Data storage paths when Consul used as vault storage backend

All

I wanted to create persistent storage backend for vault to store secrets in file system that survives reboots. In addition, I might need HA in future and hence thought of Consul to serve the two purposes.

Based on https://learn.hashicorp.com/vault/operations/ops-vault-ha-consul - tried the following Vault config,

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

and:

consul’s config:

"data_dir": "/var/consul/data",

I don’t see any directory called ‘vault’ created under ‘/var/consul/data’ when I used ‘vault write’ or ‘vault kv put’ commands…I did not expect to see the actual data itself but thought a directory might be created…

Is the expectation not correct or is there more configuration to be done?

Thanks
SR

The path in the configuration of consul is not a path on disk, but the path in the k/v store. You could use hashifuse (https://github.com/jboero/hashifuse) to mount the k/v storage as a disk/partition if you want to kind of browse it with traditional OS tools. :slight_smile:


Thanks much for the quick reply. Hopefully, one final query.

Does that mean that the Consul-based disk FS storage backend (as in /var on disk here…) for Vault’s application data is not durable, or are those stored encrypted in some fashion under the /var/consul/data directory on disk?

Thanks

-data-dir - This flag provides a data directory for the agent to store state. This is required for all agents. The directory should be durable across reboots. This is especially critical for agents that are running in server mode as they must be able to persist cluster state. Additionally, the directory must support the use of filesystem locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may not be suitable. Note: both server and non-server agents may store ACL tokens in the state in this directory so read access may grant access to any tokens on servers and to any tokens used during service registration on non-servers. On Unix-based platforms the files are written with 0600 permissions so you should ensure only trusted processes can execute as the same user as Consul. On Windows, you should ensure the directory has suitable permissions configured as these will be inherited.
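Two offline checks that follow from the replies above (the `path` being a Consul KV prefix, and the data_dir note about ACL tokens and 0600 files). This is an added example, not code from the thread or from HashiCorp; the export below is a constructed sample in the shape `consul kv export` emits, and the 0700 expectation for the directory is an assumption based on the quoted docs.

```python
"""Added example: verify where Vault's data lives when Consul is the backend.
1. vault_keys():        list the KV keys under the configured storage path.
2. plaintext_exposed(): confirm no plaintext secret is stored under that path
                        (Vault encrypts everything before it reaches Consul).
3. data_dir_mode_ok():  check the Consul data_dir is not group/other readable
                        (assumption: 0700 on the directory, per the 0600 note).
"""
import base64
import json
import os
import stat

# Constructed sample, same JSON shape as `consul kv export` output.
# Values are made-up base64 blobs standing in for Vault ciphertext.
SAMPLE_EXPORT = json.dumps([
    {"key": "vault/core/seal-config", "flags": 0,
     "value": base64.b64encode(b"\x00\x01\x02opaque-ciphertext").decode()},
    {"key": "vault/logical/0f1e2d3c/secret/db", "flags": 0,
     "value": base64.b64encode(b"\x00\x01\x02more-ciphertext").decode()},
    {"key": "other-app/config", "flags": 0,
     "value": base64.b64encode(b"plain text for another app").decode()},
])


def vault_keys(export_json, path="vault/"):
    """Return, sorted, the Consul KV keys under Vault's storage path."""
    return sorted(e["key"] for e in json.loads(export_json)
                  if e["key"].startswith(path))


def plaintext_exposed(export_json, secret, path="vault/"):
    """True if the plaintext `secret` (bytes) appears in any value under
    `path`. With a healthy Vault this must be False for every secret."""
    for entry in json.loads(export_json):
        if entry["key"].startswith(path):
            if secret in base64.b64decode(entry["value"]):
                return True
    return False


def data_dir_mode_ok(data_dir):
    """Consul's data_dir may hold ACL tokens and all Vault ciphertext, so
    reject any group/other permission bits on the directory itself."""
    mode = stat.S_IMODE(os.stat(data_dir).st_mode)
    return mode & 0o077 == 0


if __name__ == "__main__":
    print(vault_keys(SAMPLE_EXPORT))
    print("plaintext leaked:", plaintext_exposed(SAMPLE_EXPORT, b"db-password"))
```

Against a live agent the same listing is `consul kv get -keys vault/`; nothing under that prefix should be readable without the Vault unseal keys, and the directory check applies to `/var/consul/data` from the config above.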