Upgrade Vault

Vault supports in-place upgrades and automatically handles most tasks when you unseal Vault after the upgrade.

Upgrading from Community to Enterprise edition

If you plan to move from Vault Community to Vault Enterprise during your upgrade, make sure to download an enterprise binary and apply your license file during the upgrade.

  • You must have sudo permissions on the Vault server. Make sure you can install binaries on the Vault server.
  • You must have admin permissions for Vault. Make sure you can stop and start the Vault process.
  • Identify unseal candidates. Identify and notify enough people with unseal shards to meet the unseal threshold after restart.

To perform an in-place upgrade of a single Vault instance:

  1. Back up your Vault data. Vault does not make backward-compatibility guarantees for the Vault data store and the upgrade process may make changes to the data store.

    Backup and restore data

    All Vault editions support snapshot save and restore features for data backup and restoration. Vault Enterprise users benefit from automated snapshots to local or cloud storage, and individual secret recovery.

    See the manage snapshots system administration guides for more information.

  2. Back up your current Vault configuration.

  3. Review recent deprecation notices. If you use deprecated or ended functionality, make a plan to move away from those features before upgrading.

  4. Use the doc version selector to review the important changes for each major version between your current version and the upgrade target.

  5. Perform any prerequisites noted in the important changes documentation.

  6. Use SIGINT or SIGTERM to shut down Vault.

  7. Install the latest version of Vault over your existing instance.

  8. Start Vault.

  9. Verify the current version:

    $ vault status | grep Version
    
  10. Unseal Vault.

  11. Test the upgrade. The best way to test an upgrade is to take a snapshot of the Vault data store after upgrading and load the backup into a test instance.

Isolate your test instance

Always perform upgrade or restore tests in a fully isolated network environment. Isolation maintains data consistency by preventing unwanted cluster-to-cluster communication, and it stops the test instance from attempting to revoke third-party credentials (secrets, etc.). If the test instance revokes live credentials, they may expire, which might result in irrevocable leases for the production Vault cluster from which the snapshot was taken.
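For steps 8 to 10 of the procedure above, the following added example (not part of the original Vault documentation) parses `vault status` output and confirms the running version matches the upgrade target before anyone enters unseal keys, since Vault handles its upgrade tasks at unseal. The helper names `status_field` and `check_upgrade`, the sample output, and the version 1.15.2 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate between "Start Vault" and "Unseal Vault".
# Sample output and the 1.15.2 version are constructed for illustration.
SAMPLE_STATUS='Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Version            1.15.2
Storage Type       raft'

# status_field <status-text> <key>: print the value column for an exact key.
status_field() {
    printf '%s\n' "$1" | awk -v k="$2" '
        { key = $0; sub(/  +.*$/, "", key) }   # key = text before the column gap
        key == k { val = $0; sub(/^.*  +/, "", val); print val; exit }'
}

# check_upgrade <status-text> <target-version>
# Prints one verdict. Returns 0 = upgraded and unsealed, 1 = wrong version,
# 2 = right version but still sealed, 3 = status output could not be parsed.
check_upgrade() {
    version=$(status_field "$1" "Version")
    sealed=$(status_field "$1" "Sealed")
    if [ -z "$version" ] || [ -z "$sealed" ]; then
        echo "unknown: status output incomplete"; return 3
    fi
    if [ "$version" != "$2" ]; then
        echo "stop: running $version, expected $2; do not unseal"; return 1
    fi
    if [ "$sealed" = "true" ]; then
        echo "unseal: version $version confirmed, progress $(status_field "$1" "Unseal Progress")"
        return 2
    fi
    echo "ok: version $version unsealed"; return 0
}

# Live use: vault status exits with code 2 while Vault is sealed, so keep
# that from aborting a script that runs under `set -e`:
#   check_upgrade "$(vault status || true)" "1.15.2"
```

Run the check once after starting Vault and again after the unseal threshold is met; a "stop" verdict means the old binary is still running and the backups from steps 1 and 2 are still current.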