What is the recommended storage backend for Vault?

There’s a long list here and I’m not sure which one to choose.

Consul would be top of mind as it's a HashiCorp product and there are synergies with Vault. However, one should use decision criteria to choose the most suitable one. Below are some key considerations:

  • Using Vault Enterprise?
    • Consul is officially supported and tested by HashiCorp. Remaining backends are mostly Community supported with the exception of In-Memory and Filesystem.
    • Vault Enterprise replication: Use a transactional backend for replication. Vault Replication Internals documentation states:

“Using replication requires a storage backend that supports transactional updates, such as Consul.”

  • Load balancing approach:
    • Clients may be using a Load balancer to reach Vault as documented in Reference Architecture; this approach will work with any backend.
    • When using Consul, Vault clients can also look up endpoints via Consul’s DNS or Catalog API interface such as: active.vault.service.consul, performance-standby.vault.service.consul and so on (host names may vary based on configuration). These names are auto-registered by Consul. Applications can benefit from Consul service discovery using this approach.
  • High Availability (HA): when using Vault in production, choose a backend that supports HA capability. Note that Databases such as MSSQL and MySQL may themselves support HA, but when used as Vault backend, HA for Vault is not supported.
  • Platform: As an example, if deploying Vault on AWS, then Consul, S3, DynamoDB, MySQL etc. are all valid candidates. When running on-prem, choices with HA may be more limited: Etcd, Consul, MySQL etc.
  • Scale: Ensure that the backend can be operationalized to ensure scaling in capacity and performance.
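To make the HA and service-discovery points above concrete, here is an added example (not part of the original post and not HashiCorp's reference configuration) showing two alternative Vault server configs: Consul as storage, and Integrated Storage (Raft) that still registers with Consul for DNS lookups. Host names, file paths and node IDs are placeholders assumed for illustration.

```hcl
# ---- Alternative A: vault-consul.hcl (Consul as the storage backend) ----
# Transactional and HA-capable. The "service" value is what produces the
# active.<service>.service.consul style names, so changing it changes
# the host names clients must look up.
storage "consul" {
  address = "127.0.0.1:8500"   # local Consul agent (assumed)
  path    = "vault/"           # KV prefix that holds Vault's encrypted data
  service = "vault"            # Consul service name used for registration
}

# ---- Alternative B: vault-raft.hcl (Integrated Storage / Raft) ----
# Use this INSTEAD of the stanza above; a config has one storage stanza.
storage "raft" {
  path    = "/opt/vault/data"  # placeholder data directory
  node_id = "vault-1"          # placeholder, must be unique per node

  retry_join {
    leader_api_addr = "https://vault-2.example.internal:8200"  # placeholder peer
  }
}

# Optional with Raft: keep Consul-based service discovery without storing
# any Vault data in Consul.
service_registration "consul" {
  address = "127.0.0.1:8500"
  service = "vault"
}

# ---- Common to both alternatives ----
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"   # placeholder path
  tls_key_file  = "/etc/vault/tls/vault.key"   # placeholder path
}

# HA needs both addresses: api_addr is advertised to clients for
# redirects, cluster_addr is used for node-to-node traffic.
api_addr     = "https://vault-1.example.internal:8200"
cluster_addr = "https://vault-1.example.internal:8201"
```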

In my opinion - the recommended choice is whatever you’ve proven to perform best and with the most reliance and resilience for your given use-case and available resources. The reference architecture @kawsark has linked with Consul is pretty typical - Raft can also be a good option. For a complete list see: docs/configuration/storage as well.

Now that Raft Storage is available which would be better for High Availability? Consul or Raft?

I could not find a definitive answer as both seem to be documented as deployment patterns. I am assuming Consul was the preferred option before Raft came along. Both are supported by HashiCorp, but are there some use cases where Consul is more suited than Raft?


IMO, Raft is the best choice, but this decision will always depend on your use cases. Here’s a table comparing both: https://developer.hashicorp.com/vault/docs/configuration/storage#integrated-storage-vs-consul-as-vault-storage