html) guide`
			`walks you through a simple Vault HA cluster implementation which is backed by`
			`[HashiCorp Consul](https://www.consul.io/intro/index.html).`

Fixing docs links and adding redirects for new guides (#3939) * updating links * updating links * updating links * updating links * updating links * adding redirects 2018-02-08 00:29:07 +00:00			`- [Production Hardening](/guides/operations/production.html) guide provides`
			`guidance on best practices for a production hardened deployment of Vault.`
Re-categorized the guides on the navigation 2018-01-26 23:13:15 +00:00			`The recommendations are based on the [security model](/docs/internals/security.html)`
			`and focus on defense in depth.`
Vault HA with Consul guide (#4187) * Vault HA guide draft * Fixed node_id to say node_name based on Brian's input * Fixed the unwanted hyperlink * Vault HA guide * Updated the description of the Vault HA guide * Typo fixes * Added a reference to Vault HA with Consule guide * Incorporated Teddy's feedback * Fixed an env var name * Vault configuration has been updated: 'api_addr' 2018-04-04 15:25:06 +00:00
Vault DR Replication Setup Guide (#4790) * WIP DR setup guide * Fix typos * Added the steps to demote & disable primary * Clarified some of the explanation 2018-06-21 15:42:35 +00:00			`- [Root Token Generation](/guides/operations/generate-root.html) guide`
			`demonstrates the workflow of regenerating root tokens. It is considered to be a`
			`best practice not to persist the initial root token. If a root token needs`
			`to be regenerated, this guide helps you walk through the task.`

			`- [Rekeying & Rotating](/guides/operations/rekeying-and-rotating.html) guide`
			`provides a high-level overview of Shamir's Secret Sharing Algorithm, and how to`
			`perform _rekey_ and _rotate_ operations in Vault.`

			`- [Building Plugin Backends](/guides/operations/plugin-backends.html) guide`
			`provides steps to build, register, and mount non-database external plugin`
			`backends.`



			`## Vault Enterprise`

			`- [Replication Setup & Guidance](/guides/operations/replication.html)`
Re-categorized the guides on the navigation 2018-01-26 23:13:15 +00:00			`walks you through the commands to activate the Vault servers in replication mode.`
			`Please note that [Vault Replication](/docs/vault-enterprise/replication/index.html)`
			`is a Vault Enterprise feature.`
Vault HA with Consul guide (#4187) * Vault HA guide draft * Fixed node_id to say node_name based on Brian's input * Fixed the unwanted hyperlink * Vault HA guide * Updated the description of the Vault HA guide * Typo fixes * Added a reference to Vault HA with Consule guide * Incorporated Teddy's feedback * Fixed an env var name * Vault configuration has been updated: 'api_addr' 2018-04-04 15:25:06 +00:00
Vault DR Replication Setup Guide (#4790) * WIP DR setup guide * Fix typos * Added the steps to demote & disable primary * Clarified some of the explanation 2018-06-21 15:42:35 +00:00			`- [Disaster Recovery Replication Setup](/guides/operations/disaster-recovery.html)`
			`guide provides step-by-step instruction of setting up a disaster recovery (DR)`
			`cluster.`

			`- [Mount Filter](/guides/operations/mount-filter.html)`
Mount Filters guide (#4536) * WIP: Mount filter guide * WIP * Mount filter guide for CLI, API, and UI * updated the next step * Updated the verification steps * Added a note about the unseal key on secondaries * Added more details * Added a reference to mount filter guide * Added a note about generating a new root token * Added a note about local secret engine 2018-05-22 15:57:36 +00:00			`guide demonstrates how to selectively filter out secret engines from being`
			`replicated across clusters. This feature can help organizations to comply with`
Seal Wrap / FIPS 140-2 Compliance guide (#4558) * WIP - Seal Wrap guide * WIP: Seal Wrap guide * Added a brief description about the Seal Wrap guide * Incorporated feedbacks * Updated FIPS language Technically everything looks great. I've updated some of the language here as "compliance" could be interpreted to mean that golang's crypto and xcrypto libraries have been certified compliant with FIPS. Unfortunately they have not, and Leidos' cert is only about how Vault can operate in tandem with FIPS-certified modules. It's a very specific update, but it's an important one for some VE customers. Looks great - thanks! * Removed 'Compliance' from title * typo fix 2018-05-22 18:23:11 +00:00			`*General Data Protection Regulation (GDPR)*.`
Mount Filters guide (#4536) * WIP: Mount filter guide * WIP * Mount filter guide for CLI, API, and UI * updated the next step * Updated the verification steps * Added a note about the unseal key on secondaries * Added more details * Added a reference to mount filter guide * Added a note about generating a new root token * Added a note about local secret engine 2018-05-22 15:57:36 +00:00
[Guide] Performance Standby Nodes (#5272) * Performance Standby Nodes guide * Added a link in the Vault HA guide * Added links * Clarified the node selection info * Incorporated feedback * Added 'when the Enterprise license includes this feature' * Fixed the label: server 8 -> VM8 * Incorporated the feedback 2018-09-11 22:22:36 +00:00			`- [Performance Standby Nodes](/guides/operations/performance-nodes.html) guide`
			`describes how Vault HA works with performance standby nodes.`

			`- [Multi-Tenant Pattern with Namespaces](/guides/operations/multi-tenant.html)`
			`guide discuss a pattern to isolate secrets using ACL Namespaces.`
[Guide] Multi-Tenant Pattern with ACL Namespaces (0.11) (#5103) * WIP - ACL Namespace * WIP - ACL Namepaces * WIP * WIP * WIP * WIP * WIP * Added UI screenshots * Added summary at the end * Added the Web UI steps in Step 5 * Update multi-tenant.html.md Updated text to ensure that we use the final "ship" name of namespaces (namespaces vs. ACL Namespaces) and introduced some industry-specific terminology (highlighting this is about Secure Multi-Tenancy) 2018-08-16 23:51:53 +00:00
Vault DR Replication Setup Guide (#4790) * WIP DR setup guide * Fix typos * Added the steps to demote & disable primary * Clarified some of the explanation 2018-06-21 15:42:35 +00:00			`- [Vault Auto-unseal using AWS Key Management Service (KMS)](/guides/operations/autounseal-aws-kms.html) guide demonstrates an example of`
Versioned KV secret engine (kv-v2) tutorial (#4367) * Added versioned kv secret engine tutorial * Added check-and-set feature * Fixed archived -> deleted * Incorporated all suggested changes 2018-04-17 21:42:14 +00:00			`how to use Terraform to provision an instance that utilizes an encryption key`
Auto Unseal with AWS KMS guide (#4277) * WIP * Added auto unseal * Converting to a guide * Added little more explanations * Minor fixes * Fixed a typo * Fixed a typo * Changed auto unseal to auto-unseal * Found more typo... fixed 2018-04-05 20:28:39 +00:00			`from AWS Key Management Service (KMS).`

Vault DR Replication Setup Guide (#4790) * WIP DR setup guide * Fix typos * Added the steps to demote & disable primary * Clarified some of the explanation 2018-06-21 15:42:35 +00:00			`- [Seal Wrap / FIPS 140-2](/guides/operations/seal-wrap.html)`
Seal Wrap / FIPS 140-2 Compliance guide (#4558) * WIP - Seal Wrap guide * WIP: Seal Wrap guide * Added a brief description about the Seal Wrap guide * Incorporated feedbacks * Updated FIPS language Technically everything looks great. I've updated some of the language here as "compliance" could be interpreted to mean that golang's crypto and xcrypto libraries have been certified compliant with FIPS. Unfortunately they have not, and Leidos' cert is only about how Vault can operate in tandem with FIPS-certified modules. It's a very specific update, but it's an important one for some VE customers. Looks great - thanks! * Removed 'Compliance' from title * typo fix 2018-05-22 18:23:11 +00:00			`guide demonstrates how Vault's seal wrap feature works to encrypt your secrets`
			`leveraging FIPS 140-2 certified HSM.`
[Guide] Vault Cluster Monitoring Guide (#5084) * Vault cluster monitoring guide * Updated the download link * Fixed broken link 2018-08-10 20:52:02 +00:00
			`- [Vault Cluster Monitoring Guide](/guides/operations/monitoring.html) walks`
			`you through Vault cluster monitoring with telemetry collected by`
			`[Telegraf](https://www.influxdata.com/time-series-platform/telegraf/) and`
			`forwarded to`
			`[InfluxDB](https://www.influxdata.com/time-series-platform/influxdb/) and`
			`[Grafana](https://grafana.com/) for analysis.`