Hashicorp Vault
===============

+---------------+----------------------------------------------------------------------+
| Metric        | Target                                                               |
+===============+======================================================================+
| RPO           | 2 hours (backup every 2 hours)                                       |
+---------------+----------------------------------------------------------------------+
| RTO           | 4 hours                                                              |
+---------------+----------------------------------------------------------------------+

.. note:: Vault is currently being migrated from Bregenz to Hetzner.

We use Hashicorp Vault to store secrets. It is available at `https://vault.bregenz.a1.cr8.net:8200 <https://vault.bregenz.a1.cr8.net:8200>`_.
Note that the DNS will stay the same even when it is migrated to Hetzner.

Vault uses Consul as the storage mechanism.

The backup procedure for Vault/Consul is well documented in the `infrastructure docs`_.
tldr: the backups are in the ``cr8-backup-us-east-1`` s3 bucket and use the standard Consul
backup mechanism, as described in the `infrastructure docs`_.

.. _infrastructure docs: https://github.com/crate/infrastructure/blob/master/docs/vault.rst#backup