Skip to main content
In this guide, we cover Vault’s Integrated Storage: what it is, why it matters, and how to configure and operate it. Introduced in Vault 1.4, Integrated Storage embeds a Raft-based backend directly within Vault for high availability and durability—without any external storage system.
The image is an informational graphic about Vault Integrated Storage, highlighting its use of the Raft protocol and locally stored data for high availability and durability without external systems.

Why Integrated Storage?

Prior to Vault 1.4, enterprise deployments required Consul or another external backend—adding complexity, network hops, and extra operational overhead. Integrated Storage solves this by:
  • Storing all Vault data on each node’s local disk
  • Replicating data across nodes via Raft
  • Eliminating any external dependency for storage
In a three- or five-node cluster, every node maintains the same dataset. If nodes fail, remaining members serve requests as long as a quorum exists.

Key Benefits

The image is a slide titled "Introduction to Integrated Storage," highlighting benefits such as replicated data copies in a Vault cluster, eliminating network hops, and reducing administrative overhead. It includes a certification badge and a cartoon character at the bottom.
  • No external backend: Run Vault without Consul or other storage.
  • Reduced latency: Reads and writes occur on local disk.
  • Simplified operations: Troubleshoot only Vault, not two systems.
For best performance, use storage-optimized volumes with high IOPS.
The image is a slide titled "Introduction to Integrated Storage," recommending the use of storage-optimized, high IOPS volumes for local disk data storage. It features a Vault certification badge and a cartoon character at the bottom.

Feature Evolution

Since version 1.4, Vault’s Integrated Storage has gained:
FeatureAvailability
Raft ReplicationOSS & Enterprise
Auto SnapshotsEnterprise
Cloud Auto-JoinEnterprise
Autopilot (cleanup, upgrades)Enterprise
The image describes integrated storage features for Vault Enterprise, highlighting replication, auto snapshots, cloud autojoin, and autopilot functionalities. It includes a certification badge and a cartoon character at the bottom.

Comparative Advantages

The image outlines the benefits of integrated storage over other solutions, highlighting reduced complexity, decreased costs, and easier troubleshooting. It includes icons and a character illustration, with a focus on Vault's integrated storage features.
  • Lower complexity: Single system for secrets and storage
  • Cost savings: No additional Consul cluster or VMs
  • Easier troubleshooting: Inspect only Vault logs and metrics
  • Disk-backed: No in-memory bottlenecks
The image outlines the benefits of integrated storage, highlighting similar architecture, fewer networking requirements, not being memory-bound, and no network hops required. It includes icons and brief descriptions for each benefit.
  • Familiar Raft if you know Consul
  • Only two ports: 8200 (API), 8201 (Raft RPC)
  • Durable writes to disk

Reference Architectures

ArchitectureNodesFault ZonesQuorumPorts
Development Cluster33 (AZs or racks)2/38200 & 8201
Production Cluster53 (AZs or racks)3/58200 & 8201
Enterprise ReplicationPrimary/DRMulti-regionN/A8200 & 8201

Development Cluster (3 Nodes)

The image illustrates a reference architecture for a development cluster, showing three nodes (A, B, C) across different fault zones with data replication between them. Node B is the Raft leader, while Nodes A and C are Raft followers.
  • Three nodes in separate fault zones
  • Local disk on each node
  • Leader handles replication to followers

Production Cluster (5 Nodes)

The image illustrates a reference architecture for a production cluster with nodes distributed across three fault zones, highlighting a RAFT leader and followers.
  • Five nodes across three zones
  • Tolerates up to two node failures (quorum of three)
  • TCP 8201 for Raft RPC; 8200 remains API

Enterprise Replication

The image illustrates a replicated environment for enterprise-level deployments, showing a map of the United States with data centers for performance and disaster recovery replication. It includes a diagram of primary and DR clusters, emphasizing high availability and disaster recovery.
Use Integrated Storage in primary, performance, and DR clusters—replicate data across regions or data centers for disaster recovery.

Performance Requirements

ResourceRecommendation
CPU & MemoryConsolidate Vault + Raft; monitor & scale
StorageHigh-IOPS, ample capacity (disk full → Vault stops)
NetworkingLow latency, high throughput between nodes
The image outlines performance requirements for CPU & Memory, Storage, and Networking, emphasizing resource consolidation, high-performing disks, and low latency connectivity.
If storage fills up, Vault will halt. Monitor disk usage closely.

Configuration Overview

Add an Integrated Storage stanza to your Vault HCL configuration (see Vault Raft Storage Docs): 
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = true
}

storage "raft" {
  path                   = "/opt/vault/data"
  node_id                = "vault-node-a.hcvop.com"

  retry_join {
    auto_join = "provider=aws region=us-east-1 tag_key=vault tag_value=us-east-1"
  }

  performance_multiplier = 1
}

api_addr     = "https://vault.hcvop.com:8200"
cluster_addr = "https://vault-node-a.hcvop.com:8201"

Common storage "raft" Parameters

  • path: Local directory for Raft data (use high-performance disk)
  • node_id: Unique identifier for this node
  • retry_join: Discovery and join strategy (static or cloud auto-join)
  • performance_multiplier: Adjust election & heartbeat intervals

Retry Join Options

Vault supports two methods to join a Raft cluster:
  1. Static Join: Specify leader_api_addr for existing nodes.
  2. Cloud Auto-Join: Use auto_join with cloud tags (AWS, Azure, GCP).
If using TLS between nodes, configure certificate files: 
retry_join {
  leader_api_addr         = "https://vault-node-b.hcvop.com:8200"
  leader_ca_cert_file     = "/opt/vault.d/ca.pem"
  leader_client_cert_file = "/opt/vault.d/cert.pem"
  leader_client_key_file  = "/opt/vault.d/pri.key"
}
The image is a slide titled "Configuring Integrated Storage" with instructions on setting up a leader node in a cluster, including parameters like leader_api_addr, auto_join, and certificate file paths. It also features a Vault certification badge and a cartoon character at the bottom.
You can include multiple retry_join blocks to cover diverse discovery methods: 
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-node-a.hcvop.com"

  retry_join {
    leader_api_addr         = "https://vault-node-b.hcvop.com:8200"
    leader_ca_cert_file     = "/opt/vault.d/ca.pem"
    leader_client_cert_file = "/opt/vault.d/cert.pem"
    leader_client_key_file  = "/opt/vault.d/pri.key"
  }

  retry_join {
    leader_api_addr         = "https://vault-node-c.hcvop.com:8200"
    leader_ca_cert_file     = "/opt/vault.d/ca.pem"
    leader_client_cert_file = "/opt/vault.d/cert.pem"
    leader_client_key_file  = "/opt/vault.d/pri.key"
  }

  performance_multiplier = 1
}

Cluster Initialization & Day-2 Operations

1. Initialize and Unseal the First Node

vault operator init        # Generates unseal keys & root token
vault operator unseal      # Use Shamir keys or auto-unseal

2. Join Additional Nodes

On each follower: 
vault operator raft join https://vault-node-a.hcvop.com:8200

3. Remove a Node Gracefully

vault operator raft leave vault-4
# Peer removed successfully!
Always remove nodes via CLI to maintain quorum.

4. View Cluster Membership

vault operator raft list-peers
# Node     Address            State     Voter
# vault-0  vault-0.hcvop:8201 leader    true
# vault-1  vault-1.hcvop:8201 follower  true
# vault-2  vault-2.hcvop:8201 follower  true
# vault-3  vault-3.hcvop:8201 follower  true
# vault-4  vault-4.hcvop:8201 follower  true

5. Raft Snapshots

The image describes "Raft Snapshots," highlighting that integrated storage allows for manual or scheduled snapshot creation, which serves as a point-in-time backup including configuration data and KV store data. It also features a Vault certification badge.

Manual Snapshot

vault operator raft snapshot save daily.snap
# [INFO] storage.raft: snapshot complete up to: index=389

Restore from Snapshot

vault operator raft snapshot restore daily.snap
# [INFO] storage.raft.fsm: snapshot installed
Automate these commands via cron or your preferred scheduler—even in open source.
Integrated Storage is now the default choice for Vault clusters, offering durability, high availability, and simplified operations without sacrificing performance. Use these guidelines to plan, configure, and manage your Vault Integrated Storage deployments effectively.

Watch Video