Documentation is confusing over mlock configuration

Storage Migration tutorial - Consul to Integrated Storage | Vault - HashiCorp Learn makes it very clear to disable mlock:

NOTE: When using the Raft storage backend, it is strongly recommended to set disable_mlock to true, and to disable memory swapping on the system.

Server Configuration | Vault by HashiCorp (vaultproject.io) says the same thing:

Disabling mlock is strongly recommended if using integrated storage due to the fact that mlock does not interact well with memory mapped files such as those created by BoltDB, which is used by Raft to track state.

However, Vault Deployment Guide with Integrated Storage | Vault - HashiCorp Learn says:

Give vault the ability to use the mlock syscall without running the process as root. The mlock syscall prevents memory from being swapped to disk.

Given that this page is actually titled “Vault Deployment Guide with Integrated Storage” (my emphasis) then shouldn’t this page not have that recommendation? Or am I misunderstanding the whole mlock thing?

Hi! Yeah, it’s a bit confusing, even at its clearest (which, in my mind, is probably where the config option itself is discussed):

Basically, in an ideal world, Vault with mlock'd memory is ideal. However, in the case of BoltDB, it gets very sad in that environment. (As pointed out in a previous post, BoltDB does a lot of what could be deemed odd things for the sake of speed.) Therefore, disable mlock in this specific case, and then put some other measures in place to compensate for the fact that your deployment is now vulnerable to certain attacks normally mitigated by the reference architecture.
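As an added illustration of the rule the thread converges on (this is example code written for this page, not HashiCorp's tooling or anything from the posters), here is a small POSIX shell preflight check that reads a Vault server config and flags the combinations the quoted docs warn about: Integrated Storage (`storage "raft"`) without `disable_mlock = true`, `disable_mlock = true` on a host that still has swap active, and a Consul-backed server that has disabled mlock for no reason. The sample configs and the stand-ins for `/proc/swaps` are constructed inline; the function names `check_vault_mlock` and `write_sample_configs`, and the second argument that lets you point at a file other than `/proc/swaps`, are this example's own choices, not a Vault interface.

```shell
#!/bin/sh
# Added example (not from the thread or from HashiCorp): preflight check of a
# Vault server config's mlock setting against its storage backend and the
# host's swap state. Rule applied, as quoted in the thread:
#   storage "raft"   -> disable_mlock = true AND no active swap
#   storage "consul" -> mlock left on (disable_mlock absent or false)
# Usage: check_vault_mlock CONFIG_FILE [SWAPS_FILE]
# SWAPS_FILE defaults to /proc/swaps; it is a parameter so the check can be
# exercised against a constructed file. Returns the number of problems found.
check_vault_mlock() {
    cfg="$1"
    swaps="${2:-/proc/swaps}"
    problems=0

    # Storage backend: name from the first 'storage "<name>"' stanza header.
    backend=$(sed -n 's/^[[:space:]]*storage[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)

    # disable_mlock value; when absent Vault keeps mlock enabled (its default).
    disable_mlock=$(sed -n 's/^[[:space:]]*disable_mlock[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | head -n 1)
    if [ -z "$disable_mlock" ]; then disable_mlock=false; fi

    # /proc/swaps has one header line; any further line is an active swap area.
    if [ -r "$swaps" ] && [ "$(wc -l < "$swaps")" -gt 1 ]; then
        swap_active=yes
    else
        swap_active=no
    fi

    case "$backend" in
      raft)
        if [ "$disable_mlock" != "true" ]; then
            echo "WARN: storage \"raft\" with mlock enabled; set disable_mlock = true (BoltDB's memory-mapped files do not interact well with mlock)"
            problems=$((problems + 1))
        fi
        if [ "$swap_active" = "yes" ]; then
            echo "WARN: swap is active; with disable_mlock = true Vault's memory can be written to disk, disable swap on this host"
            problems=$((problems + 1))
        fi
        ;;
      consul)
        if [ "$disable_mlock" = "true" ]; then
            echo "WARN: storage \"consul\" with disable_mlock = true; keep mlock on here and grant cap_ipc_lock to the binary instead of running as root"
            problems=$((problems + 1))
        fi
        ;;
      "")
        echo "WARN: no storage stanza found in $cfg"
        problems=$((problems + 1))
        ;;
    esac

    return "$problems"
}

# Constructed sample inputs (not real deployments): four configs and two
# stand-ins for /proc/swaps, written into DIR.
write_sample_configs() {
    dir="$1"
    cat > "$dir/raft_good.hcl" <<'EOF'
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
}
disable_mlock = true
EOF
    cat > "$dir/raft_bad.hcl" <<'EOF'
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
}
EOF
    cat > "$dir/consul_good.hcl" <<'EOF'
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}
EOF
    cat > "$dir/consul_bad.hcl" <<'EOF'
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}
disable_mlock = true
EOF
    printf 'Filename\tType\tSize\tUsed\tPriority\n' > "$dir/swaps_none"
    printf 'Filename\tType\tSize\tUsed\tPriority\n/dev/sda2\tpartition\t8388604\t0\t-2\n' > "$dir/swaps_active"
}

# Demo over the constructed samples. For a real host run e.g.
#   check_vault_mlock /etc/vault.d/vault.hcl
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for name in raft_good raft_bad consul_good consul_bad; do
    echo "== $name.hcl (host with swap active)"
    check_vault_mlock "$demo_dir/$name.hcl" "$demo_dir/swaps_active" || true
done
rm -rf "$demo_dir"
```

The check only reads the first `storage` stanza and a top-level `disable_mlock` line, which is enough for the single-server configs the deployment guides describe; it does not parse HCL in general. A return value of 0 means the config matches the recommendation for its backend, and the count of warnings is returned otherwise so it can gate a deployment step.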