Using AWS infrastructure to backup and restore your Vault
This guide shows you how to backup and restore your Vault using the AWS infrastructure.
Restoring a Vault is very similar to installing a new Vault. The difference is that when restoring, you restore the Vault state as it was at backup. So, to backup Vault, you need to store the Vault state in an accessible place.
Vault keeps most of its state in the Relational Database Service (RDS), with other parts in the Key Management Service (KMS). So, to backup Vault, you need to backup RDS and KMS.
Before starting to backup Vault, it's important to decide if the restore will be in place, replacing the existing Vault (same region, same VPC, and same RDS instance) or not (different region, different VPC, and different RDS instance). If the latter, then remember to select the multi-region option when setting up your KMS and backup.
Backup and restore process
The steps to performing a backup and restore are:
- Decide if the backup is multi-region or same-region
- Setup the KMS
- Backup the RDS
- Restore the RDS
Setup KMS keys
Keys cannot be backed up, but when created, you can choose the material origin for the key. In addition, if you want to create an instance of Vault in a different region (for example, when restoring Vault), when creating the key, under Advanced Options, Regionality select a multi-region key. This enables you to use the same key in multiple regions.
The best way to backup the RDS is using the built-in backup capability in AWS. This creates a snapshot of the RDS instance that may also be exported to S3. This backup can be configured when the database is created or later.
To modify a database, go to the RDS console, select the database, and click Modify. Then, in the Backup section, select the backup retention period and the backup window. You may choose replication in another region to create a copy of the backup in another region.
You can also create a manual backup by going to the RDS console, selecting the database, and clicking Actions and then Take snapshot.
Once the backup is configured, you see the backup in the Automated Backups section of the RDS console.
To restore RDS, go to the RDS console, select the database, and click Actions then Restore to point in time. Then, select the backup you want to restore from and click Restore DB instance.
Alternatively, you can go to Automated backups or Snapshots in the RDS console, select the snapshot you want to restore and click Actions then Restore snapshot. This creates a new database from the snapshot.