HashiConf 2024 Now streaming live from Boston! Attend for free
Vault
Vault Home

Destroy key/value data

The standard vault kv delete command performs soft deletes. Use the CLI or GUI to permanently delete (destroy) data so Vault purges the underlying data and sets the destroyed metadata field to true.

Assumptions

  • You have set up a kv v2 plugin.
  • Your authentication token has delete and metadata permissions for the kv v2 plugin.

Use vault kv destroy with the -versions flag to permanently delete one or more version of key/value data:

$ vault kv destroy              \
   -mount <mount_path>          \
   -versions <target_versions>  \
   <secret_path>

For example:

$ vault kv destroy -mount shared -versions 2,3 dev/square-api

Success! Data written to: shared/destroy/dev/square-api

The destroyed metadata field for versions 2 and 3 is now true

$ vault kv metadata get -mount shared dev/square-api

======== Metadata Path ========
shared/metadata/dev/square-api

========== Metadata ==========
Key                     Value
---                     -----
cas_required            false
created_time            2024-11-13T21:51:50.898782695Z
current_version         4
custom_metadata         <nil>
delete_version_after    0s
max_versions            5
oldest_version          0
updated_time            2024-11-14T22:32:42.29534643Z

...

====== Version 2 ======
Key              Value
---              -----
created_time     2024-11-13T21:52:10.326204209Z
deletion_time    n/a
destroyed        true

====== Version 3 ======
Key              Value
---              -----
created_time     2024-11-13T21:58:32.128442898Z
deletion_time    n/a
destroyed        true
Edit this page on GitHub