feat: add vault restore doc

2026-05-22 14:25:38 -05:00
parent d73f2639ed
commit a7ab7b398a
3 changed files with 121 additions and 2 deletions
@@ -2,7 +2,7 @@
 title: OpenBao SSH Certificate Authority
 description: Steps followed to enable using OpenBao as a CA for ssh login
 hero:
-  tagline: Steps followed for the v1.12.0 upgrade process
+  tagline: Steps followed to enable using OpenBao as a CA for ssh login
  image:
    file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/openbao.webp
 ---
@@ -2,7 +2,7 @@
 title: Using Secret Store CSI with OpenBao
 description: Mounting secrets inside pods using Secret Store CSI driver and OpenBao
 hero:
-  tagline: Steps followed to mount the secrets
+  tagline: Mounting secrets inside pods using Secret Store CSI driver and OpenBao
  image:
    file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/openbao.webp
 ---
@@ -0,0 +1,119 @@
+---
+title: Restore Vault Snapshot
+description: Steps followed to restore a raft snapshot of Vault
+hero:
+  tagline: Steps followed to restore a raft snapshot of Vault
+  image:
+    file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/vault.webp
+---
+
+import { Aside } from '@astrojs/starlight/components';
+import { Steps } from '@astrojs/starlight/components';
+
+<Aside type="tip">Reference Vault official documentation [here](https://developer.hashicorp.com/vault/docs/sysadmin/snapshots/restore).</Aside>
+
+This guide assumes the snapshot file has already been retrieved from the backup and the purpose is specifically to recover the secrets in the snapshot. These steps can be modified for a full recovery when initializing a new permanent instance.
+
+Along with the snapshot file the unseal keys and root token must also be retrieved to access the data.
+
+## Steps
+
+<Steps>
+1. Create a temp folder to use. Then add a 'snapshot' and 'data' folder inside.
+
+2. Place the '\<name>.snap' file of the snapshot into a 'snapshot' folder.
+
+2. Create a docker compose for running Vault locally using the following example. Place this in the root of the temp folder.
+    ````yaml
+    services:
+        vault:
+        image: hashicorp/vault:latest
+        container_name: vault
+        restart: unless-stopped
+        environment:
+            VAULT_ADDR: "http://127.0.0.1:8200"
+            VAULT_API_ADDR: "http://127.0.0.1:8200"
+            VAULT_CLUSTER_ADDR: "http://127.0.0.1:8201"
+            VAULT_LOCAL_CONFIG: |
+            {
+                "listener": [{
+                    "tcp": {
+                        "address": "0.0.0.0:8200",
+                        "cluster_address": "0.0.0.0:8201",
+                        "tls_disable": 1,
+                    }
+                }],
+                "storage": {
+                    "raft": {
+                        "path": "/vault/data"
+                    }
+                },
+                "disable_mlock": true,
+                "default_lease_ttl": "168h",
+                "max_lease_ttl": "720h",
+                "ui": true
+            }
+        ports:
+            - "8200:8200"
+        volumes:
+            - ./data:/vault/data
+            - ./snapshot:/vault/snapshot
+        cap_add:
+            - IPC_LOCK
+        command: "vault server -config vault/config/local.json"
+    ````
+
+4. The temp folder should now look like the following.
+    ````
+    /temp
+        /snapshot
+            <name>.snap
+        /data
+    ````
+
+5. Open a terminal and change directory to the temp folder.
+
+6. Start the docker container.
+    ````bash
+    docker compose up -d
+    ````
+
+7. Open a shell inside the container.
+    ````bash
+    docker exec -it vault /bin/sh
+    ````
+
+8. First the current Vault instance must be initialized, unsealed, and authenticated to restore the snapshot. Init the instance now.
+    ````bash
+    vault operator init
+    ````
+    The output above will give the unseal keys and the root token. Keep these nearby, but are not necessary to save.
+
+10. Unseal with 3 of the keys by running the following and entering a different key at the prompt each time.
+    ````bash
+    vault operator unseal
+    ````
+
+11. With Vault unsealed now login with the root token.
+    ````bash
+    vault login
+    ````
+
+12. Now with an operational Vault it can accept the restore command.
+    ````bash
+    vault operator raft snapshot restore -force /vault/snapshot/<name>.snap
+    ````
+
+13. The restore will override the previously sealed Vault with the new data. Unseal the restored snapshot with 3 of the snapshot's unseal keys.
+    ````bash
+    vault operator unseal
+    ````
+
+14. With restored Vault unsealed now login with the root token.
+    ````bash
+    vault login
+    ````
+
+15. The UI should be available at 'http://127.0.0.1:8200' and can be logged in with the root token.
+</Steps>
+