mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 15:11:07 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/sysadmin/snapshots/restore.mdx
Erica Thompson 0660ea6fac
Update README (#31244) 
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

158 lines
4.5 KiB
Plaintext
Raw Permalink Blame History

---
layout: docs
page_title: Restore a snapshot
description: >-
Restore a Vault snapshot.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# Restore a Vault snapshot
Manually restore data for a Vault cluster leader node with a saved snapshot.
## Before you start
- **You must a working knowledge of how Vault saves data**.
- **You must have a valid Vault cluster configuration using integratd storage**.
- **You must know, and be able to contact your unseal/recovery key holders**. In
addition to the new root token generated during reinitalization, you need the
original cluster unseal keys to unseal Vault after restoring the snapshot.
- **You must have permission to access encrypted data in backed storage**.
## Step 1: Bring your Vault cluster back online
Your Vault cluster must be online to restore a snapshot.
Resolve the circumstances that required you to restore from backup, reinitialize
your Vault cluster with new storage, and authenticate with the new initial root
token generated during re-initialization. The new root token is temporary as you
will overwrite the cluster state with the snapshot data.
## Step 2: Copy the snapshot file to the cluster
You must save your snapshot file as a local file on the cluster to restore the
data.
To restore a snapshot to a disaster recovery replication cluster, you must copy
your Vault snapshot files for the primary and DR replica clusters onto restored
members of the respective clusters.
To restore a snapshot to a performance replication cluster, you must copy
your Vault snapshot files for the primary and secondary performance replica
clusters onto restored members of the respective clusters.
## Step 3: Force a snapshot restore
You must use force the snapshot restore since the auto-unseal or Shamir keys are
not consistent with the snapshot data, which came from a different cluster.
<Tabs>
<Tab heading="CLI" group="cli">
Run
[`vault operator raft snapshot restore`](/vault/docs/commands/operator/raft#snapshot-restore)
with the local snapshot file path and the `-force` flag:
```shell-session
$ vault operator raft snapshot restore -force <local_file_path>
```
For example:
<CodeBlockConfig hideClipboard>
```shell-session
$ vault operator raft snapshot restore -force /tmp/snapshots/backup.snap
```
</CodeBlockConfig>
</Tab>
<Tab heading="API" group="api">
Call the
[`/v1/sys/storage/raft/snapshot-force`](/vault/api-docs/system/storage/raft#force-restore-raft-using-a-snapshot)
endpoint with the local snapshot file path:
```shell-session
$ curl \
--request POST \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--data-binary @<local_file_path> \
${VAULT_ADDR}/v1/sys/storage/raft/snapshot-force
```
For example:
<CodeBlockConfig hideClipboard>
```shell-session
$ curl \
--request POST \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--data-binary /tmp/snapshots/backup.snap \
${VAULT_ADDR}/v1/sys/storage/raft/snapshot-force
```
</CodeBlockConfig>
</Tab>
</Tabs>
## Step 4: Unseal Vault
<Tabs>
<Tab heading="CLI" group="cli">
Have each person with an unseal key share run
`vault operator unseal` with their original unseal
key until reaching the number of key shares required by your origial quroum
configuration to unseal your Vault cluster:
```shell-session
$ vault operator unseal
```
Enter the unseal key when prompted:
<CodeBlockConfig hideClipboard>
```plaintext
Unseal Key (will be hidden):
```
</CodeBlockConfig>
</Tab>
<Tab heading="API" group="api">
Have each person with an unseal key share run
[`v1/sys/unseal`](/vault/api-docs/system/unseal) with their original unseal
key until reaching the number of key shares required by your origial quorum
configuration to unseal your Vault cluster:
```shell-session
$ curl \
--request POST \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--data '{"key": "<unseal_key>"}' \
${VAULT_ADDR}/v1/sys/unseal
```
</Tab>
</Tabs>
Reference in New Issue View Git Blame Copy Permalink