Summary
This article shows the configuration steps to enable replication using an alternative to the method described in the HashiCorp documentation, which uses response wrapping to protect the secondary credentials.
Introduction
The method described in this article uses encryption to protect the secondary credentials instead of a response-wrapped token. With this method the secondary does not need to make an API call to the primary cluster on port 8200 during activation. The configuration for disaster recovery replication uses the following endpoints:
Similar endpoints are available for performance replication:
Architecture
The architecture consists of two Vault Enterprise clusters located in two different zones that are able to communicate with each other.
Prerequisites
- Two Vault clusters running Vault Enterprise versions 1.3.0 or later
Configuration steps to enable disaster recovery using CLI
1. Enable DR replication on the primary cluster:
$ vault write -f sys/replication/dr/primary/enable
WARNING! The following warnings were returned from Vault:
* This cluster is being enabled as a primary for replication. Vault will be
unavailable for a brief period and will resume service shortly.
2. Generate the secondary public key on the secondary cluster:
$ vault write -f /sys/replication/dr/secondary/generate-public-key
Key Value
--- -----
secondary_public_key eojeAMdbXeK2J8W6wIx5Id1kkiUhnFwcW4Pu1uizPFw
3. Generate a DR secondary activation token on the primary cluster using the unique identifier 'eu-west' and the previously generated secondary_public_key:
$ vault write sys/replication/dr/primary/secondary-token secondary_public_key=eojeAMdbXeK2J8W6wIx5Id1kkiUhnFwcW4Pu1uizPFw id='eu-west'
Key Value
--- -----
token eyJjbHVzdGVyX2lkIjoiMTE2MjExNDItM...
4. Enable DR replication on the secondary cluster:
$ vault write sys/replication/dr/secondary/enable token=eyJjbHVzdGVyX2lkIjoiMTE2MjExNDItM...
WARNING! The following warnings were returned from Vault:
* Vault has successfully found secondary information; it may take a while to
perform setup tasks. Vault will be unavailable until these tasks and initial
sync complete.
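The four steps above, driven end to end from an operator workstation, as an added example that is not part of the original article or of HashiCorp's tooling. It makes explicit which cluster each command talks to: steps 1 and 3 go to the primary, steps 2 and 4 go to the secondary, and the public key and activation token travel only through the operator's shell, so the secondary never contacts the primary during activation. The addresses, the PRIMARY_TOKEN and SECONDARY_TOKEN variables and the RUN_DR_SETUP gate are placeholders assumed for the example; the secondary identifier defaults to 'eu-west' as on the page. The format check assumes the secondary public key is always a 32-byte value encoded as 43 unpadded base64url characters, which is the shape of the key shown in step 2.

```shell
#!/usr/bin/env sh
# Added example, not from the article. Drives DR replication setup with the
# vault CLI. Placeholder settings (override via the environment):
#   PRIMARY_ADDR / SECONDARY_ADDR   API addresses of the two clusters
#   PRIMARY_TOKEN / SECONDARY_TOKEN  tokens with the replication policies
#   SECONDARY_ID                     identifier for the secondary ('eu-west' as on the page)
set -eu

: "${PRIMARY_ADDR:=https://primary.example.internal:8200}"
: "${SECONDARY_ADDR:=https://secondary.example.internal:8200}"
: "${SECONDARY_ID:=eu-west}"

# Returns 0 when $1 looks like the secondary_public_key from step 2:
# base64url alphabet only and exactly 43 characters, i.e. 32 bytes without
# padding (an assumption taken from the key shown on the page). Catches a
# truncated or padded copy/paste before it is sent to the primary.
is_secondary_public_key() {
  case "$1" in
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -eq 43 ]
}

# Step 1: enable the primary. Only PRIMARY_ADDR is contacted.
enable_primary() {
  VAULT_ADDR="$PRIMARY_ADDR" VAULT_TOKEN="$PRIMARY_TOKEN" \
    vault write -f sys/replication/dr/primary/enable
}

# Step 2: generate the key pair on the secondary; only the public half is
# printed. -field prints the bare value instead of the Key/Value table.
generate_secondary_public_key() {
  VAULT_ADDR="$SECONDARY_ADDR" VAULT_TOKEN="$SECONDARY_TOKEN" \
    vault write -field=secondary_public_key -f sys/replication/dr/secondary/generate-public-key
}

# Step 3: mint the activation token on the primary, bound to the secondary's
# public key so only that secondary can use it.
issue_secondary_token() {
  VAULT_ADDR="$PRIMARY_ADDR" VAULT_TOKEN="$PRIMARY_TOKEN" \
    vault write -field=token sys/replication/dr/primary/secondary-token \
      secondary_public_key="$1" id="$SECONDARY_ID"
}

# Step 4: activate the secondary. Only SECONDARY_ADDR is contacted; the token
# was carried here by the operator, not fetched from the primary.
enable_secondary() {
  VAULT_ADDR="$SECONDARY_ADDR" VAULT_TOKEN="$SECONDARY_TOKEN" \
    vault write sys/replication/dr/secondary/enable token="$1"
}

dr_setup() {
  enable_primary
  pubkey="$(generate_secondary_public_key)"
  if ! is_secondary_public_key "$pubkey"; then
    echo "unexpected secondary_public_key format: $pubkey" >&2
    return 1
  fi
  token="$(issue_secondary_token "$pubkey")"
  enable_secondary "$token"
}

# The flow runs only when RUN_DR_SETUP=1, so the file can also be sourced
# to use the functions one step at a time.
if [ "${RUN_DR_SETUP:-0}" = 1 ]; then
  dr_setup
fi
```

Run it with `RUN_DR_SETUP=1 PRIMARY_TOKEN=... SECONDARY_TOKEN=... sh dr-setup.sh`, or source the file and call `enable_primary`, `generate_secondary_public_key`, `issue_secondary_token` and `enable_secondary` individually when the two clusters are administered from different hosts. Each step sets VAULT_ADDR explicitly rather than relying on whatever the shell happens to point at, which is the usual way step 4 ends up being sent to the wrong cluster.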