Vault
Upgrade Vault
Vault supports in-place upgrades and automatically handles most tasks when you unseal Vault after the upgrade.
Upgrading from Community to Enterprise edition
If you plan to move from Vault Community to Vault Enterprise during your upgrade, make sure to download an enterprise binary and apply your license file during the upgrade.
Before you start
- You must have sudo permissions on the Vault server. Make sure you can install binaries on the Vault server.
- You must have admin permissions for Vault. Make sure you can stop and start the Vault process.
- Identify unseal candidates. Identify and notify enough people with unseal shards to meet the unseal threshold after restart.
Basic upgrade process
To perform an in-place upgrade of a single Vault instance:
Back up your Vault data. Vault does not make backward-compatibility guarantees for the Vault data store and the upgrade process may make changes to the data store.
Back up your current Vault configuration.
Review recent deprecation notices. If you use deprecated or ended functionality, make a plan to move away from those features before upgrading.
Use the doc version selector to review the important changes for each major version between your current version and the upgrade target.
Perform any prerequisites noted in the important changes documentation.
Use SIGINT or SIGTERM to shut down Vault.
$ kill <vault_pid>
Install the latest version of Vault over your existing instance.
Start Vault.
Verify the current version:
$ vault status | grep Version
Unseal Vault.
Test the upgrade. The best way to test an upgrade is to take a snapshot of the Vault data store after upgrading and load the backup into a test instance.
Isolate your test instance
If you use Vault to coordinate secrets with third-party resources (cloud credentials, database credentials, etc.), make sure you isolate the test instance from external network connectivity during testing. Isolating the test instance prevents it from trying to revoke third-party resources. Otherwise, the third-party resource credentials may expire and prevent access from the production cluster.
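The "Verify the current version" and "Unseal Vault" steps can be scripted as one check. The following is an added example, not part of the Vault documentation. The function names, the sample status output, and the version number 1.2.3 are constructed for illustration.

```shell
#!/bin/sh
# Added example: check `vault status` table output after an upgrade.
# The sample output and version numbers are constructed, not real data.

# status_field NAME: print the Value column for key NAME (status text on stdin).
status_field() {
    awk -v name="$1" '
        BEGIN { n = split(name, want, " ") }
        {
            ok = (NF > n)
            for (i = 1; i <= n && ok; i++) if ($i != want[i]) ok = 0
            if (ok) { print $(n + 1); exit }
        }'
}

# check_upgrade TARGET: returns 0 = target version and unsealed,
# 2 = target version but still sealed, 1 = wrong version or unreadable output.
check_upgrade() {
    status=$(cat)
    version=$(printf '%s\n' "$status" | status_field "Version")
    sealed=$(printf '%s\n' "$status" | status_field "Sealed")
    if [ "$version" != "$1" ]; then
        echo "FAIL: running ${version:-unknown}, expected $1" >&2
        return 1
    fi
    case $sealed in
        false) echo "OK: version $version, unsealed" >&2; return 0 ;;
        true)  need=$(printf '%s\n' "$status" | status_field "Threshold")
               echo "OK: version $version; sealed, needs $need key shares" >&2
               return 2 ;;
        *)     echo "FAIL: cannot read seal state" >&2; return 1 ;;
    esac
}

# Constructed sample of a freshly restarted (sealed) server.
SAMPLE_SEALED='Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Version            1.2.3'

# Real use: vault status | check_upgrade 1.2.3
# `vault status` itself exits 2 while sealed, so do not run it bare under `set -e`.
printf '%s\n' "$SAMPLE_SEALED" | check_upgrade 1.2.3 || echo "exit code: $?"
```

A return code of 2 right after the restart is expected: it confirms the new binary is running and reports how many key shares the unseal step still needs.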