Introduction
Re-initialising a node of a Vault cluster that uses Integrated Storage (Raft) can be done by removing or renaming Vault's database on disk. This is useful for resetting a node so that it can re-join a Raft cluster with a clean state.
Warning: these steps remove all Vault data on the node. Take a backup (for example a Raft snapshot taken from a healthy cluster member) before removing any data.
Expected Outcome
Vault (using Integrated Storage) will be reset to its initial, uninitialised state, effectively starting with a clean slate.
Prerequisites
- A running Vault Server using integrated storage (raft)
Procedure
Locate your Integrated storage directory
The storage stanza within the Vault configuration shows the path to the Raft storage database; note that it is the path value of the storage stanza, not one of the retry_join blocks, that identifies the directory to clear.
- A common location for this configuration is in /etc/vault/vault.hcl
storage "raft" {
# --- Path to database --- #
path = "/var/raft/"
node_id = "node3"
retry_join {
leader_api_addr = "https://node1.vault.local:8200"
}
retry_join {
leader_api_addr = "https://node2.vault.local:8200"
}
}
Stop the Vault service
systemctl stop vault
Remove the contents of the Raft directory (the path from the storage stanza). Clear the contents rather than deleting the directory itself, so that the ownership and permissions set for the Vault service user are preserved.
rm -rf /var/raft/*
Start the Vault service
systemctl start vault
Verify the process is running
systemctl status vault
Initialise Vault
The node is now in an uninitialised state and can either be initialised as a new cluster or joined to an existing cluster (for example via the retry_join blocks in the configuration, or with vault operator raft join).
vault status
Key                      Value
---                      -----
Seal Type                shamir
Initialized              false
Sealed                   true
Total Recovery Shares    0
Threshold                0
Unseal Progress          0/0
Unseal Nonce             n/a
Version                  1.9.4+ent
Storage Type             raft
HA Enabled               true
While the node is uninitialized, the logs will state the security barrier is not initialized.
[INFO] core: security barrier not initialized
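The following script carries out the whole procedure above in one place and adds the two things the article asks for but does not show: it reads the Raft path from the storage stanza instead of hard-coding it, and it archives the directory before clearing it. This is an added example, not code from the article or from HashiCorp. The config path /etc/vault/vault.hcl, the systemd unit name vault, the backup location /var/backups/vault, and the write_sample_config stanza are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the article or HashiCorp): reset one Integrated Storage
# node by clearing its Raft directory, with a backup taken first.
# Assumptions: config at /etc/vault/vault.hcl, a systemd unit named "vault",
# backups under /var/backups/vault. All three are hypothetical defaults.
set -euo pipefail

# Print the "path" value of the storage "raft" stanza in a Vault HCL config.
# Brace depth is tracked so a "path" inside a nested retry_join block is ignored.
raft_path_from_config() {
  awk '
    /storage[[:space:]]*"raft"/ { in_raft = 1 }
    in_raft && depth == 1 && /^[[:space:]]*path[[:space:]]*=/ {
      sub(/^[^"]*"/, ""); sub(/".*$/, ""); print; exit
    }
    in_raft {
      depth += gsub(/\{/, "{") - gsub(/\}/, "}")
      if (depth == 0) in_raft = 0
    }
  ' "$1"
}

# Archive the Raft directory before anything is deleted (the article's warning:
# this procedure destroys all Vault data on the node). Prints the archive path.
backup_raft_dir() {
  local raft_dir="$1" backup_dir="$2"
  local archive="$backup_dir/raft-$(date +%Y%m%d%H%M%S).tar"
  mkdir -p "$backup_dir"
  tar -cf "$archive" -C "$raft_dir" .
  echo "$archive"
}

# Delete the contents of the Raft directory but keep the directory itself, so the
# ownership and mode set for the vault service user survive. Unlike rm -rf dir/*,
# find -mindepth 1 also removes dotfiles.
clear_raft_dir() {
  local raft_dir="$1"
  case "$raft_dir" in ""|/) echo "refusing to clear '$raft_dir'" >&2; return 1 ;; esac
  [ -d "$raft_dir" ] || { echo "not a directory: $raft_dir" >&2; return 1; }
  find "$raft_dir" -mindepth 1 -delete
}

# Number of entries left under a directory (0 after a successful clear).
entry_count() { find "$1" -mindepth 1 | wc -l | tr -d ' '; }

# The article's procedure end to end. vault status exits 2 while the node is
# sealed, so its exit code is not treated as an error; the JSON output is checked
# for initialized=false, which is what a cleanly reset node reports.
reset_node() {
  local config="$1" backup_dir="$2"
  local raft_dir; raft_dir=$(raft_path_from_config "$config")
  [ -n "$raft_dir" ] || { echo "no raft path found in $config" >&2; return 1; }
  systemctl stop vault
  echo "backup written to $(backup_raft_dir "$raft_dir" "$backup_dir")"
  clear_raft_dir "$raft_dir"
  systemctl start vault
  systemctl is-active --quiet vault
  { vault status -format=json 2>/dev/null || true; } | grep -q '"initialized": *false'
}

# Constructed sample config (the stanza from the article) for a dry run.
write_sample_config() {
  cat > "$1" <<'EOF'
storage "raft" {
  # --- Path to database --- #
  path = "/var/raft/"
  node_id = "node3"
  retry_join {
    leader_api_addr = "https://node1.vault.local:8200"
  }
}
EOF
}

# Only touch the live system when explicitly asked: ./reset-raft-node.sh run
if [ "${1:-}" = "run" ]; then
  reset_node "${VAULT_CONFIG:-/etc/vault/vault.hcl}" "${BACKUP_DIR:-/var/backups/vault}"
fi
```

Sourcing the script without the run argument makes the helper functions available for a dry run against a scratch directory; only reset_node calls systemctl and vault, so the parsing, backup and clear steps can be exercised on a non-production host first.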
Additional Information
- Vault Tutorial: Vault Integrated Storage
- Vault Tutorial: Standard Procedure for restoring a Vault cluster