In this guide, you’ll configure performance replication between two Vault clusters: a primary and a secondary. After completing these steps, any changes made on the primary will automatically mirror to the secondary.

What You’ll Achieve:
  1. Enable performance replication on the primary cluster
  2. Generate a secondary-token for bootstrapping
  3. Activate the secondary cluster
  4. Verify replication health
  5. Demonstrate configuration propagation

Prerequisites

Cluster           Address         Root Token
Primary Vault     10.1.102.170    hvs.KYjTNrIdzAoPkriOuDStfClA
Secondary Vault   10.1.102.156    hvs.AVecCoMzQSmLYTQ9ufdpRAZ
  • Both clusters must be initialized and unsealed.
  • Vault CLI installed and pointing to the correct VAULT_ADDR.

1. Enable Performance Replication on the Primary

  1. Authenticate to the primary cluster
    export VAULT_ADDR=https://10.1.102.170:8200
    vault login hvs.KYjTNrIdzAoPkriOuDStfClA
    
  2. Turn on performance replication
    vault write -f sys/replication/performance/primary/enable
    
Enabling primary replication will make Vault briefly unavailable. Plan for a short maintenance window.

2. Generate a Secondary Bootstrap Token

Create a wrapped token to securely initialize the secondary:
vault write sys/replication/performance/primary/secondary-token \
    id=hcvop-performance
Example output:
Key                          Value
---                          -----
wrapping_token               eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
wrapping_token_ttl           30m
wrapping_token_creation_time 2022-06-02T01:19:11.387715359 +0000 UTC
Copy the wrapping_token to use in the next step.

3. Activate the Secondary Cluster

  1. Authenticate to the secondary cluster
    export VAULT_ADDR=https://10.1.102.156:8200
    vault login hvs.AVecCoMzQSmLYTQ9ufdpRAZ
    
  2. Enable performance replication on the secondary using the wrapped token
    vault write sys/replication/performance/secondary/enable \
        token=<WRAPPING_TOKEN>
    
Vault will be unavailable until the initial sync and setup tasks complete.

4. Verify Replication Status

On the secondary cluster, confirm health and connectivity:
vault read sys/replication/performance/status
Expected fields:
Key                          Example Value
mode                         secondary
connection_state             ready
known_primary_cluster_addrs  [https://10.1.102.170:8201]
state                        stream-wal
A connection_state of ready together with a state of stream-wal indicates that performance replication is healthy, and known_primary_cluster_addrs should list the primary you enabled in step 1.
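The check above, as an added example that is not part of the original guide: a POSIX shell function that parses the Key/Value table printed by vault read and returns success only when the secondary is in the expected mode, connected, streaming WALs, and attached to the intended primary address. The sample status tables and the expected primary address are constructed for illustration; for live use, VAULT_ADDR and a login on the secondary are assumed to be in place from step 3.

```shell
#!/bin/sh
# Added example (not from the guide): parse `vault read sys/replication/performance/status`
# output and decide whether the secondary is healthy and attached to the intended primary.
# Assumes VAULT_ADDR and a valid login are already set up for live use.

# Print the value column for one key from the Key/Value table `vault read` prints.
field() {
  awk -v k="$1" '$1 == k { print $2; exit }'
}

# $1 = status output, $2 = primary cluster address the secondary should know.
# Returns 0 only if mode, connection_state, state and the primary address all check out.
check_replication() {
  out=$1
  want_primary=$2
  mode=$(printf '%s\n' "$out" | field mode)
  conn=$(printf '%s\n' "$out" | field connection_state)
  state=$(printf '%s\n' "$out" | field state)
  addrs=$(printf '%s\n' "$out" | field known_primary_cluster_addrs)
  case "$addrs" in
    *"$want_primary"*) known=yes ;;
    *) known=no ;;
  esac
  if [ "$mode" = secondary ] && [ "$conn" = ready ] && \
     [ "$state" = stream-wal ] && [ "$known" = yes ]; then
    echo "healthy: secondary streaming WALs from $want_primary"
    return 0
  fi
  echo "unhealthy: mode=$mode connection_state=$conn state=$state known_primary=$known"
  return 1
}

# Constructed sample outputs (mirror the fields in step 4; not captured from a real cluster).
SAMPLE_HEALTHY='Key                           Value
---                           -----
mode                          secondary
connection_state              ready
known_primary_cluster_addrs   [https://10.1.102.170:8201]
state                         stream-wal'

# Constructed: the same table after the secondary has lost its connection to the primary.
SAMPLE_DISCONNECTED='mode                          secondary
connection_state              transient_failure
known_primary_cluster_addrs   [https://10.1.102.170:8201]
state                         idle'

PRIMARY_ADDR=https://10.1.102.170:8201

# Live use on the secondary after step 3:
#   check_replication "$(vault read sys/replication/performance/status)" "$PRIMARY_ADDR"
check_replication "$SAMPLE_HEALTHY" "$PRIMARY_ADDR"
```

A non-zero exit from check_replication is suitable for wiring into a monitoring probe, so a secondary that silently stops streaming WALs is noticed rather than assumed current.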

5. Demonstrate Configuration Propagation

Make a change on the primary to prove replication works:
  1. On the primary, enable the userpass auth method and create a user:
    vault auth enable userpass
    vault write auth/userpass/users/bryan \
        password=bryan policies=default
    
  2. Within seconds, log in on the secondary using that user:
    vault login -method=userpass username=bryan
    
Success confirms that auth methods, users, and policies (along with future secrets engines, audit devices, KV data, etc.) propagate automatically.