Can I create a new cluster and load the data from existing cluster?

Hi,

I’m wondering if it’s possible to create a new HA Vault cluster and import all the data from an existing HA cluster?
(I want both the new cluster and the existing cluster to work independently, not just to migrate the backend from one database to another.)

BTW, my backend storage is MySQL.

Thanks

Vault does not have this feature.

Depending on the secrets engines you have in use, it may not even make sense - for example, anything managing ephemeral credentials in other systems.

There is a snapshot save/restore feature that is specific to Raft storage, but even that I would expect to behave more like creating a clone of the current cluster than what you want.

Given the typical nature of secrets, I would recommend just starting a new blank cluster and adding what you need. If you feel this doesn’t make sense for your use case, you’d have to tell us more about it for us to understand.

Hi @maxb,

Thanks for your reply.
I’m wondering, if I use Raft storage and clone the whole cluster as my second cluster, can I make these two clusters work independently? Like when I enable HA, would there be two clusters with their own active nodes instead of only one active node for the two clusters?

I think that could work - that is:

  1. Migrate existing cluster to Raft
  2. Download snapshot from existing cluster
  3. Create new blank separate cluster also using Raft
  4. Load snapshot

I’ve not actually tried it though.
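The four steps above as a shell script, added here as an example (it is not maxb's code nor HashiCorp's). It assumes hypothetical values you supply: SRC_ADDR/SRC_TOKEN for the existing cluster, DST_ADDR/DST_TOKEN for the new cluster, a migrate.hcl for the MySQL-to-Raft migration, and that the destination has already been initialised as its own Raft cluster.

```shell
#!/usr/bin/env bash
# Clone a Vault cluster by Raft snapshot. Added example; hypothetical inputs: SRC_ADDR/SRC_TOKEN
# (existing cluster) and DST_ADDR/DST_TOKEN (new, already initialised Raft cluster).
set -eu
VAULT_BIN="${VAULT_BIN:-vault}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of executing them
# Run a command, or in dry-run mode print it with tokens and unseal keys redacted.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*" |
      sed -E 's/VAULT_TOKEN=[^ ]+/VAULT_TOKEN=<redacted>/; s/(operator unseal) .*/\1 <redacted>/'
  else
    "$@"
  fi
}
# Step 1: migrate the existing cluster's storage from MySQL to Raft. This runs offline:
# the Vault server that uses the MySQL backend must be stopped first. migrate.hcl holds a
# storage_source "mysql" {...} block and a storage_destination "raft" {...} block.
migrate_to_raft() {
  run "$VAULT_BIN" operator migrate -config="$1"
}
# Step 2: take a snapshot from the restarted, unsealed, Raft-backed source cluster.
snapshot_source() {
  run env VAULT_ADDR="$SRC_ADDR" VAULT_TOKEN="$SRC_TOKEN" \
    "$VAULT_BIN" operator raft snapshot save "$1"
}
# Steps 3-4: load the snapshot into the separately initialised destination cluster.
# -force is required because the snapshot comes from a different cluster. The restore
# brings the source's keyring with it, so with Shamir seals the destination must then be
# unsealed with the SOURCE cluster's unseal keys (passed as the remaining arguments).
restore_into_destination() {
  local snap="$1"; shift
  run env VAULT_ADDR="$DST_ADDR" VAULT_TOKEN="$DST_TOKEN" \
    "$VAULT_BIN" operator raft snapshot restore -force "$snap"
  for key in "$@"; do
    run env VAULT_ADDR="$DST_ADDR" "$VAULT_BIN" operator unseal "$key"
  done
}
# Usage: clone_cluster migrate.hcl vault.snap <source unseal keys...>
clone_cluster() {
  local config="$1" snap="$2"; shift 2
  migrate_to_raft "$config"
  snapshot_source "$snap"
  restore_into_destination "$snap" "$@"
}
```

Run it once with DRY_RUN=1 to review the exact command sequence before touching either cluster.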

Isn’t this just “backup/snapshot and restore”, then unseal with the same keys? The big question is what happens after. What are you trying to do?

This may be solved with the Enterprise edition’s replication: Replication - Vault Enterprise | Vault | HashiCorp Developer.

You end up with a 3-node HA cluster that streams data to another 3-node HA cluster, much like a MySQL active-passive pair. The difference between “performance” and “disaster-recovery”: tokens are also replicated to the DR, so you can fail over.

If you want to test, you can do it with version 1.7: it had enterprise keys valid for 6 hours before it sealed up; prior to that it was 30 minutes. After that, you need to ask for an evaluation license.

hello @alain,

Our use case is deploying a new Vault cluster in another region to serve the clients in that region, so that they can have better local Vault server access performance. To make this change backward compatible, we just want to make a copy of the data from the existing Vault server to the new Vault server.
I know this might not be that secure to do something like this, but considering the secrets might expire after a period of time, and we really don’t want to break any existing prod services, we feel it would be a workable solution if we can just copy the data from the existing Vault server and load it into the new cluster.

Or any suggestions about what we can do in our use case? Thanks

There is a lot going on in what you are saying. There is no “generic bulk copy” in Vault. Vault is not just used to keep secrets encrypted, but also to control access to them. You can set something up that streams, but that is the point of cluster replication in the enterprise release.

As was mentioned before, the only way I know to do what you want is to shut down, then “backup, copy, restore, and unseal”, and that last “unseal” step is the one that guarantees some security (i.e., that what is in the backup is encrypted). But that new Vault has no link back to the original. It’s still not clear if that is OK or not. The way you mention “new region … the clients … closer for performance” makes me think that it is NOT OK.

This is the use case that cluster replication was built for in the enterprise product.

If this cluster IS fully independent, then it may be more effective to create your own mini push scripts, but this is still not as simple as it seems.
