KV


Enable (KV v1)

vault secrets enable kv
Enable KV v1 secret engine (default is KV v1).

vault secrets enable kv -version=1
Enable KV v1 secret engine.

vault kv enable-versioning my_kv_path
Enable versioning on an existing KV v1 secret engine (upgrades it in place to KV v2).


Enable (KV v2)

vault secrets enable kv-v2
Enable KV v2 secret engine.

vault secrets enable kv -version=2
Enable KV v2 secret engine.


List

vault kv list my_kv_path
List secrets in a kv secret engine.


Get

vault kv get my_secret
Read a secret.

vault kv get -format=json my_secret | jq -r .data
Read a secret and output in JSON (on a KV v2 engine the secret values are nested under .data.data, with version metadata beside them).

vault kv get -field=password my_credentials
Read one field.

vault kv get -format=json my_credentials | jq -r .data.data.password
Read one field and output in JSON.


Put

vault kv put my_secret key=value
Create or replace a secret with a single key-value pair.

vault kv put my_credentials username=myUser password=myPass
Create or replace a secret composed of multiple key-value pairs.


Patch (KV v2)

vault kv patch my_credentials password=myNewPass
Create a new version by updating only the provided keys (partial update), instead of replacing every key as kv put does.


Rollback (KV v2)

vault kv rollback -versions=12 my_secret
Restore a non-deleted version (creates a new version with the values of the version being restored).


Delete

vault kv delete my_secret
Permanently delete the secret (KV v1). On a KV v2 engine the same command only soft-deletes the latest version.


Delete (KV v2)

vault kv delete -versions=12 my_secret
Mark the version as deleted (soft delete).
It can be restored with vault kv undelete.


Undelete (KV v2)

vault kv undelete -versions=12 my_secret
Restore a version of a secret. Only works if that version was not destroyed (its destroyed property is false).


Destroy (KV v2)

vault kv destroy -versions=12 my_secret
Permanently delete specified version(s) of a secret (cannot be recovered).


Metadata (KV v2)

vault kv metadata delete my_secret
Permanently deletes the secret, including all of its versions and its metadata.


Transit


Enable

vault secrets enable transit
Enable Transit secret engine.


Keys

vault list transit/keys
List Keys in Transit engine.

vault write -f transit/keys/my_key
Create a new Key.

vault write -f transit/keys/my_key/rotate
Rotate the Key (create a new version).
Old versions of the key still exist; min_decryption_version controls which older versions may still decrypt data.


Encryption

vault write transit/encrypt/my_key plaintext=$(echo "my secret data" | base64)
Encrypt data.

vault write -field=plaintext transit/decrypt/my_key ciphertext=vault:v1:qRuV... | base64 -d
Decrypt data (-field=plaintext returns only the base64-encoded plaintext, which base64 -d then decodes).

vault write transit/rewrap/my_key ciphertext=vault:v1:8SDd...
Decrypt then re-encrypt data with a newer version of the key.
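After a rotate, the practical question is which stored ciphertexts were produced by a key version that will fall below min_decryption_version and so need the rewrap above. This added shell example (not part of the cheat sheet) answers that offline by parsing the vault:vN: prefix of Transit ciphertexts; the ciphertexts and the min_decryption_version value are constructed samples.

```shell
#!/bin/sh
# Added example: flag Transit ciphertexts ("vault:vN:<base64>") whose key
# version is below min_decryption_version, i.e. candidates for
# `vault write transit/rewrap/my_key ciphertext=...` before the floor is raised.

# Print the key version N of a "vault:vN:..." ciphertext.
# Prints nothing and returns 1 if the value is not in Transit's format.
ciphertext_version() {
  case "$1" in
    vault:v[0-9]*:*) ;;
    *) return 1 ;;
  esac
  v=${1#vault:v}
  printf '%s\n' "${v%%:*}"
}

# Return 0 if ciphertext $1 was made with a key version older than the
# min_decryption_version $2 (needs rewrap), 1 if it is current enough,
# 2 if the ciphertext is malformed.
needs_rewrap() {
  ver=$(ciphertext_version "$1") || return 2
  [ "$ver" -lt "$2" ]
}

# Constructed sample: ciphertexts from key versions 1, 2 and 3 after the key
# was rotated twice and min_decryption_version raised to 2, plus one bad value.
SAMPLE_CIPHERTEXTS='vault:v1:8SDdAAAA
vault:v2:qRuVBBBB
vault:v3:ZZZZCCCC
not-a-vault-ciphertext'
MIN_DECRYPTION_VERSION=2

# One line per ciphertext with the action a rotation runbook would take.
report_rewrap_candidates() {
  printf '%s\n' "$SAMPLE_CIPHERTEXTS" | while IFS= read -r ct; do
    needs_rewrap "$ct" "$MIN_DECRYPTION_VERSION" && rc=0 || rc=$?
    case $rc in
      0) echo "REWRAP   $ct" ;;
      1) echo "OK       $ct" ;;
      *) echo "INVALID  $ct" ;;
    esac
  done
}

report_rewrap_candidates
```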