
I have a small instance of Hashicorp Vault, running the Open Source edition. I am using the 'file' storage backend for my configuration. I do not have a need for high-availability and to simplify things, the file backend is adequate for my needs.

/etc/vault.d/vault.hcl

storage "file" {
  path = "/opt/vault/data"
}

However, I do want to take periodic backups of the database state. The documentation on their website demonstrates how to configure backups for the Raft and Consul backends, but not for the 'file' backend. Also, it looks like the "automatic" backup option is only available for the Enterprise Edition.

https://learn.hashicorp.com/tutorials/vault/sop-backup

What is the recommended way to create backups of Vault using the "file" storage backend? Are there any good tools or approaches to automate this? Is it sufficient to just back up the "data" directory, or will that directory occasionally be in an inconsistent "non-synced" state as Vault operates?

Joe J

2 Answers


Since you have a single instance in your Vault server cluster, with the default configuration you can indeed simply back up the filesystem location where the file storage backend is configured. Other storage backends, e.g. Raft, have API endpoints for backups because they involve considerably more complexity, for reasons such as the gossip protocol and replication across the quorum members.

Automatic backups with Vault Enterprise center around the fact that the software comes packaged with a robust tool for backups. This removes the need for you to develop your own tool for automatic backups. For example, I developed a software tool to periodically back up the Raft storage backend in Vault with the Golang bindings and ship it to an S3 bucket. Vault Enterprise removes the need for you to develop something like this yourself.

To directly answer the questions at the end of your post: something like a "snapshot" of the filesystem location that is scheduled with your scheduling tool of choice (cron, pipeline, etc.) and automated with normal software tools, or something small that you can develop yourself.

Matthew Schuchard
  • Thank you for your thoughts. I wondered if I would have to go with cron or similar, but wondered if there were a better way. I suppose that's the up-sell for the enterprise version with the nice auto-backup feature. – Joe J Apr 05 '22 at 19:03
    I think that honestly creating my own automatic backup tool for Vault Raft storage was an interesting experience, and it was not a huge effort. It is indeed less convenient to create your own, but I think there are advantages to the learning process and the potential customization. – Matthew Schuchard Apr 05 '22 at 21:03
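As an added example (not code from the question or from this answer), here is a small POSIX shell script that does what the answer describes for the 'file' backend: archive the storage directory with a timestamped name, record a SHA-256 checksum so a restore point can be verified before it is trusted, and keep only the newest N archives when run from cron. It assumes the `path` value from the storage "file" stanza is passed in, that `sha256sum` is available, and that the directory is quiescent while tar runs (taken from a filesystem snapshot, or while Vault is idle); tar itself gives no atomicity guarantee. All paths are examples only.

```shell
#!/bin/sh
# Added example: cron-friendly backup of Vault's 'file' storage backend.
# Assumption: DATA_DIR is the `path` from the storage "file" stanza and is
# not being written to while the archive is taken.
set -eu

# backup_file_storage DATA_DIR DEST_DIR -> prints the path of the new archive
backup_file_storage() {
    data_dir=$1
    dest_dir=$2
    mkdir -p "$dest_dir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest_dir/vault-file-$stamp.tar.gz"
    # -C makes the archive relative so it can be restored to any location
    tar -C "$(dirname "$data_dir")" -czf "$archive" "$(basename "$data_dir")"
    # Checksum next to the archive; verified before restore and after shipping offsite
    (cd "$dest_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    # The contents are barrier-encrypted, but keep the files private anyway
    chmod 600 "$archive" "$archive.sha256"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> 0 if the checksum matches and the archive lists cleanly
verify_backup() {
    archive=$1
    (cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256") || return 1
    tar -tzf "$archive" >/dev/null || return 1
}

# prune_backups DEST_DIR KEEP -> delete all but the newest KEEP archives (and their checksums)
prune_backups() {
    dest_dir=$1
    keep=$2
    # Timestamps sort lexically, so newest-first is a plain reverse sort
    ls -1 "$dest_dir"/vault-file-*.tar.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# Example cron entry (assumption, adjust paths):
# 0 2 * * * /usr/local/bin/vault-file-backup.sh
# where the script ends with:
#   a=$(backup_file_storage /opt/vault/data /var/backups/vault)
#   verify_backup "$a" && prune_backups /var/backups/vault 14
```

The verify step is what you run before copying the archive anywhere and again on the copy; a backup that fails `verify_backup` should be treated as absent, not as a degraded restore point.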

If it's not too late, I would advise against using the file storage backend. The problem is that you can't guarantee that the backup you take will be atomic. You could end up backing up a file that Vault has not yet flushed to, or capture some intermediate state, leaving you with backups that are "corrupted" randomly.

Use the raft integrated storage instead. It still ends up in the file system (as a hierarchy of files), but Vault has a command to generate a snapshot of the storage:

vault operator raft snapshot save my-backup.raft

Raft will also ease the migration to multi-node failover and automated backups (Vault Enterprise) if the need arises.

ixe013
    Thanks for the information on this. I'll see if I can go with the raft storage. I was wondering about the atomicity of changes with the file backend. – Joe J Apr 05 '22 at 19:01
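As an added example (not code from this answer or from HashiCorp), here is a shell script covering the path this answer recommends: a one-time migration of the existing 'file' data into Raft integrated storage using `vault operator migrate`, followed by the `vault operator raft snapshot save` command the answer shows, wrapped so a half-written snapshot is never left under the final name, and the matching restore command. Assumptions: the migration is run while the Vault server is stopped (the migrate command requires this), the paths, `node_id` and `cluster_addr` values are placeholders rather than values from the question, and `VAULT_ADDR`/`VAULT_TOKEN` are already set for the snapshot and restore calls with a token permitted to use the snapshot endpoints.

```shell
#!/bin/sh
# Added example: file -> raft migration, then raft snapshot save/restore.
# Placeholders throughout; VAULT_BIN can point at a specific vault binary.
set -eu

# write_migrate_config FILE_PATH RAFT_PATH NODE_ID OUT_FILE
# Writes the config consumed by 'vault operator migrate -config'.
write_migrate_config() {
    cat > "$4" <<EOF
storage_source "file" {
  path = "$1"
}

storage_destination "raft" {
  path    = "$2"
  node_id = "$3"
}

# Required when the destination is raft; placeholder address.
cluster_addr = "https://127.0.0.1:8201"
EOF
}

# migrate_file_to_raft CONFIG  (one-time, with the Vault server stopped)
migrate_file_to_raft() {
    "${VAULT_BIN:-vault}" operator migrate -config "$1"
}

# raft_snapshot DEST_DIR -> prints the path of the snapshot just written
raft_snapshot() {
    dest_dir=$1
    mkdir -p "$dest_dir"
    snap="$dest_dir/vault-raft-$(date -u +%Y%m%dT%H%M%SZ).snap"
    # Save under a .partial name and rename only on success, so a job that
    # ships *.snap offsite never picks up an incomplete file.
    "${VAULT_BIN:-vault}" operator raft snapshot save "$snap.partial"
    [ -s "$snap.partial" ] || { rm -f "$snap.partial"; return 1; }
    mv "$snap.partial" "$snap"
    chmod 600 "$snap"
    printf '%s\n' "$snap"
}

# raft_restore SNAP [force]
# A same-cluster restore needs no flag. 'force' is for a snapshot taken on a
# different cluster; Vault must then be unsealed with that cluster's keys.
raft_restore() {
    if [ "${2:-}" = force ]; then
        "${VAULT_BIN:-vault}" operator raft snapshot restore -force "$1"
    else
        "${VAULT_BIN:-vault}" operator raft snapshot restore "$1"
    fi
}

# Typical use (assumed paths):
#   write_migrate_config /opt/vault/data /opt/vault/raft vault-1 /etc/vault.d/migrate.hcl
#   migrate_file_to_raft /etc/vault.d/migrate.hcl      # once, server stopped
#   raft_snapshot /var/backups/vault                   # from cron, server running
```

After the migration the server config's storage stanza must point at the raft path and node_id used above before Vault is started again; the snapshot file is the only artifact that needs to leave the host, and restoring it is an API operation rather than a filesystem copy, which is what removes the atomicity problem described in the answer.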