HashiDays One conference. Three cities. Find a city near you
Vault
Vault Home

Soft delete key/value data

Use soft deletes to flag data at a secret path as unavailable while leaving the data recoverable. You can revert soft deletes as long as the destroyed field is false in the metadata.

Assumptions

  • You have set up a kv v2 plugin.
  • Your authentication token has create and update permissions for the kv v2 plugin.

Use vault kv delete with the -versions flag to soft delete one or more version of key/value data and set deletion_time in the metadata:

$ vault kv delete               \   -mount <mount_path>          \   -versions <target_versions>  \   <secret_path>

For example:

$ vault kv delete -mount shared -versions 1,4 dev/square-apiSuccess! Data deleted (if it existed) at: shared/data/dev/square-api

The deletion_time metadata field for versions 1 and 4 now has the timestamp of when Vault marked the versions as deleted:

$ vault kv metadata get -mount shared dev/square-api======== Metadata Path ========shared/metadata/dev/square-api========== Metadata ==========Key                     Value---                     -----cas_required            falsecreated_time            2024-11-13T21:51:50.898782695Zcurrent_version         4custom_metadata         <nil>delete_version_after    0smax_versions            5oldest_version          0updated_time            2024-11-14T22:32:42.29534643Z====== Version 1 ======Key              Value---              -----created_time     2024-11-13T21:51:50.898782695Zdeletion_time    2024-11-15T00:45:04.057772212Zdestroyed        false...====== Version 4 ======Key              Value---              -----created_time     2024-11-14T22:32:42.29534643Zdeletion_time    2024-11-15T00:45:04.057772712Zdestroyed        false
Edit this page on GitHub