Vault can be started using the
-recovery flag to bring it up in Recovery Mode.
In recovery mode, Vault:
- is automatically unsealed once a recovery token is issued
- apart from recovery token operations, only supports the
rawrequests must be authenticated using a recovery token
- won't form clusters or handle requests forwarded by standbys
Recovery tokens are issued in much the same way as root tokens are generated: the API is basically the same, only using a different endpoint. Unlike root tokens, the recovery token is not persisted, so if Vault is restarted into recovery mode a new one must be generated.
Only a single recovery token can be generated. If lost, restart Vault and generate a new one.
Requests can be issued to
sys/raw in just the same way as in regular Vault
server mode. The only difference is that in recovery mode,
must contain a recovery token instead of a service or batch token.
Raft integrated storage is the immediate motivation for recovery mode. With other backends it was always possible to delete data directly from a storage backend, but that's impractical with a Raft backend. That said, recovery mode works with any backend.
In order to bring the Vault server up reliably, using any node's raft data, recovery mode Vault automatically resizes the cluster to size 1. This means that after having used recovery mode, part of the procedure for returning to active service must include rejoining the raft cluster.
If Raft is used exclusively for
ha_storage, recovery mode will not allow for
changes to the Raft data but instead allow for modification of the underlying
physical data that is associated with Vault's storage backend.