What is a snapshot

Hello

My question is very simple: what is the content of a snapshot?
I saw this part of the documentation: /sys/storage/raft - HTTP API | Vault by HashiCorp

Is the snapshot a copy of my actual Vault (including users, secrets, etc.)?

For example, if tomorrow someone deletes a whole path of secrets, and today I created a “snapshot” of my Vault, will I be able to get my path back?

I don’t know if my question is very clear; don’t hesitate to ask for clarification.

Thanks in advance for your help

Yes

The details would depend on what kind of secrets you’re talking about, but in general yes, though it may not be easy or convenient.

As an example, let’s say you mean data in a KV secrets engine.

The data would be there, but there is no way to read just the secrets you’re interested in out of the snapshot. The only thing you can use the snapshot for, is to restore into a new instance of Vault.

If you set up a new instance of Vault, restore your snapshot into it, and authenticate to the new Vault, you can read the old values of your secrets from the new Vault.

However, if you want to restore them, you now have to write your own program to read from the new temporary Vault and copy them back to the main production Vault.

Also, starting up a new Vault and restoring a snapshot requires precautions, if your Vault has any secrets engines for which it manages external resources with leases. For example, let’s imagine you are using the Database or AWS secrets engines to manage dynamic credentials. You may have applications in production, which are using those credentials, and periodically extending their validity with the production Vault instance.

If you now start up a new Vault instance, and restore an older snapshot, the new Vault instance may now consider some of those dynamic credentials to have expired (as it does not receive the renewal requests from the applications using them). It will then connect to your databases or AWS (for example) and delete the credentials whilst they’re still being used.

For this reason, it’s necessary to ensure a restored Vault has no outbound network access, if you make use of any secrets engines for which this may be an issue.

So in conclusion - snapshots are a useful backup strategy should the worst happen - but be prepared for a somewhat complex procedure to make use of them.

2 Likes
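The copy-back program that the answer above says you have to write yourself could look like the following. This is an added example, not code from the thread or from HashiCorp; it assumes a KV version 2 engine mounted at `secret/`, and the names `KV2`, `walk` and `copy_back` are hypothetical.

```python
import json
import urllib.error
import urllib.request

class KV2:
    """Minimal KV v2 client (stdlib only). Assumption: engine mounted at secret/."""
    def __init__(self, addr, token, mount="secret"):
        self.base, self.token = f"{addr.rstrip('/')}/v1/{mount}", token

    def _call(self, method, path, body=None):
        req = urllib.request.Request(f"{self.base}/{path}", method=method,
                                     headers={"X-Vault-Token": self.token},
                                     data=None if body is None else json.dumps(body).encode())
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")

    def list(self, path):
        return self._call("GET", f"metadata/{path}?list=true")["data"]["keys"]

    def read(self, path):
        try:
            return self._call("GET", f"data/{path}")["data"]["data"]
        except urllib.error.HTTPError as err:
            if err.code == 404:  # key is listed, but its latest version is deleted
                return None
            raise

    def write(self, path, data):
        self._call("POST", f"data/{path}", {"data": data})

def walk(src, prefix):
    """Yield every secret path under prefix; keys ending in '/' are folders."""
    for key in src.list(prefix):
        full = f"{prefix.rstrip('/')}/{key}" if prefix else key
        if key.endswith("/"):
            yield from walk(src, full)
        else:
            yield full

def copy_back(src, dst, prefix, dry_run=True):
    """Copy latest versions under prefix from the restored Vault (src) to production (dst)."""
    copied = []
    for path in walk(src, prefix):
        data = src.read(path)
        if data is None:
            continue
        if not dry_run:
            dst.write(path, data)
        copied.append(path)
    return copied
```

Build `src` from the temporary Vault holding the restored snapshot and `dst` from production, and review the dry-run path list before calling it with `dry_run=False`. Only the latest version of each secret is copied; version history and metadata are not.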

It’s a copy of your Vault data – but there is a catch: it doesn’t include any leases or auth values (secret_id). So you could recover your data if there was a major issue and you needed to recover, but any applications/tools/db/users would need to reauth to get a new lease.

I disagree, a snapshot is a backup at the level of the storage, so would include these.

Oh, thanks a lot for this clear answer, it’s perfect. Have a wonderful week!

Hello,

Thanks for that clear information.
I’m refreshing this topic in the hope of getting more information about snapshot security.

My observation is: I can take a snapshot without being logged in when two conditions are satisfied.

  • I have access to Vault API endpoint
  • I have the vault CLI tool to perform vault operator raft snapshot save vault.snapshot

In addition, I saw in the documentation that we are able to restore a snapshot in another Vault cluster with the force option even if the seal keys are different.

So with this observation, I am afraid for my data security. I think that, as an attacker, it’s possible to take a snapshot without any authentication on my Vault, then restore it in his own cluster and exploit my data by using a root token to work around my authentication methods.

Does somebody know why it’s so easy to take a snapshot, and whether there is a security problem, or am I afraid for nothing because I didn’t understand the process?

Have a good day