
Storing Updating and Removing Secrets from Vault

In this tutorial we will see how to add, retrieve, update, delete and destroy secrets in HashiCorp Vault using the command line interface.

Vault stores secrets as key/value pairs. The list of key/value secret operations can be seen by running the command "vault kv -help":
mail2@sm15 MINGW64 ~
$ vault kv -help
Usage: vault kv <subcommand> [options] [args]

  This command has subcommands for interacting with Vault's key-value
  store. Here are some simple examples, and more detailed examples are
  available in the subcommands or the documentation.

  Create or update the key named "foo" in the "secret" mount with the value
  "bar=baz":

      $ vault kv put -mount=secret foo bar=baz

  Read this value back:

      $ vault kv get -mount=secret foo

  Get metadata for the key:

      $ vault kv metadata get -mount=secret foo

  Get a specific version of the key:

      $ vault kv get -mount=secret -version=1 foo

  The deprecated path-like syntax can also be used, but this should be avoided
  for KV v2, as the fact that it is not actually the full API path to
  the secret (secret/data/foo) can cause confusion:

      $ vault kv get secret/foo

  Please see the individual subcommand help for detailed usage information.

Subcommands:
    delete               Deletes versions in the KV store
    destroy              Permanently removes one or more versions in the KV store
    enable-versioning    Turns on versioning for a KV store
    get                  Retrieves data from the KV store
    list                 List data or secrets
    metadata             Interact with Vault's Key-Value storage
    patch                Sets or updates data in the KV store without overwriting
    put                  Sets or updates data in the KV store
    rollback             Rolls back to a previous version of data
    undelete             Undeletes versions in the KV store

Creating Key/Value secrets

To create a secret, we have to supply the path where the secret is to be stored and the key/value pairs. The put command is used to add or update secrets. Here is a sample command. In this command, we are providing the path to store the secrets as "secret/first-app-secrets". username and password are the key/value pairs that are going to be stored at that secret path.
mail2@sm15 MINGW64 ~
$ vault kv put secret/first-app-secrets username=mytopsecretusername password=mytopsecretpassword
======== Secret Path ========
secret/data/first-app-secrets

======= Metadata =======
Key                Value
---                -----
created_time       2022-12-25T23:59:27.1182955Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

Updating the secret

The put command can also be used to update the values at the secret's path.

If any updates are made to the values at a secret path, Vault creates a new version. Here is the command that updates the values at the path created earlier. We can see that the version number has been updated to 2:
mail2@sm15 MINGW64 ~
$ vault kv put secret/first-app-secrets username=mytopsecretusername password=mynewtopsecretpassword
======== Secret Path ========
secret/data/first-app-secrets

======= Metadata =======
Key                Value
---                -----
created_time       2022-12-26T00:05:12.8519398Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

Retrieve Secrets

The get command is used to retrieve the secrets:
 mail2@sm15 MINGW64 ~
$ vault kv get secret/first-app-secrets
======== Secret Path ========
secret/data/first-app-secrets

======= Metadata =======
Key                Value
---                -----
created_time       2022-12-26T00:05:12.8519398Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

====== Data ======
Key         Value
---         -----
password    mynewtopsecretpassword
username    mytopsecretusername

A version number can be provided to get the secrets from a specific version of the path:
mail2@sm15 MINGW64 ~
$ vault kv get -version=1 secret/first-app-secrets
======== Secret Path ========
secret/data/first-app-secrets

======= Metadata =======
Key                Value
---                -----
created_time       2022-12-25T23:59:27.1182955Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

====== Data ======
Key         Value
---         -----
password    mytopsecretpassword
username    mytopsecretusername

A field name can be specified to retrieve a single field of the secret:
mail2@sm15 MINGW64 ~
$ vault kv get -version=1 -field=password secret/first-app-secrets
mytopsecretpassword

The stored secrets can also be viewed from the Vault UI.

Removing Secrets from Vault

There are two ways to remove secrets from a Vault path. The delete command can be reverted, meaning that a secret deleted from a path can be brought back using the "undelete" command. The destroy command permanently removes the secret from the path.

Deleting the secrets from the path:
mail2@sm15 MINGW64 ~
$ vault kv delete secret/first-app-secrets
Success! Data deleted (if it existed) at: secret/data/first-app-secrets

Now if we try to retrieve the secrets, we only get the metadata:
mail2@sm15 MINGW64 ~
$ vault kv get secret/first-app-secrets
======== Secret Path ========
secret/data/first-app-secrets

======= Metadata =======
Key                Value
---                -----
created_time       2022-12-26T00:05:12.8519398Z
custom_metadata    <nil>
deletion_time      2022-12-26T02:17:22.6706911Z
destroyed          false
version            2

Undeleting the deleted secrets: The versions to be restored are provided using the -versions flag. The provided version number and previous versions get restored.
mail2@sm15 MINGW64 ~
$ vault kv undelete -versions=2 secret/first-app-secrets
Success! Data written to: secret/undelete/first-app-secrets

We can now retrieve the secrets again:
mail2@sm15 MINGW64 ~
$ vault kv get secret/first-app-secrets
======== Secret Path ========
secret/data/first-app-secrets

======= Metadata =======
Key                Value
---                -----
created_time       2022-12-26T00:05:12.8519398Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

====== Data ======
Key         Value
---         -----
password    mynewtopsecretpassword
username    mytopsecretusername

Destroying the secrets from the path: The destroy command permanently removes the secrets from the path, and they cannot be undeleted. The destroy command requires the -versions flag.
mail2@sm15 MINGW64 ~
$ vault kv destroy -versions=2 secret/first-app-secrets
Success! Data written to: secret/destroy/first-app-secrets

After this execution, version 2 is removed but version 1 can still be retrieved:
mail2@sm15 MINGW64 ~
$ vault kv get -version=2 -field=password secret/first-app-secrets
No data found at secret/data/first-app-secrets

mail2@sm15 MINGW64 ~
$ vault kv get -version=1 -field=password secret/first-app-secrets
mytopsecretpassword
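To make the version lifecycle shown above easier to reason about, here is an added in-memory model of the KV v2 behaviour the CLI session demonstrates (put creates a version, delete is reversible, destroy is not, and older versions stay readable). It is example code written for this page, not Vault's own implementation; the class and method names are constructed, and metadata such as timestamps is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Version:
    data: dict                # key/value pairs written by "put"
    deleted: bool = False     # "delete" sets this, "undelete" clears it
    destroyed: bool = False   # "destroy" sets this; the data is gone for good

@dataclass
class KvV2Store:
    # path -> list of versions; list index 0 holds version 1, as in Vault
    secrets: dict = field(default_factory=dict)

    def put(self, path, **kv):
        """Every write creates a new version; earlier versions stay readable."""
        versions = self.secrets.setdefault(path, [])
        versions.append(Version(dict(kv)))
        return len(versions)      # the version number the CLI prints

    def get(self, path, version=None, key=None):
        """Data of the latest (or requested) version, or None when that
        version is deleted/destroyed (the CLI then shows metadata only)."""
        versions = self.secrets.get(path, [])
        if not versions or (version is not None and not 1 <= version <= len(versions)):
            return None
        v = versions[-1] if version is None else versions[version - 1]
        if v.deleted or v.destroyed:
            return None
        return v.data[key] if key else dict(v.data)

    def delete(self, path, versions=None):
        """Soft delete of the given versions (latest by default); reversible."""
        for v in self._select(path, versions):
            v.deleted = True

    def undelete(self, path, versions):
        """Clears the deletion mark; a destroyed version cannot come back."""
        for v in self._select(path, versions):
            v.deleted = False

    def destroy(self, path, versions):
        """Permanent: the data of those versions is wiped, like -versions=N."""
        for v in self._select(path, versions):
            v.destroyed, v.data = True, {}

    def _select(self, path, versions):
        all_v = self.secrets[path]
        return [all_v[-1]] if versions is None else [all_v[n - 1] for n in versions]
```

Replaying the tutorial's sequence against this model (two puts, delete, undelete, destroy version 2) reproduces the same outcomes the CLI output shows: version 2 is unreadable after destroy while version 1 still returns the original password.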
