We are intending to use the community edition of HashiCorp Vault in a HA cluster. All of our nodes are, therefore, in a single data centre. How do we bring the cluster back up if the data centre has a failure of all of our nodes? Where should we be storing our keys and root tokens as a best practice in order to bring up the nodes in the cluster without third party cloud providers (AWS, Azure, etc)? We are hosting our servers at OVH.
If all of the nodes storing your live data fail, then you restore from a previous backup stored separately from the production infrastructure - there isn’t really any other option in a case like that - it’s fairly axiomatic.
You already asked this in Best Practice for Securely Storing Vault Key Shares and Initial Root Tokens so I won’t repeat my answer here.
This is fairly typical for a starting production instance. There is a built-in “snapshot” tool built into consul and the integrated storage options of Vault – depending on what you’re using as your storage (those are the only two that are also supported by Hashicorp Support in case you do need to open a case).
For our lab infrastructure where we don’t have a DR cluster, we use AWS S3 to store the snapshots and they are available for restoring elsewhere if need be – assuming timing is not a factor.
There is a nice best practice on learn for dealing with keys and root tokens.