Acquisition complete HashiCorp officially joins the IBM family. Learn more
Vault
Vault Home

You are viewing documentation for pre-release version v1.20.0 (rc). View latest version.

Item recovery from a snapshot

Enterprise

Appropriate Vault Enterprise  license required

Overview

With Vault Enterprise you can recover individual items from an integrated storage snapshot without needing to restore your entire cluster to the state in the snapshot.

Item recovery is a two-step process:

  1. Load a snapshot into Vault so Vault can access the data and assign a snapshot ID.
  2. Use that snapshot ID to read, list, and recover individual paths from the snapshot.

Supported Paths

Not all paths support snapshot operations. The following paths are currently supported:

PluginPathSnapshot operations supportedVault version
cubbyhole/:secret_namerecover, read, list1.20.0
kv (v1)/:secret_namerecover, read, list1.20.0

Loading snapshots

Load a snapshot using the vault operator raft snapshot load command. The snapshot can either be a file on disk or a snapshot created from Vault's automated snapshot feature and stored in cloud storage.

Vault will return you information about the loaded snapshot, including a snapshot_id which you will reference to perform operations from the snapshot. Vault sets the initial status of the loaded snapshot to loading, indicating that it is extracting the data within the snapshot and preparing it for use. Once Vault fully loads the snapshot, it updates the status to ready. You can query your loaded snapshot at the API endpoint sys/storage/raft/snapshot-load/:snapshot_id.

If something goes wrong during the loading process, Vault will set the status of the loaded snapshot to error and return a new field called error describing the problem. Snapshots with an error status cannot be used for any snapshot operations.

Restrictions for loading snapshots

  • The snapshot must be from the same cluster and have the same unseal keys as the current cluster.
  • You can only load one snapshot into a cluster at a time.
  • Vault automatically unloads snapshots 72 hours after they are loaded.
  • If your cluster's active node changes, the loaded snapshot's status updates to error and it cannot be used for any recover operations. You must unload and reload the snapshot to use it again.
  • You cannot load a snapshot if your cluster has mlock enabled in its Vault configuration.

Replication

Performance primaries and performance secondaries can each load their own snapshots. However, a performance secondary will not be able to perform snapshot operations on any shared paths. Performance secondaries can only perform snapshot operations on paths corresponding to local mounts.

Disaster recovery secondaries cannot load snapshots.

Snapshot operations

Once you have loaded a snapshot, you can specify the snapshot ID read, list, and recover operations.

To read a secret at a specific path from the snapshot:

$ vault read -snapshot-id <snapshot_id> secret/my-secret

To list the secrets at a specific path from the snapshot:

$ vault list -snapshot-id <snapshot_id> secret/

Reading and listing use the same API endpoints as the normal read and list, but have an extra query parameter to specify the snapshot ID. Vault will perform the operation on the backend, but use the snapshot's stored data instead of the live data.

Note

A path cannot be read, listed, or recovered from a snapshot if the path's mount has been disabled! Even if you later re-enable the same plugin at the same path, the underlying identifiers for the plugin will be different and Vault will not be able to find the underlying storage entries for the mount within the snapshot.

To recover a secret at a specific path from the snapshot:

$ vault recover -snapshot-id <snapshot_id> secret/my-secret

To perform a recover command, Vault will first read the secret at the path from the snapshot to retrieve the snapshot's version of the data. Then, Vault will send the data to the plugin backend to perform the recover operation. The plugin backend will use this data (along with potentially its own information) to create or update the data at the specified path in live storage.

Policies

Reading and listing from a snapshot are guarded by the same read and list capabilities as the normal read and list operations. This means that if a user has read or list on the path, by default they will be allowed to read or list from a snapshot on that path.

If you would like to disallow reading or listing from a snapshot, you can create a policy that denies the read_snapshot_id parameter. For example, to disallow reading/listing from a snapshot on the secrets/* path, you can create the policy:

path "secrets/*" {
  capabilities = ["read", "list"]
  denied_parameters = {
    read_snapshot_id = []
  }
}

Users must have the recover capability on a path to recover that path from a snapshot. The user does not need to have any other capabilities to allow this operation.

path "secrets/*" {
  capabilities = ["recover"]
}