open-vault/website/content/docs/concepts/storage.mdx

116 lines
5.0 KiB
Plaintext

---
layout: docs
page_title: Storage
sidebar_title: Storage
description: >-
Vault relies on external storage to save its durable information.
---
# Storage
As described on our [Architecture](/docs/internals/architecture) page, Vault's
storage backend is untrusted storage used purely to keep encrypted information.
## Supported Storage Backends
For enterprise customers, HashiCorp provides official support for Consul and
Vault's Integrated Storage as storage backends.
Many other options for storage are available with community support - see our
[Storage Configuration](/docs/configuration/storage) section for more
information.
-> **Choosing a storage backend:** Refer to the [integrated storage vs. external
storage](/docs/configuration/storage#integrated-storage-vs-external-storage)
section of the storage configuration page to help make a decision about which
storage backend to use.
## Backups
Due to the highly flexible nature of Vault's potential storage configurations,
providing exact guidance on backing up Vault is challenging.
When backing up Vault, there are two pieces to consider:
1. Vault's encrypted data in the storage backend
2. Configuration files and management scripts for running the Vault server
There's also a big question - what is the error case you're trying to guard
against by saving a backup?
### The Big Question - Why Take Backups?
It's important to consider the question of "why take a backup" while developing
your ongoing backup and disaster recovery strategy.
Taking a backup is recommended prior to upgrades, as downgrading Vault storage
is not always possible. Generally, a backup is recommended any time a major
change is planned for a cluster.
More specifically, we recommend taking backups **before**, but not during, write
operations to the `/sys` API (excluding the `/sys/leases`, `/sys/namespaces`,
`/sys/tools`, `/sys/wrapping`, `/sys/policies`, and `/sys/pprof` endpoints).
Some examples of workflows that write to the `/sys` API are upgrades and rekeys.
In the future, this guidance may change for the Integrated Storage backend.
Backups _can_ also help with accidental data deletions or modifications. In
this case, the story can get a little tricky. If you simply recover a backup
from 5AM with the correct data, but the current time is 10AM, you will lose data
written between 5 and 10AM. Lucy Davinhart gave a HashiConf talk that serves as
an interesting [case
study](https://www.hashicorp.com/resources/oh-no-i-deleted-my-vault-secret).
We do not recommend backups as protection against the failure of an individual
machine. Vault servers can run in clusters, so to protect against server
failure, we recommend running Vault in [HA
mode](/docs/internals/high-availability). With open source features, a
Vault cluster can extend across multiple availability zones within a region.
Vault Enterprise supports replicated clusters and disaster recovery for data
center failure. When using OSS Vault in [HA
Mode](/docs/internals/high-availability), a backup can help guard against the
failure of a data center.
Ultimately, backups are not a replacement for running in HA, or for using
replication with Vault Enterprise. As you develop a plan for recovering from or
guarding against failure, you should consider both backups and HA as critical
components of that plan.
### Backing up Vault's Persisted Data
Backups and restores are ideally performed while Vault is offline. If offline
backups are not feasible, we recommend using a storage backend that supports
atomic snapshots (such as
[Consul](https://www.consul.io/docs/commands/snapshot.html) or [Integrated
Storage](/docs/commands/operator/raft#snapshot)).
~> If your storage backend does not support atomic snapshots, we recommend only
taking offline backups.
To perform a backup or restore of Vault's encrypted data when using a
HashiCorp-supported storage backend, see the instructions linked below. For
other storage backends, follow the documentation of that backend for taking and
restoring backups.
- Integrated Storage [snapshots](/docs/commands/operator/raft#snapshot)
- Consul [snapshots](https://www.consul.io/docs/commands/snapshot.html)
#### Backing up Multiple Clusters
If you are using Vault Enterprise [Performance
Replication](/docs/enterprise/replication#performance-replication-and-disaster-recovery-dr-replication),
you should plan to take backups of the active node on each of your clusters.
### Configuration
In addition to backing up Vault's encrypted data via the storage backend, you
may also wish to save the server configuration files, any scripts for managing
the Vault service, and ensure you can reinstall any user-installed plugins. The
location of these files will be specific to your installation of Vault.
~> **NOTE**: Although a backup or snapshot of Vault's data from the storage
backend is encrypted, some of your configuration may be sensitive (a Vault token
for Transit Autounseal or a TLS private key in your configuration, for example).
The presence of this information in your backups will mean that they may need
to be carefully protected.