Vault from Beginner to Proficient, Part 3: Writing, Reading, and Deleting Secrets

1. Write a secret

Now, use the vault kv put command to write a key-value secret to the path hello, with the key foo and the value world. The -mount=secret flag names the mount path secret, which is where the KV v2 secrets engine is mounted. This command creates a new version of the secret and replaces any pre-existing data at the path.

vault kv put -mount=secret hello foo=world
== Secret Path ==
secret/data/hello

======= Metadata =======
Key                Value
---                -----
created_time       2023-06-19T05:42:29.37860224Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

A single kv put can also write multiple key-value pairs.

vault kv put -mount=secret hello foo=world excited=yes
== Secret Path ==
secret/data/hello

======= Metadata =======
Key                Value
---                -----
created_time       2023-06-19T05:49:45.203881375Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

Note that version is now 2.

2. Read the secret

As you might expect, secrets can be retrieved using vault kv get.

vault kv get -mount=secret hello
== Secret Path ==
secret/data/hello

======= Metadata =======
Key                Value
---                -----
created_time       2023-06-19T05:49:45.203881375Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

===== Data =====
Key        Value
---        -----
excited    yes
foo        world

Vault returns the latest version of the secret (version 2 in this case) at secret/hello.

To print only the value of a given field, use the -field=<key_name> flag.

vault kv get -mount=secret -field=excited hello
yes

Optional JSON output is useful for scripts. For example, you can use the jq tool to extract the value of the excited secret.

vault kv get -mount=secret -format=json hello | jq -r .data.data.excited
yes

3. Delete the secret

Now that you've learned how to read and write a secret, let's move on to deleting it. This can be done with the vault kv delete command.

vault kv delete -mount=secret hello
Success! Data deleted (if it existed) at: secret/data/hello

Try reading the secret you just deleted.

vault kv get -mount=secret hello
== Secret Path ==
secret/data/hello

======= Metadata =======
Key                Value
---                -----
created_time       2023-06-19T05:49:45.203881375Z
custom_metadata    <nil>
deletion_time      2023-06-19T06:10:47.146438181Z
destroyed          false
version            2

The output shows only the metadata, now with a deletion_time set; the data itself is no longer returned. Note that destroyed is false, which means the deleted data can be recovered if the deletion was unintentional, using vault kv undelete.

vault kv undelete -mount=secret -versions=2 hello
Success! Data written to: secret/undelete/hello

Now, the data has been restored.

vault kv get -mount=secret hello
== Secret Path ==
secret/data/hello

======= Metadata =======
Key                Value
---                -----
created_time       2023-06-19T05:49:45.203881375Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

===== Data =====
Key        Value
---        -----
excited    yes
foo        world
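
The JSON output from section 2 and the delete/undelete behaviour from section 3 meet in scripts: a script that reads .data.data.<field> from a soft-deleted version gets no real value back. The following is an added example, not code from the original post or from Vault; the function names are hypothetical, the sample documents are constructed from the metadata tables above, and the JSON encoding of a deleted version (null data, empty deletion_time when live) is an assumption.

```python
import json

# Constructed samples shaped like `vault kv get -format=json` output. The
# null "data" and empty "deletion_time" encodings are assumptions.
LIVE = json.dumps({"data": {
    "data": {"excited": "yes", "foo": "world"},
    "metadata": {"created_time": "2023-06-19T05:49:45.203881375Z",
                 "custom_metadata": None, "deletion_time": "",
                 "destroyed": False, "version": 2}}})
SOFT_DELETED = json.dumps({"data": {
    "data": None,
    "metadata": {"created_time": "2023-06-19T05:49:45.203881375Z",
                 "custom_metadata": None,
                 "deletion_time": "2023-06-19T06:10:47.146438181Z",
                 "destroyed": False, "version": 2}}})


class SecretUnavailable(Exception):
    """Raised when the requested version carries no readable data."""


def version_state(doc):
    """Classify a KV v2 version as 'live', 'deleted' or 'destroyed'."""
    meta = doc["data"]["metadata"]
    if meta.get("destroyed"):
        return "destroyed"
    if meta.get("deletion_time") or doc["data"].get("data") is None:
        return "deleted"
    return "live"


def read_field(raw_json, field):
    """Return one field's value; never hand back a null placeholder."""
    doc = json.loads(raw_json)
    state = version_state(doc)
    version = doc["data"]["metadata"]["version"]
    if state == "destroyed":
        raise SecretUnavailable(f"version {version} is destroyed")
    if state == "deleted":
        # Soft delete: the page shows this is recoverable.
        raise SecretUnavailable(
            f"version {version} is deleted; recover it with "
            f"vault kv undelete -versions={version}")
    data = doc["data"]["data"]
    if field not in data:
        raise SecretUnavailable(f"field {field!r} not in version {version}")
    return data[field]
```

In a pipeline, feed it the captured output of vault kv get -mount=secret -format=json hello and treat SecretUnavailable as a hard failure rather than continuing with an empty credential.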

Origin blog.csdn.net/zhengzaifeidelushang/article/details/131287041