---
layout: docs
page_title: Custom Plugin Backends
sidebar_title: Plugin Backends
description: >-
  Plugin backends are mountable backends that are implemented using Vault's
  plugin system.
---

# Custom Plugin Backends

Plugin backends are the components in Vault that can be implemented separately from Vault's
builtin backends. These backends can be either authentication or secrets engines.

The [`api_addr`][api_addr] must be set in order for the plugin process to establish
communication with the Vault server during mount time. If the storage backend
has HA enabled and supports automatic host address detection (e.g. Consul),
Vault will automatically attempt to determine the `api_addr` as well.

Detailed information regarding the plugin system can be found in the
[internals documentation](/docs/internals/plugins).

# Enabling/Disabling Plugin Backends

Before a plugin backend can be mounted, it needs to be registered via the
[plugin catalog](/docs/internals/plugins#plugin-catalog). After
the plugin is registered, it can be mounted by specifying the registered plugin name:

```shell-session
$ vault secrets enable -path=my-secrets passthrough-plugin
Success! Enabled the passthrough-plugin secrets engine at: my-secrets/
```

Listing secrets engines will display secrets engines that are mounted as
plugins:

```shell-session
$ vault secrets list
Path         Type       Accessor            Plugin              Default TTL  Max TTL  Force No Cache  Replication Behavior  Description
my-secrets/  plugin     plugin_deb84140     passthrough-plugin  system       system   false           replicated
```

Disabling a plugin backend is the identical to disabling internal secrets engines:

```shell-session
$ vault secrets disable my-secrets
```

# Upgrading Plugins

Upgrade instructions can be found in the [Upgrading Plugins - Guides][upgrading_plugins]
page.

[api_addr]: /docs/configuration#api_addr
[upgrading_plugins]: /docs/upgrading/plugins