Configure Vault cluster with Integrated Storage
Challenge
Vault supports many storage backends to persist its encrypted data (e.g. Consul, MySQL, DynamoDB, etc.).
These backends require:
- Their own administration; increasing complexity and total administration.
- Configuration to allow Vault as a client.
- Vault configuration to connect to the provider as a client.
Solution
Use Vault's Integrated Storage to persist the encrypted data. The integrated storage has the following benefits:
- Integrated into Vault (reducing total administration).
- All configuration within Vault.
- Supports failover and multi-cluster replication.
- Eliminates additional network requests.
- Lowers complexity when diagnosing issues (leading to faster time to recovery).
Tip
HashiCorp Cloud Platform (HCP) Vault clusters use Integrated Storage. To learn more about the managed Vault clusters, refer to the Getting Started with HCP Vault Dedicated tutorials. If you are a Kubernetes user, visit the Vault Installation to Minikube via Helm with Integrated Storage tutorial.
Prerequisites
This tutorial requires Vault, sudo access, and additional configuration to create the cluster.
- Install Vault v1.4.0 or later
Setup
The cluster.sh
script configures and starts four Vault servers. Here is a
diagram describing the architecture:
- vault_1 (
http://127.0.0.1:8200
) is initialized and unsealed. The root token creates a transit key that enables the other Vaults auto-unseal. This Vault does not join the cluster. - vault_2 (
http://127.0.0.2:8200
) is initialized and unsealed. This Vault starts as the cluster leader. An example K/V-V2 secret is created. - vault_3 (
http://127.0.0.3:8200
) is only started. You will join it to the cluster. - vault_4 (
http://127.0.0.4:8200
) is only started. You will join it to the cluster.
Open a terminal, and create a directory named
$HOME/vault-tutorial
, and set it as the working directory.$ mkdir $HOME/vault-tutorial && cd $HOME/vault-tutorial
Retrieve the configuration by cloning the
hashicorp-education/learn-vault-raft
repository from GitHub.$ git clone https://github.com/hashicorp-education/learn-vault-raft
Change the working directory to
learn-vault-raft/raft-storage/local
.$ cd learn-vault-raft/raft-storage/local
Set the
cluster.sh
file to executable:$ chmod +x cluster.sh
Set up the local loopback addresses for each Vault:
$ ./cluster.sh create network [vault_2] Enabling local loopback on 127.0.0.2 (requires sudo)Password: [vault_3] Enabling local loopback on 127.0.0.3 (requires sudo) [vault_4] Enabling local loopback on 127.0.0.4 (requires sudo)
Note
This operation requires a user with sudo access. You will be prompted to enter that user's password.
127.0.0.0/8
address block is assigned for use as the Internet host loopback address. (RFC3330)Create the configuration for each Vault node.
$ ./cluster.sh create config [vault_1] Creating configuration - creating <path_to_local>/config-vault_1.hcl[vault_2] Creating configuration - creating <path_to_local>/config-vault_2.hcl - creating <path_to_local>/raft-vault_2[vault_3] Creating configuration - creating <path_to_local>/config-vault_3.hcl - creating <path_to_local>/raft-vault_3[vault_4] Creating configuration - creating <path_to_local>/config-vault_4.hcl - creating <path_to_local>/raft-vault_4
Setup vault_1:
Watch out for VAULT_TOKEN
Before proceeding, make sure that you do not already have an existing
VAULT_TOKEN
environment variable exported in your shell session. If you do find that checking for it with a command likeprintenv | grep VAULT_TOKEN
returns a result, then you must unset it withunset VAULT_TOKEN
before proceeding or subsequent steps will likely not succeed.$ ./cluster.sh setup vault_1 [vault_1] starting Vault server @ http://127.0.0.1:8200 [vault_1] initializing and capturing the unseal key and root token [vault_1] Unseal key: NheD5HT4IaCjLB2gv7a5t9dfw7tEjoHMZ67DS+5nQ3A=[vault_1] Root token: hvs.YFkvurx85VPSfsEwS6mSnfWj [vault_1] unsealing and logging inKey Value--- -----Seal Type shamirInitialized trueSealed falseTotal Shares 1Threshold 1Version 1.14.0Build Date 2023-06-19T11:40:23ZStorage Type inmemCluster Name vault-cluster-74bee892Cluster ID d74ca2cf-a081-2918-b8a2-8a2ccd6c5b22HA Enabled falseSuccess! You are now authenticated. The token information displayed belowis already stored in the token helper. You do NOT need to run "vault login"again. Future Vault requests will automatically use this token. Key Value--- -----token hvs.YFkvurx85VPSfsEwS6mSnfWjtoken_accessor Ed0JMHdQGPyoDIrR7WbCGhrntoken_duration ∞token_renewable falsetoken_policies ["root"]identity_policies []policies ["root"] [vault_1] enabling the transit secrets engine and creating a key to auto-unseal vault clusterSuccess! Enabled the transit secrets engine at: transit/Key Value--- -----allow_plaintext_backup falseauto_rotate_period 0sdeletion_allowed falsederived falseexportable falseimported_key falsekeys map[1:1688151586]latest_version 1min_available_version 0min_decryption_version 1min_encryption_version 0name unseal_keysupports_decryption truesupports_derivation truesupports_encryption truesupports_signing falsetype aes256-gcm96
vault_1 (
http://127.0.0.1:8200
) is initialized and unsealed. The transit secrets engine is enabled and a key is created. This will be used to auto-unseal vault_2. The initial root token is stored in theroot_token-vault_1
file.Setup vault_2.
$ ./cluster.sh setup vault_2 [vault_2] starting Vault server @ http://127.0.0.2:8200 Using [vault_1] root token (hvs.YFkvurx85VPSfsEwS6mSnfWj) to retrieve transit key for auto-unseal [vault_2] initializing and capturing the recovery key and root token [vault_2] Recovery key: VV9QAfeD0DpSIEAyJhuBw9sH5ZSICW/dYeuf/XjVmV4=[vault_2] Root token: hvs.D9IGFnaaq0EQdGEIDMyMincn [vault_2] waiting to finish post-unseal setup (15 seconds) [vault_2] logging in and enabling the KV secrets engineSuccess! You are now authenticated. The token information displayed belowis already stored in the token helper. You do NOT need to run "vault login"again. Future Vault requests will automatically use this token. Key Value--- -----token hvs.D9IGFnaaq0EQdGEIDMyMincntoken_accessor WB7pM07o9oydE1DKepOSS2rKtoken_duration ∞token_renewable falsetoken_policies ["root"]identity_policies []policies ["root"]Success! Enabled the kv-v2 secrets engine at: kv/ [vault_2] storing secret 'kv/apikey' to demonstrate snapshot and recovery methods= Secret Path =kv/data/apikey ======= Metadata =======Key Value--- -----created_time 2023-06-30T19:00:29.354452Zcustom_metadata <nil>deletion_time n/adestroyed falseversion 1= Secret Path =kv/data/apikey ======= Metadata =======Key Value--- -----created_time 2023-06-30T19:00:29.354452Zcustom_metadata <nil>deletion_time n/adestroyed falseversion 1 ===== Data =====Key Value--- -----webapp ABB39KKPTWOR832JGNLS02
vault_2 (
http://127.0.0.2:8200
) is initialized and unsealed. K/V-V2 secrets engine is enabled with some test data atkv/apikey
. The initial root token is stored in therecovery_key-vault_2
file.Setup vault_3.
$ ./cluster.sh setup vault_3 [vault_3] starting Vault server @ http://127.0.0.3:8200 Using [vault_1] root token (hvs.S72Tuc0TOI17zoJolxhxZzba) to retrieve transit key for auto-unseal
Create an HA cluster
Currently vault_2 is initialized, unsealed, and has HA enabled. It is the only node in a cluster. The remaining nodes, vault_3 and vault_4, have not joined its cluster.
Examine the leader
Let's discover more about the configuration of vault_2 and how it describes the current state of the cluster.
Open the vault_2 server configuration file (
config-vault_2.hcl
) in a text editor.config-vault_2.hcl
storage "raft" { path = "<path_to_local>/raft-vault_2/" node_id = "vault_2"} listener "tcp" { address = "127.0.0.2:8200" cluster_address = "127.0.0.2:8201" tls_disable = true} seal "transit" { address = "http://127.0.0.1:8200" # token is read from VAULT_TOKEN env # token = "" disable_renewal = "false" // Key configuration key_name = "unseal_key" mount_path = "transit/"} disable_mlock = truecluster_addr = "http://127.0.0.2:8201"
To use the Integrated Storage, the
storage
stanza is set toraft
. Thepath
specifies the path where Vault data will be stored ($HOME/vault-tutorial/learn-vault-raft/raft-storage/local/raft-vault_2/
).Set the
VAULT_ADDR
to point to vault_2.$ export VAULT_ADDR="http://127.0.0.2:8200"
Examine the current raft peer set.
$ vault operator raft list-peersNode Address State Voter---- ------- ----- -----vault_2 127.0.0.2:8201 leader true
The cluster reports that vault_2 is the only node and is currently the leader.
Examine vault_2 root token.
$ cat root_token-vault_2hvs.tgWTO0NoZ1YxR89B4NULANQA
The cluster.sh
script captured the root token of vault_2 during its
setup and stored it in this file. This root token has privileged access to all
nodes within the cluster.
Although the listener stanza disables TLS for this tutorial, Vault should always be used with TLS in production to provide secure communication between clients and the Vault server. It requires a certificate file and key file on each Vault host.
Join nodes to the cluster
Add vault_3 to the cluster using the vault operator raft join
command.
Open a new terminal and set the working directory to the
learn-vault-raft/raft-storage/local
directory.$ cd $HOME/vault-tutorial/learn-vault-raft/raft-storage/local
Set the VAULT_ADDR to vault_3 API address.
$ export VAULT_ADDR="http://127.0.0.3:8200"
Join vault_3 to the vault_2 cluster.
$ vault operator raft join http://127.0.0.2:8200 Key Value--- -----Joined true
The
http://127.0.0.2:8200
is the vault_2 server address which has been already initialized and auto-unsealed. This makes vault_2 the active node and its storage behaves as the leader in this cluster.Tip
In this scenario, Transit auto-unseal is used; therefore, vault_3 is automatically unsealed once it successfully joins the cluster.
Next, configure the
vault
CLI to use vault_2 root token for requests.$ export VAULT_TOKEN=$(cat root_token-vault_2)
Examine the current raft peer set.
$ vault operator raft list-peers Node Address State Voter---- ------- ----- -----vault_2 127.0.0.2:8201 leader truevault_3 127.0.0.3:8201 follower true
Now, vault_3 is listed as a follower node.
Examine vault_3 log file (
vault_3.log
).$ cat vault_3.log...[TRACE] storage.raft: setting up raft cluster[TRACE] storage.raft: applying raft config: inputs="map[node_id:vault_3 path:/Users/yoko/vault-tutorial/learn-vault-raft/raft-storage/local/raft-vault_3/]" ...snip...[INFO] storage.raft: entering follower state: follower="Node at 127.0.0.3:8201 [Follower]" leader-address= leader-id=[TRACE] storage.raft: finished setting up raft cluster[INFO] core: successfully joined the raft cluster:leader_addr=http://127.0.0.2:8200
The log describes the cluster joining operations.
Finally, verify that you can read the secret at
kv/apikey
.$ vault kv get kv/apikey = Secret Path =kv/data/apikey ======= Metadata =======Key Value--- -----created_time 2022-05-11T23:57:41.394854Zcustom_metadata <nil>deletion_time n/adestroyed falseversion 1 ===== Data =====Key Value--- -----webapp ABB39KKPTWOR832JGNLS02
Retry join
You can use the vault operator raft join
command to join
vault_4 to the cluster in the same way you joined vault_3 to the cluster. However, if the connection details of all the nodes
are known beforehand, you can configure the retry_join
stanza in the server
configuration file to automatically join the cluster.
Modify the server configuration file,
config-vault_4.hcl
by adding theretry_join
block inside thestorage
stanza.retry_join { leader_api_addr = "http://127.0.0.2:8200" } retry_join { leader_api_addr = "http://127.0.0.3:8200" }
The resulting
config-vault_4.hcl
file should look like:config-vault_4.hcl
storage "raft" { path = "<path_to_local>/raft-vault_4/" node_id = "vault_4" retry_join { leader_api_addr = "http://127.0.0.2:8200" } retry_join { leader_api_addr = "http://127.0.0.3:8200" }} listener "tcp" { address = "127.0.0.4:8200" cluster_address = "127.0.0.4:8201" tls_disable = true} seal "transit" { address = "http://127.0.0.1:8200" # token is read from VAULT_TOKEN env # token = "" disable_renewal = "false" // Key configuration key_name = "unseal_key" mount_path = "transit/"} disable_mlock = truecluster_addr = "http://127.0.0.4:8201"
Since the address of vault_2 and vault_3 are known, you can predefine the possible cluster leader addresses in the
retry_join
block.Start vault_4.
$ ./cluster.sh start vault_4
Open a new terminal and set the working directory to the
$HOME/vault-tutorial/learn-vault-raft/raft-storage/local
directory.$ cd $HOME/vault-tutorial/learn-vault-raft/raft-storage/local
Set the VAULT_ADDR to vault_4 API address.
$ export VAULT_ADDR="http://127.0.0.4:8200"
List the peers and notice that vault_4 is listed as a follower node.
$ vault operator raft list-peers Node Address State Voter---- ------- ----- -----vault_2 127.0.0.2:8201 leader truevault_3 127.0.0.3:8201 follower truevault_4 127.0.0.4:8201 follower true
Configure the
vault
CLI, in this terminal, to use vault_2 root token for requests.$ export VAULT_TOKEN=$(cat root_token-vault_2)
Patch the secret at
kv/apikey
.$ vault kv patch kv/apikey expiration="365 days" = Secret Path =kv/data/apikey ======= Metadata =======Key Value--- -----created_time 2022-05-12T04:07:32.488199Zcustom_metadata <nil>deletion_time n/adestroyed falseversion 2
Return to the terminal you used to configure vault_3 and read the secret again.
$ vault kv get kv/apikey = Secret Path =kv/data/apikey ======= Metadata =======Key Value--- -----created_time 2022-05-12T04:07:32.488199Zcustom_metadata <nil>deletion_time n/adestroyed falseversion 2 ======= Data =======Key Value--- -----expiration 365 dayswebapp ABB39KKPTWOR832JGNLS02
Tip
If you are running Vault in a public cloud, the retry_join
stanza supports
auto_join
parameter which takes cloud provider specific configurations as a
string (e.g. provider=aws tag_key=... tag_value=...
). Refer to the Vault
documentation to
learn more.
Data snapshots for recovery
Integrated Storage provides an interface to take snapshots of its data. These snapshots can be used later to restore data if it ever becomes necessary.
Take a snapshot
Return to the terminal where VAULT_ADDR is set to vault_2 address
(http://127.0.0.2:8200
), and then execute the following command to take a
snapshot of the data.
$ vault operator raft snapshot save demo.snapshot
Automated snapshots
Vault Enterprise feature
Automated snapshots require Vault Enterprise 1.6.0 or later.
Instead of taking a snapshot manually, you can schedule snapshots to be taken automatically at your desired interval. You can create multiple automatic snapshot configurations.
Create an automatic snapshot configuration named, daily
which takes a snapshot
every 24 hours. The snapshots are stored locally in a directory named,
raft-backup
and retain 5 snapshots before one can be deleted to make room
for the next snapshot. The local disk space available to store the snapshot is
1GB. This means that raft-backup
retains up to 5 snapshots or 1GB of data
whichever the condition meets first.
$ vault write sys/storage/raft/snapshot-auto/config/daily interval="24h" retain=5 \ path_prefix="raft-backup" storage_type="local" local_max_space=1073741824
In absence of a specific file_prefix
value, the snapshot files will have a
prefix of vault-snapshot
.
Read and verify the automatic snapshot configuration.
$ vault read sys/storage/raft/snapshot-auto/config/daily Key Value--- -----file_prefix vault-snapshotinterval 86400local_max_space 1073741824path_prefix raft-backupretain 5storage_type local
Available snapshot storage types are: local
, aws-s3
, azure-blob
, and
google-gcs
. Depending on the target location, the configuration parameters
differ.
View the path help on the sys/storage/raft/snapshot-auto/config
endpoint.
$ vault path-help sys/storage/raft/snapshot-auto/config/my-config Request: storage/raft/snapshot-auto/config/my-configMatching Route: ^storage/raft/snapshot-auto/config/(?P<name>\w(([\w-.]+)?\w)?)$ Configure automatic snapshotting ## PARAMETERS aws_access_key_id (string) AWS access key ID aws_s3_bucket (string) AWS bucket aws_s3_disable_tls (bool) Disable TLS for the AWS endpoint, intended only for testing ## ...snip...
Simulate loss of data
First, verify that a secrets exists at kv/apikey
.
$ vault kv get kv/apikey
Next, delete the secrets at kv/apikey
.
$ vault kv metadata delete kv/apikeySuccess! Data deleted (if it existed) at: kv/metadata/apikey
Finally, verify that the data has been deleted.
$ vault kv get kv/apikeyNo value found at kv/data/apikey
Restore data from a snapshot
First, recover the data by restoring the data found in demo.snapshot
.
$ vault operator raft snapshot restore demo.snapshot
Optional: You can tail the server log of the active node (vault_2).
$ grep -B3 'snapshot installed' vault_2.log [TRACE] storage.raft.snapshot: snapshot write: writing keys: num_written=39[INFO] storage.raft: copied to local snapshot: bytes=19213[INFO] storage.raft.fsm: installing snapshot to FSM[INFO] storage.raft.fsm: snapshot installed
Verify that the data has been recovered.
$ vault kv get kv/apikey = Secret Path =kv/data/apikey ======= Metadata =======Key Value--- -----created_time 2022-05-12T04:07:32.488199Zcustom_metadata <nil>deletion_time n/adestroyed falseversion 2 ======= Data =======Key Value--- -----expiration 365 dayswebapp ABB39KKPTWOR832JGNLS02
Resign from active duty
Currently, vault_2 is the active node. Experiment to see what happens if vault_2 steps down from its active node duty.
In the terminal where VAULT_ADDR is set to http://127.0.0.2:8200
, execute the
step-down
command.
$ vault operator step-downSuccess! Stepped down: http://127.0.0.2:8200
In the terminal where VAULT_ADDR is set to http://127.0.0.3:8200
, examine the raft peer set.
$ vault operator raft list-peers Node Address State Voter---- ------- ----- -----vault_2 127.0.0.2:8201 follower truevault_3 127.0.0.3:8201 leader truevault_4 127.0.0.4:8201 follower true
Notice that vault_3 is now promoted to be the leader and vault_2 became a follower.
Remove a cluster member
It may become important to remove nodes from the cluster for maintenance, upgrades, or to preserve compute resources.
Remove vault_4 from the cluster.
$ vault operator raft remove-peer vault_4Peer removed successfully!
Verify that vault_4 has been removed from the cluster by viewing the raft cluster peers.
$ vault operator raft list-peers Node Address State Voter---- ------- ----- -----vault_2 127.0.0.2:8201 follower truevault_3 127.0.0.3:8201 leader true
Add vault_4 back to the cluster
If you wish to add vault_4 back to the HA cluster, return to the terminal
where VAULT_ADDR is set to vault_4 API address (http://127.0.0.4:8200
),
and stop vault_4.
$ ./cluster.sh stop vault_4
Delete the data directory.
$ rm -r raft-vault_4
Now, create a raft-vault_4
directory again because the raft storage
destination must exist before you can start the server.
$ mkdir raft-vault_4
Start the vault_4 server.
$ ./cluster.sh start vault_4
You can again examine the peer set to confirm that vault_4 successfully joined the cluster as a follower.
$ vault operator raft list-peers Node Address State Voter---- ------- ----- -----vault_2 127.0.0.2:8201 follower truevault_3 127.0.0.3:8201 leader truevault_4 127.0.0.4:8201 follower true
Recovery mode for troubleshooting
In the case of an outage caused by corrupt entries in the storage backend, an operator might need to start Vault in recovery mode. In this mode, Vault runs with minimal capabilities and exposes a subset of its API.
Start in recovery mode
Use the setup script to stop all remaining cluster members to simulate an outage.
Stop vault_2.
$ ./cluster.sh stop vault_2 Found 1 Vault service(s) matching that name[vault_2] stopping
Stop vault_4 if you added it back to the cluster.
$ ./cluster.sh stop vault_4 Found 1 Vault service(s) matching that name[vault_4] stopping
Stop vault_3.
$ ./cluster.sh stop vault_3 Found 1 Vault service(s) matching that name[vault_3] stopping
Start vault_3 in recovery mode.
$ VAULT_TOKEN=$(cat root_token-vault_1) VAULT_ADDR=http://127.0.0.3:8200 \ vault server -recovery -config=config-vault_3.hcl
Output example:
==> Vault server configuration: Seal Type: transit Transit Address: http://127.0.0.1:8200 Transit Key Name: unseal_key Transit Mount Path: transit/ Cluster Address: http://127.0.0.3:8201 Go Version: go1.20.5 Log Level: Recovery Mode: true Storage: raft Version: Vault v1.14.0, built 2023-06-19T11:40:23Z Version Sha: 13a649f860186dffe3f3a4459814d87191efc321==> Vault server started! Log data will stream in below:2023-06-30T12:50:34.915-0700 [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""2023-06-30T12:50:34.976-0700 [INFO] storage.raft.snapshot: reaping snapshot: path=/Users/yoko/vault-tutorial/learn-vault-raft/raft-storage/local/raft-vault_3/raft/snapshots/3-58-1688154202022
Create a recovery operational token
Open a new terminal and set the working directory to the
$HOME/vault-tutorial/learn-vault-raft/raft-storage/local
directory.$ cd $HOME/vault-tutorial/learn-vault-raft/raft-storage/local
Set the VAULT_ADDR to vault_3 API address.
$ export VAULT_ADDR="http://127.0.0.3:8200"
Generate a temporary one-time password (OTP).
$ vault operator generate-root -generate-otp -recovery-tokendpj9OMJ2N4DoFu0bmq1EbPqASGij
Start the generation of the recovery token with the OTP.
Example:
$ vault operator generate-root -init \ -otp=dpj9OMJ2N4DoFu0bmq1EbPqASGij -recovery-token
Output example:
Nonce f0454dce-b46d-70d1-5ae0-9f7ac9dc1e9fStarted trueProgress 0/1Complete falseOTP Length 28
View the recovery key that was generated during the setup of vault_3.
$ cat recovery_key-vault_2JRiV5VGrzlB9JVXhfHSunSELfY+pQsqUTxGI8+Hjtpk=
Note
Recovery key is used instead of unseal key since this cluster has Transit auto-unseal configured.
Create an encoded token.
$ vault operator generate-root -recovery-token Operation nonce: b7411535-8c68-9905-97fc-d7b36dcb1a80Unseal Key (will be hidden):
Enter the recovery key when prompted. The output looks similar to below.
Operation nonce: f0454dce-b46d-70d1-5ae0-9f7ac9dc1e9fUnseal Key (will be hidden):Nonce f0454dce-b46d-70d1-5ae0-9f7ac9dc1e9fStarted trueProgress 1/1Complete trueEncoded Token DAYYFxcUKVN9XXYNDx9IDSEwXnFSMzt5AzUHCw
Finally, complete the creation of a recovery token with the
encoded token
andotp
.Example:
$ vault operator generate-root \ -decode=DAYYFxcUKVN9XXYNDx9IDSEwXnFSMzt5AzUHCw \ -otp=dpj9OMJ2N4DoFu0bmq1EbPqASGij \ -recovery-token
Output example:
hvr.XYca3i2bIjxoLAo40cJ8Prna
In recovery mode, Vault launches with a minimal API enabled. In this mode you are able to interact with the raw system backend. Use the recovery operational token to list the contents at
sys/raw/sys
.Example:
$ VAULT_TOKEN=hvr.XYca3i2bIjxoLAo40cJ8Prna vault list sys/raw/sys Keys----policy/token/
Fix the issue using the recovery token.
Resume normal operations
First, stop the Vault server running in recovery mode by pressing Ctrl+C in the terminal where vault_3 is started in recovery mode.
Start Vault service for vault_3.
$ ./cluster.sh start vault_3
Start vault_2.
$ ./cluster.sh start vault_2
Cluster reset
When a node is brought up in recovery mode, it resets the list of cluster members. This means that when resuming normal operations, each node will need to rejoin the cluster.
Clean up
When you are done you can quickly stop all services, remove all configuration
and remove all modifications to your local system with the same cluster.sh
script you used the setup.
Clean up your local workstation.
$ ./cluster.sh clean...Found 4 Vault services Each node in the Vault cluster required: - local loopback address - a configuration file - a directory to store the contents of the Raft storage. Removing local loopback address: 127.0.0.2 (sudo required)Removing local loopback address: 127.0.0.3 (sudo required)Removing local loopback address: 127.0.0.4 (sudo required)Removing configuration file <path_to_local>/config-vault_1.hclRemoving configuration file <path_to_local>/config-vault_2.hclRemoving configuration file <path_to_local>/config-vault_3.hclRemoving configuration file <path_to_local>/config-vault_4.hclRemoving raft storage file <path_to_local>/raft-vault_2Removing raft storage file <path_to_local>/raft-vault_3Removing raft storage file <path_to_local>/raft-vault_4Removing key <path_to_local>/unseal_key-vault_1Removing key <path_to_local>/recovery_key-vault_2Removing key <path_to_local>/root_token-vault_1Removing key <path_to_local>/root_token-vault_2Removing log file <path_to_local>/vault_1.logRemoving log file <path_to_local>/vault_2.logRemoving log file <path_to_local>/vault_3.logRemoving log file <path_to_local>/vault_4.logRemoving demo.snapshotClean complete