Skip to content
Latchkey

vault kv delete: Delete KV Secret Versions

vault kv delete soft-deletes the latest (or specified) version of a KV v2 secret, leaving it recoverable until destroyed.

On KV v2, delete is reversible: it marks a version deleted but keeps the data until you destroy it. Knowing the delete vs destroy vs metadata-delete distinction avoids surprises in cleanup jobs.

What it does

vault kv delete soft-deletes a KV v2 secret version. The data remains and can be brought back with vault kv undelete. To remove the data permanently use vault kv destroy; to remove the secret and all its versions and metadata use vault kv metadata delete.

Common usage

Terminal
vault kv delete secret/ci/db
# delete specific versions
vault kv delete -versions=2,3 secret/ci/db
# permanently destroy a version
vault kv destroy -versions=2 secret/ci/db

Options

FlagWhat it does
-versions=<n,m>Soft-delete specific versions instead of the latest
-mount=<name>Specify the KV v2 mount explicitly

In CI

Use vault kv delete for reversible cleanup and vault kv destroy only when the data must be gone. A cleanup job that deletes the latest version but expects the secret to disappear is wrong: readers can still see older versions and undelete is possible. Use metadata delete to fully remove a secret.

Common errors in CI

"permission denied" means the policy lacks the delete capability on secret/data/... (or update on secret/delete/...). A delete that "did nothing" is usually a KV v1 mount where delete is permanent and -versions is unsupported; check the mount version with vault secrets list -detailed.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →