open-vault/website/content/docs/concepts/recovery-mode.mdx

---
layout: docs
page_title: Recovery Mode
description: Recovery mode allows for doing surgery on a Vault that won't start.
---

# Recovery Mode

Vault can be started using the `-recovery` flag to bring it up in Recovery Mode.

In recovery mode, Vault:

- is automatically unsealed once a recovery token is issued
- apart from recovery token operations, only supports the `sys/raw` endpoint
- `raw` requests must be authenticated using a recovery token
- won't form clusters or handle requests forwarded by standbys

## Recovery tokens

Recovery tokens are issued in much the same way as root tokens are generated:
the API is basically the same, only using a different endpoint. Unlike root
tokens, the recovery token is not persisted, so if Vault is restarted into
recovery mode a new one must be generated.

Only a single recovery token can be generated. If lost, restart Vault and
generate a new one.

## Raw requests

Requests can be issued to `sys/raw` in just the same way as in regular Vault
server mode. The only difference is that in recovery mode, `X-Vault-Token`
must contain a recovery token instead of a service or batch token.

## Raft rejoin

Raft integrated storage is the immediate motivation for recovery mode. With
other backends it was always possible to delete data directly from a storage
backend, but that's impractical with a Raft backend. That said, recovery mode
works with any backend.

In order to bring the Vault server up reliably, using any node's raft data,
recovery mode Vault automatically resizes the cluster to size 1. This means
that after having used recovery mode, part of the procedure for returning to
active service must include rejoining the raft cluster.

If Raft is used exclusively for `ha_storage`, recovery mode will not allow for
changes to the Raft data but instead allow for modification of the underlying
physical data that is associated with Vault's storage backend.
Add recovery mode docs. (#7667) 2019-10-29 20:42:47 +00:00			`---`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`layout: docs`
			`page_title: Recovery Mode`
			`description: Recovery mode allows for doing surgery on a Vault that won't start.`
Add recovery mode docs. (#7667) 2019-10-29 20:42:47 +00:00			`---`

			`# Recovery Mode`

			Vault can be started using the `-recovery` flag to bring it up in Recovery Mode.

			`In recovery mode, Vault:`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00
Add recovery mode docs. (#7667) 2019-10-29 20:42:47 +00:00			`- is automatically unsealed once a recovery token is issued`
			- apart from recovery token operations, only supports the `sys/raw` endpoint
			- `raw` requests must be authenticated using a recovery token
			`- won't form clusters or handle requests forwarded by standbys`

			`## Recovery tokens`

			`Recovery tokens are issued in much the same way as root tokens are generated:`
			`the API is basically the same, only using a different endpoint. Unlike root`
			`tokens, the recovery token is not persisted, so if Vault is restarted into`
			`recovery mode a new one must be generated.`

			`Only a single recovery token can be generated. If lost, restart Vault and`
			`generate a new one.`

			`## Raw requests`

			Requests can be issued to `sys/raw` in just the same way as in regular Vault
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			server mode. The only difference is that in recovery mode, `X-Vault-Token`
Add recovery mode docs. (#7667) 2019-10-29 20:42:47 +00:00			`must contain a recovery token instead of a service or batch token.`

			`## Raft rejoin`

New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`Raft integrated storage is the immediate motivation for recovery mode. With`
Add recovery mode docs. (#7667) 2019-10-29 20:42:47 +00:00			`other backends it was always possible to delete data directly from a storage`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`backend, but that's impractical with a Raft backend. That said, recovery mode`
Add recovery mode docs. (#7667) 2019-10-29 20:42:47 +00:00			`works with any backend.`

			`In order to bring the Vault server up reliably, using any node's raft data,`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`recovery mode Vault automatically resizes the cluster to size 1. This means`
Add recovery mode docs. (#7667) 2019-10-29 20:42:47 +00:00			`that after having used recovery mode, part of the procedure for returning to`
			`active service must include rejoining the raft cluster.`
raft: add support for using backend for ha_storage (#9193) * raft: initial work on raft ha storage support * add note on join * add todo note * raft: add support for bootstrapping and joining existing nodes * raft: gate bootstrap join by reading leader api address from storage * raft: properly check for raft-only for certain conditionals * raft: add bootstrap to api and cli * raft: fix bootstrap cli command * raft: add test for setting up new cluster with raft HA * raft: extend TestRaft_HA_NewCluster to include inmem and consul backends * raft: add test for updating an existing cluster to use raft HA * raft: remove debug log lines, clean up verifyRaftPeers * raft: minor cleanup * raft: minor cleanup * Update physical/raft/raft.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Update vault/ha.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Update vault/ha.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Update vault/logical_system_raft.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Update vault/raft.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Update vault/raft.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * address feedback comments * address feedback comments * raft: refactor tls keyring logic * address feedback comments * Update vault/raft.go Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com> * Update vault/raft.go Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com> * address feedback comments * testing: fix import ordering * raft: rename var, cleanup comment line * docs: remove ha_storage restriction note on raft * docs: more raft HA interaction updates with migration and recovery mode * docs: update the raft join command * raft: update comments * raft: add missing isRaftHAOnly check for clearing out state set earlier * raft: update a few ha_storage config checks * Update command/operator_raft_bootstrap.go Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com> * raft: address feedback comments * raft: fix panic when checking for config.HAStorage.Type * Update vault/raft.go Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com> * Update website/pages/docs/commands/operator/raft.mdx Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com> * raft: remove bootstrap cli command * Update vault/raft.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Update vault/raft.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft: address review feedback * raft: revert vendored sdk * raft: don't send applied index and node ID info if we're HA-only Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com> Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com> 2020-06-23 19:04:13 +00:00
			If Raft is used exclusively for `ha_storage`, recovery mode will not allow for
			`changes to the Raft data but instead allow for modification of the underlying`
			`physical data that is associated with Vault's storage backend.`