Upgrade Vault

Vault supports in-place upgrades and automatically handles most tasks when you unseal Vault after the upgrade.

Before you start

• You must have sudo permissions on the Vault server. Make sure you have can install binaries on the Vault server.
• You must have admin permissions for Vault. Make sure you can stop and start the Vault process.
• Identify unseal candidates. Identify and notify enough people with unseal shards to meet the unseal threshold after restart.

Basic upgrade process

To perform an in-place upgrade of a single Vault instance:

1. Back up your Vault data. Vault does not make backward-compatibility guarantees for the Vault data store and the upgrade process may make changes to the data store.

2. Back up your current Vault configuration.

3. Review recent deprecation notices. If you use deprecated or ended functionality, make a plan to move away from those features before upgrading.

4. Use the doc version selector to review the important changes for each major version between your current version and the upgrade target.

5. Perform any prerequisites noted in the important changes documentation.

6. Use SIGINT or SIGTERM to shut down Vault.

   BashPowershell

   $ kill <vault_pid>
   

   Stop-Process <vault_pid>
   

7. Install the latest version of Vault over your existing instance.

8. Start Vault.

9. Verify the current version:

   $ vault status | grep Version
   

10. Unseal Vault.

11. Test the upgrade. The best way to test an upgrade is to take a snapshot of the Vault data store after upgrading and load the backup into a test instance.

Additional resources