Re: [vault] Vault HA and Key Replication


Jason Martin

Sep 21, 2018, 11:35:28 AM
to vault...@googlegroups.com
HA works by using a storage backend that supports HA, such as
Consul or DynamoDB. The (encrypted) keys are persisted in this
storage. The slaves use this data to pick up where the leader
left off.

-Jason Martin

On Thu, Sep 20, 2018 at 10:25:00PM -0700, Salvador Salazar wrote:
> Reading through the
> https://www.vaultproject.io/docs/internals/high-availability.html
> documentation, it is unclear to me how an HA setup works. I
> understand it's a master-slave scheme, where only the master
> will process all incoming requests (reads and writes).
>
> However, if I understood correctly, when using the transit
> secret engine, encryption keys are stored within Vault's
> server. In the eventual scenario of the server going down, how
> do the "slave" Vault servers learn about the pre-existing
> encryption keys? Do I need to set keys as "exportable", as in
> https://www.vaultproject.io/api/secret/transit/index.html#exportable,
> and copy the keys to the slave servers?
>

Chris Hoffman

Sep 21, 2018, 11:39:09 AM
to Vault
Vault HA mode works where all server instances are using the same shared storage but only one is active at a given time.  You can read more about HA here https://www.vaultproject.io/guides/operations/vault-ha-consul.html and https://www.vaultproject.io/docs/concepts/ha.html.

As a point of clarification, the exportable flag is only valid for API requests from Vault.  Server to server communication through Vault’s replication modes found in Vault Enterprise will still pass this information to secondary servers.

Chris
On Sep 21, 2018, 1:25 AM -0400, Salvador Salazar <ssal...@gmail.com>, wrote:
> Reading through the https://www.vaultproject.io/docs/internals/high-availability.html documentation, it is unclear to me how an HA setup works. I understand it's a master-slave scheme, where only the master will process all incoming requests (reads and writes).
>
> However, if I understood correctly, when using the transit secret engine, encryption keys are stored within Vault's server. In the eventual scenario of the server going down, how do the "slave" Vault servers learn about the pre-existing encryption keys? Do I need to set keys as "exportable", as in https://www.vaultproject.io/api/secret/transit/index.html#exportable, and copy the keys to the slave servers?
>
> If there is any deeper documentation that you can point me to, I will be happy to go through everything. :)
>
> Thank you


Vikrant Dubey

Sep 22, 2018, 7:24:52 AM
to vault...@googlegroups.com
Hello All,

I am all set with my:

--> 2 Vault servers: 1 active and 1 standby
--> Cluster of 3 Consul servers.

But the Vault URL for its UI is not working; a 404 error is returned. What needs to be done to get the UI open at http://IPADDRESS:8200/ui?
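For readers following the thread, here is an added example (not from any of the posters, and not HashiCorp's own configuration) of what the shared-storage HA arrangement Jason and Chris describe looks like on disk: two Vault nodes whose server configs point at the same Consul cluster under the same `path`, so the barrier-encrypted transit keys live in Consul rather than on either node. Hostnames, IP addresses and certificate paths are placeholders.

```hcl
# Added example: one Vault server config per node. Both nodes share the
# same Consul KV prefix, which is what makes them an HA pair.
# All addresses and file paths below are placeholders.

# ---------------- node vault-1 (/etc/vault/vault.hcl) ----------------

# The web UI at /ui is only served when this is set; it is off by default.
ui = true

storage "consul" {
  address = "127.0.0.1:8500"   # local Consul agent joined to the 3-server cluster
  path    = "vault/"           # must be identical on every node: this is the shared storage
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault-1.crt"   # placeholder
  tls_key_file  = "/etc/vault/tls/vault-1.key"   # placeholder
}

# Address clients use; a standby redirects or forwards requests here.
api_addr     = "https://vault-1.example.internal:8200"
# Server-to-server port used between members of the HA cluster.
cluster_addr = "https://vault-1.example.internal:8201"

# ---------------- node vault-2 (/etc/vault/vault.hcl) ----------------
# Identical apart from the node's own addresses and certificate files.

ui = true

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"           # same prefix as vault-1
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault-2.crt"   # placeholder
  tls_key_file  = "/etc/vault/tls/vault-2.key"   # placeholder
}

api_addr     = "https://vault-2.example.internal:8200"
cluster_addr = "https://vault-2.example.internal:8201"
```

Two operational caveats follow from the shared-storage model. First, the data in Consul is sealed under the barrier key, which exists only in the memory of an unsealed node, so every standby must be unsealed with the unseal (or auto-unseal) material before it can take over; sharing storage does not share the unsealed state. Second, `vault status` run against each node reports `HA Enabled` and an `HA Mode` of `active` or `standby`, which is the quickest check that both nodes really joined the same cluster rather than each running as its own single-node Vault on a mismatched `path`.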

Jeff Mitchell

Sep 24, 2018, 6:33:59 PM
to Vault