Destroy key/value data
The standard vault kv delete command performs soft deletes. Use the CLI or GUI
to permanently delete (destroy) data so Vault purges the underlying data and
sets the destroyed metadata field to true.

Assumptions
- You have set up a kv v2 plugin.
- Your authentication token has create and update permissions for the kv v2 plugin.

Use vault kv destroy with the -versions flag to permanently delete one or more
versions of key/value data:

    $ vault kv destroy \
        -mount <mount_path> \
        -versions <target_versions> \
        <secret_path>

For example:

    $ vault kv destroy -mount shared -versions 2,3 dev/square-api
    Success! Data written to: shared/destroy/dev/square-api

The destroyed metadata field for versions 2 and 3 is now true:

    $ vault kv metadata get -mount shared dev/square-api
    ======== Metadata Path ========
    shared/metadata/dev/square-api

    ========== Metadata ==========
    Key                     Value
    ---                     -----
    cas_required            false
    created_time            2024-11-13T21:51:50.898782695Z
    current_version         4
    custom_metadata         <nil>
    delete_version_after    0s
    max_versions            5
    oldest_version          0
    updated_time            2024-11-14T22:32:42.29534643Z

    ...

    ====== Version 2 ======
    Key              Value
    ---              -----
    created_time     2024-11-13T21:52:10.326204209Z
    deletion_time    n/a
    destroyed        true

    ====== Version 3 ======
    Key              Value
    ---              -----
    created_time     2024-11-13T21:58:32.128442898Z
    deletion_time    n/a
    destroyed        true
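
The metadata check above can be automated after a destroy. The following is an added example, not part of the Vault documentation: it parses the output of vault kv metadata get with -format=json and reports any target version that is not destroyed, separating soft-deleted versions from live ones. The script name check_destroyed.py, the function names, and the sample JSON (trimmed to data.versions, with constructed values for versions 1 and 4) are assumptions.

```python
import json
import sys

# Constructed sample of `vault kv metadata get -format=json` output, trimmed to
# the fields used here. Versions 2 and 3 mirror the page's example; the entries
# for versions 1 and 4 are made up for illustration.
SAMPLE_METADATA = """
{"data": {"current_version": 4, "versions": {
  "1": {"created_time": "2024-11-13T21:51:50Z", "deletion_time": "2024-11-14T09:00:00Z", "destroyed": false},
  "2": {"created_time": "2024-11-13T21:52:10.326204209Z", "deletion_time": "", "destroyed": true},
  "3": {"created_time": "2024-11-13T21:58:32.128442898Z", "deletion_time": "", "destroyed": true},
  "4": {"created_time": "2024-11-14T22:32:42Z", "deletion_time": "", "destroyed": false}
}}}
"""


def version_states(metadata_json):
    """Map each version number to 'destroyed', 'soft-deleted' or 'live'."""
    versions = json.loads(metadata_json)["data"]["versions"]
    states = {}
    for number, info in versions.items():
        if info.get("destroyed"):
            states[int(number)] = "destroyed"
        elif info.get("deletion_time"):
            # deletion_time is set by a soft delete (or scheduled through
            # delete_version_after); the underlying data is not purged.
            states[int(number)] = "soft-deleted"
        else:
            states[int(number)] = "live"
    return states


def not_destroyed(metadata_json, targets):
    """Return {version: state} for every target that is not destroyed."""
    states = version_states(metadata_json)
    return {v: states.get(v, "missing") for v in targets
            if states.get(v) != "destroyed"}


if __name__ == "__main__":
    # vault kv metadata get -format=json -mount shared dev/square-api \
    #   | python3 check_destroyed.py 2,3
    targets = [int(v) for v in sys.argv[1].split(",")] if len(sys.argv) > 1 else [2, 3]
    raw = SAMPLE_METADATA if sys.stdin.isatty() else sys.stdin.read()
    leftover = not_destroyed(raw, targets)
    for version, state in sorted(leftover.items()):
        print(f"version {version}: {state}, not destroyed")
    sys.exit(1 if leftover else 0)
```

A non-zero exit status means at least one requested version still holds recoverable data or does not appear in the metadata.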