storage Stanza

The storage stanza configures the storage backend, which represents the location for the durable storage of Vault's information. Each backend has pros, cons, advantages, and trade-offs. For example, some backends support high availability while others provide a more robust backup and restoration process. For information about a specific backend, choose one from the navigation on the left.

Configuration

Storage backend configuration is done through the Vault configuration file using the storage stanza:

storage [NAME] {
  [PARAMETERS...]
}

For example:

storage "file" {
  path = "/mnt/vault/data"
}

For configuration options which also read an environment variable, the environment variable will take precedence over values in the configuration file.
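The precedence rule above matters when reviewing a deployment: the configuration file alone may not show the values Vault actually uses. The following added example (not part of the original page or of Vault itself) resolves the effective parameters of a flat storage stanza and reports which ones the environment overrides. The variable names `VAULT_RAFT_PATH` and `VAULT_RAFT_NODE_ID` come from the Integrated Storage backend documentation, not this page, and are an assumption here; the sample config is constructed.

```python
import os
import re

# Assumption: parameter -> overriding environment variable, per backend.
# Only the raft names are listed; extend per your backend's documentation.
ENV_OVERRIDES = {
    "raft": {"path": "VAULT_RAFT_PATH", "node_id": "VAULT_RAFT_NODE_ID"},
}

# Matches a flat stanza only (no nested blocks such as retry_join).
STANZA_RE = re.compile(r'storage\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^{}]*)\}', re.S)
PARAM_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"?(?P<val>[^"\n]*?)"?\s*$', re.M)


def effective_storage(config_text, environ=None):
    """Return (backend, {param: (value, source)}) with env taking precedence."""
    environ = os.environ if environ is None else environ
    match = STANZA_RE.search(config_text)
    if match is None:
        raise ValueError("no flat storage stanza found")
    backend = match.group("name")
    params = {k: (v, "file") for k, v in PARAM_RE.findall(match.group("body"))}
    for key, var in ENV_OVERRIDES.get(backend, {}).items():
        if var in environ:
            params[key] = (environ[var], "env:" + var)
    return backend, params


def overridden(params):
    """List parameters whose effective value did not come from the file."""
    return sorted(k for k, (_, src) in params.items() if src.startswith("env:"))


# Constructed sample configuration for the demonstration below.
SAMPLE_CONFIG = '''
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node-a"
}
'''

if __name__ == "__main__":
    backend, params = effective_storage(SAMPLE_CONFIG)
    for key, (value, source) in sorted(params.items()):
        print(f"{backend}.{key} = {value!r} (from {source})")
    for key in overridden(params):
        print(f"WARNING: {key} is overridden by the environment")
```

Run it as the same user and with the same environment as the Vault service (for example, the environment defined by its service unit), otherwise the result reflects your shell rather than the server.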

Integrated Storage vs. External Storage

HashiCorp recommends using Vault's integrated storage for most use cases rather than configuring another system to store Vault data externally. (Integrated Storage is an embedded Vault data storage available in Vault 1.4 or later.) Prior to Vault 1.4, Consul was the recommended Vault storage.

NOTE: HCP Vault clusters use Integrated Storage as their storage backend.

The table below compares the characteristics of Integrated Storage and External Storage. If you decide that the additional operational complexity of external storage is worth it for your use case, there are several external storage options to choose from (e.g., Consul, DynamoDB).

| | Integrated Storage | External Storage |
|---|---|---|
| HashiCorp Supported | Yes | Limited support |
| Operation | Operationally simpler with no additional software installation required. | Must install and configure the external storage environment outside of Vault. For high availability, the external storage should be clustered. |
| Networking | One less network hop. | Extra network hop between Vault and the external storage system (e.g., Consul cluster). |
| Troubleshooting and monitoring | Integrated Storage is a part of Vault; therefore, Vault is the only system you need to monitor and troubleshoot. | The source of failure could be the external storage; therefore, you need to check the health of both Vault and the external storage. This requires expertise in the chosen storage backend and additional monitoring of that storage. |
| Data location | The encrypted Vault data is stored on the same host where the Vault server process runs. | The encrypted Vault data is stored where the external storage is located. Therefore, the Vault server and the data storage are hosted on physically separate hosts. |
| System requirements | Avoid "burstable" CPU and storage options. SSDs should be used for the hard drive. See the Reference Architecture guide. | Follow the system requirements given by your chosen storage backend. |

Integrated Storage vs. Consul as Vault Storage

HashiCorp Consul is a comprehensive multi-cloud service networking solution including service mesh, service discovery, and network infrastructure automation. Vault can leverage Consul's KV Store to persist Vault data.

The table below highlights the differences between Integrated Storage and Consul.

| | Integrated Storage | Consul |
|---|---|---|
| Deployment | Vault cluster is all you need. | Vault cluster & Consul cluster. Use a dedicated Consul cluster for Vault storage, and it should not be used for other purposes (e.g., service discovery, service mesh). See the Vault with Consul Storage Reference Architecture guide. |
| Data location | Data is on disk. | All data is in memory. |
| System requirements | System requirements | System requirements |
| Snapshots | Normal data backup strategy of your organization. | More frequent snapshots are necessary since data is in memory. |
| Max message size | 1 MiB (Configurable using the max_entry_size parameter) | 512 KiB (Configurable using the kv_max_value_size parameter) |

If you have a Vault cluster using Consul as its storage backend and wish to migrate to Integrated Storage, read the following tutorials:

  1. Preflight Checklist - Migrating to Integrated Storage
  2. Storage Migration tutorial - Consul to Integrated Storage

Tutorial

Refer to the Integrated Storage tutorials to learn more about Integrated Storage.
