storage stanza

The storage stanza configures the storage backend, which represents the location for the durable storage of Vault's information. Each backend has pros, cons, advantages, and trade-offs. For example, some backends support high availability while others provide a more robust backup and restoration process. For information about a specific backend, choose one from the navigation on the left.

Configuration

Storage backend configuration is done through the Vault configuration file using the storage stanza:

storage [NAME] {
  [PARAMETERS...]
}

For example:

storage "file" {
  path = "/mnt/vault/data"
}

For configuration options which also read an environment variable, the environment variable will take precedence over values in the configuration file.

Integrated storage vs. external storage

HashiCorp recommends using Vault's integrated storage for most use cases rather than configuring another system to store Vault data externally. (Integrated Storage is an embedded Vault data storage available in Vault 1.4 or later.) Prior to Vault 1.4, Consul was the recommended Vault storage.

NOTE: HCP Vault clusters use Integrated Storage as their storage backend.

The table below compares the characteristics of Integrated Storage and External Storage. Suppose you decide that the additional operational complexity of external storage is worth it for your use case. In that case, there are several external storage options to choose from (e.g., Consul, DynamoDB, etc.).

	Integrated Storage	External Storage
HashiCorp Supported	Yes	Limited support
Operation	Operationally simpler with no additional software installation required.	Must install and configure the external storage environment outside of Vault. For high availability, the external storage should be clustered.
Networking	One less network hop.	Extra network hop between Vault and the external storage system (e.g., Consul cluster).
Troubleshooting and monitoring	Integrated Storage is a part of Vault; therefore, Vault is the only system you need to monitor and troubleshoot.	The source of failure could be the external storage; therefore, you need to check the health of both Vault and the external storage. This requires expertise in the chosen storage backend and additional monitoring of that storage.
Data location	The encrypted Vault data is stored on the same host where the Vault server process runs.	The encrypted Vault data is stored where the external storage is located. Therefore, the Vault server and the data storage are hosted on physically separate hosts.
System requirements	Avoid "burstable" CPU and storage options. SSDs should be used for the hard drive. See the Reference Architecture guide.	Follow the system requirements given by your chosen storage backend.

Integrated storage vs. consul as Vault storage

HashiCorp Consul is a comprehensive multi-cloud service networking solution including service mesh, service discovery, and network infrastructure automation. Vault can leverage Consul's KV Store to persist Vault data.

The table below highlights the differences between Integrated Storage and Consul.

	Integrated Storage	Consul
Deployment	Vault cluster is all you need.	Vault cluster & Consul cluster. Use a dedicated Consul cluster for Vault storage, and it should not be used for other purposes (e.g., service discovery, service mesh). See the Vault with Consul Storage Reference Architecture guide.
Data location	Data is on disk.	All data is in memory.
System requirements	System requirements	System requirements
Snapshots	Normal data backup strategy of your organization.	More frequent snapshots are necessary since data is in memory.
Max message size	1 MiB (Configurable using the `max_entry_size` parameter)	512 KiB (Configurable using the `kv_max_value_size` parameter)

If you have a Vault cluster using Consul as its storage backend and wish to migrate to Integrated Storage, read the following tutorials:

Tutorial

Refer to the Integrated Storage tutorials to learn more about Integrated Storage.