Hashicorp Vault Backup with file backend


I have a small instance of Hashicorp Vault, running the Open Source edition. I am using the 'file' storage backend for my configuration. I do not have a need for high-availability and to simplify things, the file backend is adequate for my needs.

/etc/vault.d/vault.hcl

storage "file" {
  path = "/opt/vault/data"
}

However, I do want to take periodic backups of the database state. The documentation on their website demonstrates how to configure backups for the Raft and Consul backends, but not for the 'file' backend. Also, it looks like the "automatic" backup option is only available for the Enterprise Edition.

https://learn.hashicorp.com/tutorials/vault/sop-backup

What is the recommended way to create backups of Vault using the "file" storage backend? Are there any good tools or approaches to automate this? Is it sufficient to just back up the "data" directory, or will that directory occasionally be in an inconsistent "non-synced" state as Vault operates?


Matthew Schuchard

Since you have a single instance in your Vault server cluster, then with the default configuration you can indeed simply back up the filesystem location where the file storage backend is configured. Other storage backends, e.g. Raft, have API endpoints for backups, because they require considerably more complexity for reasons such as the gossip protocol and replication across the quorum members.

Automatic backups with Vault Enterprise center around the fact that the software comes packaged with a robust tool for backups. This removes the need for you to develop your own tool for automatic backups. For example, I developed a software tool to periodically back up the Raft storage backend in Vault with the Golang bindings and ship it to an S3 bucket. Vault Enterprise removes the need for you to develop something like this yourself.

To directly answer the question at the end of the question: something like a "snapshot" at the filesystem location that is scheduled with your scheduling tool of choice (cron, pipeline, etc.), and automated with normal software tools, or something small that you can develop yourself.

ixe013

If it's not too late, I would advise against using the file storage backend. The problem is that you can't guarantee that the backup you take will be atomic. You could end up backing up a file that Vault has not yet flushed to, or capture some intermediate state, leaving you with backups that are "corrupted" randomly.

Use the raft integrated storage instead. It still ends up in the file system (as a hierarchy of files), but Vault has a command to generate a snapshot of the storage:

vault operator raft snapshot save my-backup.raft

Raft will also ease the migration to multi-node failover and automated backups (Vault Enterprise) if the need arises.
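Putting the two answers together, here is an added example (not code from the question or either answer): a shell script that takes the scheduled filesystem backup from the first answer and checks for the mid-backup write that the second answer warns about, by fingerprinting the data directory before and after the tar run and discarding any archive taken while the state changed. The script name, paths, retry count and the presence of GNU-style `tar`, `find` and `sha256sum` are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or either answer:
# archive a Vault 'file' storage backend directory and detect
# whether Vault wrote to it during the archive run, which is the
# atomicity problem the second answer raises.
# Requires tar, find and sha256sum; paths here are assumptions.
set -eu

# Content fingerprint of the data directory: the sha256 of every
# file's sha256, sorted by path. Hashing contents rather than mtimes
# also catches same-size overwrites.
vault_fs_manifest() {
    local data_dir="$1"
    find "$data_dir" -type f -exec sha256sum {} + | sort | sha256sum | cut -d' ' -f1
}

# backup_vault_file_backend DATA_DIR DEST_DIR [MAX_TRIES]
# Writes DEST_DIR/vault-file-<UTC stamp>.tar.gz plus a .sha256 sidecar
# and prints the archive path. Returns 1 when every attempt overlapped
# a write, so cron or a pipeline can alert on the non-zero exit.
backup_vault_file_backend() {
    local data_dir="$1" dest_dir="$2" max_tries="${3:-3}"
    local stamp archive before after
    mkdir -p "$dest_dir"
    for _ in $(seq 1 "$max_tries"); do
        stamp=$(date -u +%Y%m%dT%H%M%SZ)
        archive="$dest_dir/vault-file-$stamp.tar.gz"
        before=$(vault_fs_manifest "$data_dir")
        # -C keeps paths relative so the archive restores into any directory.
        tar -czf "$archive" -C "$data_dir" .
        after=$(vault_fs_manifest "$data_dir")
        if [ "$before" = "$after" ]; then
            # Sidecar checksum: truncation or tampering of the archive at
            # rest is detectable before a restore is attempted.
            (cd "$dest_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
            echo "$archive"
            return 0
        fi
        rm -f "$archive"   # state changed mid-archive: discard and retry
        sleep 1
    done
    echo "backup aborted: $data_dir changed during every attempt" >&2
    return 1
}

# Stand-alone use: ./vault_file_backup.sh /opt/vault/data /var/backups/vault
if [ "$#" -ge 2 ]; then
    backup_vault_file_backend "$1" "$2" "${3:-3}"
fi
```

The check only tells you that the directory was quiet for the duration of the archive; a failing run is a signal to retry during a lower-write window, not a backup to keep.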