What is the recommended storage backend for Vault?

There’s a long list here and I’m not sure which one to choose.

Consul would be top of mind as it's a HashiCorp product and there are synergies with Vault. However, one should use decision criteria to choose the most suitable one. Below are some key considerations:

  • Using Vault Enterprise?
    • Consul is officially supported and tested by HashiCorp. Remaining backends are mostly Community supported with the exception of In-Memory and Filesystem.
    • Vault Enterprise replication: Use a transactional backend for replication. Vault Replication Internals documentation states:

“Using replication requires a storage backend that supports transactional updates, such as Consul.”

  • Load balancing approach:
    • Clients may be using a Load balancer to reach Vault as documented in Reference Architecture; this approach will work with any backend.
    • When using Consul, Vault clients can also look up endpoints via Consul’s DNS or Catalog API interface such as: active.vault.service.consul, performance-standby.vault.service.consul and so on (host names may vary based on configuration). These names are auto-registered by Consul. Applications can benefit from Consul service discovery using this approach.
  • High Availability (HA): when using Vault in production, choose a backend that supports HA capability. Note that Databases such as MSSQL and MySQL may themselves support HA, but when used as Vault backend, HA for Vault is not supported.
  • Platform: As an example, if deploying Vault on AWS, then Consul, S3, DynamoDB, MySQL etc. are all valid candidates. When running on-prem, choices with HA may be more limited: Etcd, Consul, MySQL etc.
  • Scale: Ensure that the backend can be operationalized to ensure scaling in capacity and performance.
2 Likes
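A Vault server configuration that uses Consul as the HA storage backend, tying together the replication, service discovery and HA points in the answer above (an added example, not part of the original post or HashiCorp's reference configuration). Host names, file paths and the token value are placeholders chosen for illustration.

```hcl
# vault.hcl : one node of an HA Vault cluster backed by Consul.

storage "consul" {
  # Local Consul agent; it forwards requests to the Consul servers.
  address = "127.0.0.1:8500"
  scheme  = "https"

  # KV prefix under which Vault writes its (already encrypted) data.
  path = "vault/"

  # Service name registered in Consul. With the default Consul domain this
  # produces active.vault.service.consul and the other tagged names that
  # clients can resolve through Consul DNS or the Catalog API.
  service = "vault"

  # Consul ACL token scoped to the KV prefix and service above (placeholder).
  # It can be supplied through the CONSUL_HTTP_TOKEN environment variable
  # instead, which keeps it out of this file.
  token = "REPLACE_WITH_CONSUL_ACL_TOKEN"

  # CA used to verify the Consul agent's TLS certificate (placeholder path).
  tls_ca_file = "/etc/vault.d/tls/consul-ca.pem"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.pem"      # placeholder path
  tls_key_file  = "/etc/vault.d/tls/vault-key.pem"  # placeholder path
}

# Address advertised to clients, used when a standby redirects a request
# to the active node. Must be reachable by clients and the load balancer.
api_addr = "https://vault-1.example.internal:8200"

# Address used for server-to-server request forwarding between nodes.
cluster_addr = "https://vault-1.example.internal:8201"
```

After the node starts and is unsealed, `vault status` reports whether HA is enabled for the configured backend, which is a quick way to confirm the backend choice supports it.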