letthefireflieslive

Reputation: 12684

How to securely export and import data from different vault instances?

What if:

  1. I want to replicate the data contained in dev vault to my local vault?

  2. I want to export my local vault data to dev vault up to prod vault?

What is the ideal way of doing this securely and versioned? I am thinking of some export/import mechanism. Fairly new to vault.

Upvotes: 0

Views: 1626

Answers (2)

Jonas Vinther

Reputation: 271

Medusa is an open source CLI tool that does exactly what you need. The tool can handle a full tree structure in both import and export. It also supports end-to-end encryption of your secrets between export and import between Vault instances so that your secrets are always secure.
https://github.com/jonasvinther/medusa

export VAULT_ADDR=https://192.168.86.41:8201
export VAULT_SKIP_VERIFY=true
export VAULT_TOKEN=00000000-0000-0000-0000-000000000000

./medusa export kv/path/to/secret --format="yaml" --output="my-secrets.txt"
./medusa import kv/path/to/new/secret ./my-secrets.txt

Upvotes: 4
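
An added example, not part of either answer and not Medusa's code: a tree copy between two Vault instances over the KV v2 HTTP API (list under `metadata/`, read and write under `data/`), keeping secrets in memory and leaving TLS verification on. The mount name `kv`, the helper names and the in-memory `fake_vault` stand-in are assumptions made for this example.

```python
import json
import urllib.request


def http_call(addr, token, method, path, body=None):
    """Call the Vault HTTP API with the default (verifying) TLS context."""
    req = urllib.request.Request(
        f"{addr}/v1/{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def walk(call, mount, prefix=""):
    """Yield every secret path under prefix; KV v2 marks folders with '/'."""
    listing = call("GET", f"{mount}/metadata/{prefix}?list=true")
    for key in listing["data"]["keys"]:
        if key.endswith("/"):
            yield from walk(call, mount, prefix + key)
        else:
            yield prefix + key


def copy_tree(src, dst, mount, prefix=""):
    """Copy the latest version of each secret from src to dst, in memory only."""
    copied = []
    for path in walk(src, mount, prefix):
        secret = src("GET", f"{mount}/data/{path}")["data"]["data"]
        dst("POST", f"{mount}/data/{path}", {"data": secret})
        copied.append(path)
    return copied


def fake_vault(store):
    """Constructed in-memory stand-in for a KV v2 mount, for offline runs."""
    def call(method, path, body=None):
        mount, kind, rest = path.split("/", 2)
        if method == "POST":
            store[rest] = body["data"]
            return {}
        if rest.endswith("?list=true"):
            pre = rest[:-len("?list=true")]
            tails = [p[len(pre):] for p in store if p.startswith(pre)]
            keys = sorted({t.split("/")[0] + "/" if "/" in t else t for t in tails})
            return {"data": {"keys": keys}}
        return {"data": {"data": store[rest]}}
    return call
```

Against real instances, build `src` and `dst` with `functools.partial(http_call, addr, token)` and pass a `prefix` ending in `/` to limit the copy to one subtree. Only the latest version of each secret is copied; older KV v2 versions stay on the source.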

user2599522

Reputation: 3225

Vault stores everything in the backends and encrypts them with the unseal keys.

If you wanted, you could copy the data elsewhere, and then 'import' them to the next environment (and by copy, I mean db dump if you are using a database to store stuff, copy s3 buckets if you are using s3, etc).

That would require downtime as you would need to seal your cluster to make sure all the writes happen before you copy your data.

If you want something more automatic, you could upgrade to the enterprise version and use replication - there are various different replication options.

Upvotes: 2
