HashiConf 2024 Now streaming live from Boston! Attend for free
Vault
Vault Home

Soft delete key/value data

Use soft deletes to flag data at a secret path as unavailable while leaving the data recoverable. You can revert soft deletes as long as the destroyed field is false in the metadata.

Assumptions

Use vault kv delete with the -versions flag to soft delete one or more version of key/value data and set deletion_time in the metadata:

$ vault kv delete               \
   -mount <mount_path>          \
   -versions <target_versions>  \
   <secret_path>

For example:

$ vault kv delete -mount shared -versions 1,4 dev/square-api

Success! Data deleted (if it existed) at: shared/data/dev/square-api

The deletion_time metadata field for versions 1 and 4 now has the timestamp of when Vault marked the versions as deleted:

$ vault kv metadata get -mount shared dev/square-api

======== Metadata Path ========
shared/metadata/dev/square-api

========== Metadata ==========
Key                     Value
---                     -----
cas_required            false
created_time            2024-11-13T21:51:50.898782695Z
current_version         4
custom_metadata         <nil>
delete_version_after    0s
max_versions            5
oldest_version          0
updated_time            2024-11-14T22:32:42.29534643Z

====== Version 1 ======
Key              Value
---              -----
created_time     2024-11-13T21:51:50.898782695Z
deletion_time    2024-11-15T00:45:04.057772212Z
destroyed        false

...

====== Version 4 ======
Key              Value
---              -----
created_time     2024-11-14T22:32:42.29534643Z
deletion_time    2024-11-15T00:45:04.057772712Z
destroyed        false
Edit this page on GitHub