Migrating secrets from one Vault (standalone) to a new Kubernetes Vault

Hi All,

In our project we have an old Vault running with integrated storage.

We have created a new Vault in a Kubernetes environment with Consul as a storage backend.

Now we have a blocker for migrating secrets from the old Vault to the new Kubernetes Vault.

Can you please provide me with steps to resolve the issue?

Thanks in advance

That’s a pretty unusual migration path. The Consul storage backend for Vault is not exactly deprecated, but it provides no benefit over Integrated Storage that I’m aware of, and makes your deployment architecture more complicated. It’s fairly clear from the way features are getting implemented these days that HashiCorp considers Integrated Storage the most strongly supported storage backend these days.

I would not recommend anyone migrate a Vault to Consul storage these days.

Vault provides no support for copying individual secrets from one Vault to another.

If you’re looking to “start fresh” in a new Vault instance, it comes down to just manually assessing the kinds of secrets you have, and reconfiguring appropriate things in the new Vault.

On the other hand, if you want to take a backup snapshot of your entire old Vault instance and restore it, overwriting anything already in the new Vault instance, that is supported - but only if both source and destination are Integrated Storage.

That’s the way I think you should probably do this.

Snapshots can be managed via the CLI https://developer.hashicorp.com/vault/docs/commands/operator/raft#snapshot or even via the web UI if logged in with sufficiently administrative permissions.
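
The snapshot route described in the reply above, as an added example that is not part of the original thread. It assumes both clusters use Integrated Storage; the function name, the `OLD_VAULT_TOKEN`/`NEW_VAULT_TOKEN` variable names, the addresses and the default file name are placeholders chosen for this sketch.

```shell
#!/bin/sh
# Added example: move all Vault data between two Integrated Storage clusters
# with a Raft snapshot. Function name, token variable names and addresses are
# assumptions for this sketch, not taken from the thread.

# Usage: OLD_VAULT_TOKEN=... NEW_VAULT_TOKEN=... \
#          snapshot_migrate https://old-vault:8200 https://new-vault:8200 [file]
snapshot_migrate() {
  old_addr=$1
  new_addr=$2
  snap=${3:-vault-migration.snap}

  # Tokens come from the environment so they are not passed as arguments.
  if [ -z "$OLD_VAULT_TOKEN" ] || [ -z "$NEW_VAULT_TOKEN" ]; then
    echo "set OLD_VAULT_TOKEN and NEW_VAULT_TOKEN" >&2
    return 2
  fi

  # Never reuse an existing file: it could be a stale snapshot, or one
  # created earlier with looser permissions.
  if [ -e "$snap" ]; then
    echo "refusing to overwrite $snap" >&2
    return 1
  fi

  # 1. Save a snapshot of the old cluster. The umask keeps the new file
  #    readable by its owner only.
  ( umask 077
    VAULT_ADDR=$old_addr VAULT_TOKEN=$OLD_VAULT_TOKEN \
      vault operator raft snapshot save "$snap" ) || return 1

  # A failed or partial save must not reach the restore step.
  if [ ! -s "$snap" ]; then
    echo "snapshot $snap is missing or empty" >&2
    return 1
  fi

  # 2. Restore into the new cluster, replacing whatever it holds. -force
  #    bypasses the check that the snapshot's seal keys match the target,
  #    which a freshly initialised cluster would otherwise fail.
  VAULT_ADDR=$new_addr VAULT_TOKEN=$NEW_VAULT_TOKEN \
    vault operator raft snapshot restore -force "$snap" || return 1

  echo "restored $snap into $new_addr"
}
```

After the restore the new cluster holds the old cluster's data, so it is unsealed and accessed with the old cluster's keys and tokens; delete the snapshot file once the migration is verified.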