Nomad 1.4 introduces Native Secure Variables. This allows a user to store encrypted configuration values securely and natively within Nomad. Whereas previously, configuration values had to be stored in external services such as Hashicorp Consul or Vault.
Nomad servers maintain an encryption keyring to encrypt the Secure Variables. The servers store key metadata in raft, but the encryption key material is stored in a separate file in the keystore subdirectory of the Nomad data directory. These files have the extension of .nks.json. This encryption key, not to be confused with the gossip encryption key, should be part of your organization's backup and recovery strategy.
Backing up the secure variables:
You can use the nomad operator snapshot save command to save the current cluster state and backup the secure variables in raft.
Restoring from backup:
Similarly, to restore a snapshot, you would use the nomad operator snapshot restore command. It is important to know that when restoring the cluster from a snapshot, you need to provide the keystore directory with the .nks.json file in at least one of the servers.