Vault
Destroy key/value data
The standard vault kv delete command performs soft deletes. Use the CLI or GUI
to permanently delete (destroy) data so Vault purges the underlying data and
sets the destroyed metadata field to true.
Assumptions
- You have set up a kv v2 plugin.
- Your authentication token has create and update permissions for the kv v2 plugin.
Use vault kv destroy with the -versions flag to
permanently delete one or more versions of key/value data:
$ vault kv destroy \
    -mount <mount_path> \
    -versions <target_versions> \
    <secret_path>
For example:
$ vault kv destroy -mount shared -versions 2,3 dev/square-api
Success! Data written to: shared/destroy/dev/square-api
The destroyed metadata field for versions 2 and 3 is now true:
$ vault kv metadata get -mount shared dev/square-api
======== Metadata Path ========
shared/metadata/dev/square-api
========== Metadata ==========
Key Value
--- -----
cas_required false
created_time 2024-11-13T21:51:50.898782695Z
current_version 4
custom_metadata <nil>
delete_version_after 0s
max_versions 5
oldest_version 0
updated_time 2024-11-14T22:32:42.29534643Z
...
====== Version 2 ======
Key Value
--- -----
created_time 2024-11-13T21:52:10.326204209Z
deletion_time n/a
destroyed true
====== Version 3 ======
Key Value
--- -----
created_time 2024-11-13T21:58:32.128442898Z
deletion_time n/a
destroyed true
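To confirm a purge in a script rather than by eye, the check below classifies each target version from the JSON form of the metadata output. It is an added example, not part of the Vault documentation; it assumes `vault kv metadata get -format=json` returns the per-version fields under `data.versions`, and the function names and sample document are constructed for illustration.

```python
import json

# Constructed sample shaped like `vault kv metadata get -format=json` output
# (assumption: versions live under data.versions, keyed by version number).
SAMPLE = json.dumps({"data": {"current_version": 4, "versions": {
    "1": {"created_time": "2024-11-13T21:51:50Z", "deletion_time": "",
          "destroyed": False},
    "2": {"created_time": "2024-11-13T21:52:10Z", "deletion_time": "",
          "destroyed": True},
    "3": {"created_time": "2024-11-13T21:58:32Z", "deletion_time": "",
          "destroyed": True},
    "4": {"created_time": "2024-11-14T22:32:42Z",
          "deletion_time": "2024-11-14T23:00:00Z", "destroyed": False},
}}})


def version_states(metadata_json, targets):
    """Classify each target version as destroyed, soft-deleted, live or absent."""
    versions = json.loads(metadata_json).get("data", {}).get("versions") or {}
    states = {}
    for v in targets:
        entry = versions.get(str(v))
        if entry is None:
            states[v] = "absent"        # no metadata entry for this version
        elif entry.get("destroyed") is True:
            states[v] = "destroyed"     # underlying data purged
        elif entry.get("deletion_time"):
            states[v] = "soft-deleted"  # vault kv delete only; data not purged
        else:
            states[v] = "live"
    return states


def not_destroyed(metadata_json, targets):
    """Return the target versions that are not confirmed destroyed."""
    states = version_states(metadata_json, targets)
    return sorted(v for v, s in states.items() if s != "destroyed")


if __name__ == "__main__":
    for v, s in version_states(SAMPLE, [1, 2, 3, 4, 9]).items():
        print(f"version {v}: {s}")
```

A non-empty result from `not_destroyed` means at least one version you intended to purge is still live, only soft-deleted, or has no metadata entry to confirm against.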
