Soft delete key/value data
Use soft deletes to flag data at a secret path as unavailable while leaving the
data recoverable. You can revert soft deletes as long as the destroyed
field
is false
in the metadata.
Assumptions
- You have set up a
kv
v2 plugin. - Your authentication token has
create
andupdate
permissions for thekv
v2 plugin.
Use vault kv delete
with the -versions
flag to
soft delete one or more version of key/value data and set deletion_time
in the
metadata:
$ vault kv delete \ -mount <mount_path> \ -versions <target_versions> \ <secret_path>
For example:
$ vault kv delete -mount shared -versions 1,4 dev/square-api Success! Data deleted (if it existed) at: shared/data/dev/square-api
The deletion_time
metadata field for versions 1 and 4 now has the timestamp
of when Vault marked the versions as deleted:
$ vault kv metadata get -mount shared dev/square-api ======== Metadata Path ========shared/metadata/dev/square-api ========== Metadata ==========Key Value--- -----cas_required falsecreated_time 2024-11-13T21:51:50.898782695Zcurrent_version 4custom_metadata <nil>delete_version_after 0smax_versions 5oldest_version 0updated_time 2024-11-14T22:32:42.29534643Z ====== Version 1 ======Key Value--- -----created_time 2024-11-13T21:51:50.898782695Zdeletion_time 2024-11-15T00:45:04.057772212Zdestroyed false ... ====== Version 4 ======Key Value--- -----created_time 2024-11-14T22:32:42.29534643Zdeletion_time 2024-11-15T00:45:04.057772712Zdestroyed false