open-vault/website/source/docs/secrets/generic/index.html.md

---
layout: "docs"
page_title: "Secret Backend: Generic"
sidebar_current: "docs-secrets-generic"
description: |-
  The generic secret backend can store arbitrary secrets.
---

# Generic Secret Backend

Name: `generic`

The generic secret backend is used to store arbitrary secrets within
the configured physical storage for Vault. If you followed along with
the getting started guide, you interacted with a generic secret backend
via the `secret/` prefix that Vault mounts by default. You can mount as many
of these backends at different mount points as you like.

Writing to a key in the `generic` backend will replace the old value;
sub-fields are not merged together.

This backend honors the distinction between the `create` and `update`
capabilities inside ACL policies.

**Note**: Path and key names are _not_ obfuscated or encrypted; only the values
set on keys are. You should not store sensitive information as part of a
secret's path.

## Quick Start

The generic backend allows for writing keys with arbitrary values. When data is
returned, the `lease_duration` field (in the API JSON) or `refresh_interval`
field (on the CLI) gives a hint as to how often a reader should look for a new
value. This comes from the value of the `default_lease_ttl` set on the mount,
or the system value.

There is one piece of special data handling: if a `ttl` key is provided, it
will be treated as normal data, but on read the backend will attempt to parse
it as a duration (either as a string like `1h` or an integer number of seconds
like `3600`). If successful, the backend will use this value in place of the
normal `lease_duration`. However, the given value will also still be returned
exactly as specified, so you are free to use that key in any way that you like
if it fits your input data.

As an example, we can write a new key "foo" to the generic backend mounted at
"secret/" by default:

```
$ vault write secret/foo \
    zip=zap \
    ttl=1h
Success! Data written to: secret/foo
```

This writes the key with the "zip" field set to "zap" and a one hour TTL.
We can test this by doing a read:

```
$ vault read secret/foo
Key               Value
---               -----
refresh_interval  3600
ttl               1h
zip               zap
```

As expected, we get the values previously set back as well as our custom TTL
both as specified and translated to seconds. The duration has been set to 3600
seconds (one hour) as specified.

## API

#### GET

<dl class="api">
  <dt>Description</dt>
  <dd>
    Retrieves the secret at the specified location.
  </dd>

  <dt>Method</dt>
  <dd>GET</dd>

  <dt>URL</dt>
  <dd>`/secret/<path>`</dd>

  <dt>Parameters</dt>
  <dd>
     None
  </dd>

  <dt>Returns</dt>
  <dd>

  ```javascript
  {
    "auth": null,
    "data": {
      "foo": "bar"
    },
    "lease_duration": 2764800,
    "lease_id": "",
    "renewable": false
  }
  ```

  </dd>
</dl>

#### LIST

<dl class="api">
  <dt>Description</dt>
  <dd>
    Returns a list of key names at the specified location. Folders are
    suffixed with `/`. The input must be a folder; list on a file will not
    return a value. Note that no policy-based filtering is performed on keys;
    do not encode sensitive information in key names. The values themselves
    are not accessible via this command.
  </dd>

  <dt>Method</dt>
  <dd>LIST/GET</dd>

  <dt>URL</dt>
  <dd>`/secret/<path>` (LIST) or `/secret/<path>?list=true` (GET)</dd>

  <dt>Parameters</dt>
  <dd>
     None
  </dd>

  <dt>Returns</dt>
  <dd>
  The example below shows output for a query path of `secret/` when there are
  secrets at `secret/foo` and `secret/foo/bar`; note the difference in the two
  entries.

  ```javascript
  {
    "auth": null,
    "data": {
      "keys": ["foo", "foo/"]
    },
    "lease_duration": 2764800,
    "lease_id": "",
    "renewable": false
  }
  ```

  </dd>
</dl>

#### POST/PUT

<dl class="api">
  <dt>Description</dt>
  <dd>
    Stores a secret at the specified location. If the value does not yet exist,
    the calling token must have an ACL policy granting the `create` capability.
    If the value already exists, the calling token must have an ACL policy
    granting the `update` capability.
  </dd>

  <dt>Method</dt>
  <dd>POST/PUT</dd>

  <dt>URL</dt>
  <dd>`/secret/<path>`</dd>

  <dt>Parameters</dt>
  <dd>
    <ul>
      <li>
        <span class="param">(key)</span>
        <span class="param-flags">optional</span>
        A key, paired with an associated value, to be held at the given
        location. Multiple key/value pairs can be specified, and all will be
        returned on a read operation. A key called `ttl` will trigger some
        special behavior; see above for details.
      </li>
    </ul>
  </dd>

  <dt>Returns</dt>
  <dd>
  A `204` response code.
  </dd>
</dl>

#### DELETE

<dl class="api">
  <dt>Description</dt>
  <dd>
    Deletes the secret at the specified location.
  </dd>

  <dt>Method</dt>
  <dd>DELETE</dd>

  <dt>URL</dt>
  <dd>`/secret/<path>`</dd>

  <dt>Parameters</dt>
  <dd>
     None
  </dd>

  <dt>Returns</dt>
  <dd>
  A `204` response code.
  </dd>
</dl>
website: add a couple more secret backend sections 2015-04-14 00:56:59 +00:00			`---`
			`layout: "docs"`
			`page_title: "Secret Backend: Generic"`
			`sidebar_current: "docs-secrets-generic"`
			`description: \|-`
			`The generic secret backend can store arbitrary secrets.`
			`---`

			`# Generic Secret Backend`

			Name: `generic`

			`The generic secret backend is used to store arbitrary secrets within`
			`the configured physical storage for Vault. If you followed along with`
			`the getting started guide, you interacted with a generic secret backend`
Add API endpoint documentation to generic 2015-09-21 15:22:48 +00:00			via the `secret/` prefix that Vault mounts by default. You can mount as many
			`of these backends at different mount points as you like.`
website: add a couple more secret backend sections 2015-04-14 00:56:59 +00:00
Updates and documentation 2016-01-14 19:18:27 +00:00			Writing to a key in the `generic` backend will replace the old value;
Add API endpoint documentation to generic 2015-09-21 15:22:48 +00:00			`sub-fields are not merged together.`
website: Document overwrite behavior. Fixes #182 2015-05-11 17:58:21 +00:00
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			This backend honors the distinction between the `create` and `update`
			`capabilities inside ACL policies.`

Documentation update around path/key name encryption. Make it clear that path/key names in generic are not encrypted. Fixes #697 2015-10-29 15:21:40 +00:00			`Note: Path and key names are _not_ obfuscated or encrypted; only the values`
			`set on keys are. You should not store sensitive information as part of a`
			`secret's path.`

website: add a couple more secret backend sections 2015-04-14 00:56:59 +00:00			`## Quick Start`

Don't check parsability of a `ttl` key on write. On read we already ignore bad values, so we shouldn't be restricting this on write; doing so alters expected data-in-data-out behavior. In addition, don't issue a warning if a given `ttl` value can't be parsed, as this can quickly get annoying if it's on purpose. The documentation has been updated/clarified to make it clear that this is optional behavior that doesn't affect the status of the key as POD and the `lease_duration` returned will otherwise default to the system/mount defaults. Fixes #1505 2016-06-09 00:14:36 +00:00			`The generic backend allows for writing keys with arbitrary values. When data is`
			returned, the `lease_duration` field (in the API JSON) or `refresh_interval`
			`field (on the CLI) gives a hint as to how often a reader should look for a new`
			value. This comes from the value of the `default_lease_ttl` set on the mount,
			`or the system value.`

			There is one piece of special data handling: if a `ttl` key is provided, it
			`will be treated as normal data, but on read the backend will attempt to parse`
			it as a duration (either as a string like `1h` or an integer number of seconds
			like `3600`). If successful, the backend will use this value in place of the
			normal `lease_duration`. However, the given value will also still be returned
			`exactly as specified, so you are free to use that key in any way that you like`
			`if it fits your input data.`
Change "lease" parameter in the generic backend to be "ttl" to reduce confusion. "lease" is now deprecated but will remain valid until 0.4. Fixes #528. 2015-08-20 23:41:25 +00:00
Some generic docs updates 2016-03-18 13:57:21 +00:00			`As an example, we can write a new key "foo" to the generic backend mounted at`
			`"secret/" by default:`
website: quickstart for generic 2015-04-27 02:14:41 +00:00
			```
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`$ vault write secret/foo \`
			`zip=zap \`
			`ttl=1h`
website: quickstart for generic 2015-04-27 02:14:41 +00:00			`Success! Data written to: secret/foo`
			```

Add API endpoint documentation to generic 2015-09-21 15:22:48 +00:00			`This writes the key with the "zip" field set to "zap" and a one hour TTL.`
			`We can test this by doing a read:`
website: quickstart for generic 2015-04-27 02:14:41 +00:00
			```
			`$ vault read secret/foo`
Don't check parsability of a `ttl` key on write. On read we already ignore bad values, so we shouldn't be restricting this on write; doing so alters expected data-in-data-out behavior. In addition, don't issue a warning if a given `ttl` value can't be parsed, as this can quickly get annoying if it's on purpose. The documentation has been updated/clarified to make it clear that this is optional behavior that doesn't affect the status of the key as POD and the `lease_duration` returned will otherwise default to the system/mount defaults. Fixes #1505 2016-06-09 00:14:36 +00:00			`Key Value`
			`--- -----`
			`refresh_interval 3600`
			`ttl 1h`
			`zip zap`
website: quickstart for generic 2015-04-27 02:14:41 +00:00			```

Don't check parsability of a `ttl` key on write. On read we already ignore bad values, so we shouldn't be restricting this on write; doing so alters expected data-in-data-out behavior. In addition, don't issue a warning if a given `ttl` value can't be parsed, as this can quickly get annoying if it's on purpose. The documentation has been updated/clarified to make it clear that this is optional behavior that doesn't affect the status of the key as POD and the `lease_duration` returned will otherwise default to the system/mount defaults. Fixes #1505 2016-06-09 00:14:36 +00:00			`As expected, we get the values previously set back as well as our custom TTL`
Some generic docs updates 2016-03-18 13:57:21 +00:00			`both as specified and translated to seconds. The duration has been set to 3600`
Add API endpoint documentation to generic 2015-09-21 15:22:48 +00:00			`seconds (one hour) as specified.`

			`## API`

			`#### GET`

			`<dl class="api">`
			`<dt>Description</dt>`
			`<dd>`
			`Retrieves the secret at the specified location.`
			`</dd>`

			`<dt>Method</dt>`
			`<dd>GET</dd>`

			`<dt>URL</dt>`
			<dd>`/secret/<path>`</dd>

			`<dt>Parameters</dt>`
			`<dd>`
			`None`
			`</dd>`

			`<dt>Returns</dt>`
			`<dd>`

			```javascript
			`{`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"auth": null,`
			`"data": {`
			`"foo": "bar"`
			`},`
Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 22:32:49 +00:00			`"lease_duration": 2764800,`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"lease_id": "",`
			`"renewable": false`
Add API endpoint documentation to generic 2015-09-21 15:22:48 +00:00			`}`
			```
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00
Add API endpoint documentation to generic 2015-09-21 15:22:48 +00:00			`</dd>`
			`</dl>`

Updates and documentation 2016-01-14 19:18:27 +00:00			`#### LIST`

			`<dl class="api">`
			`<dt>Description</dt>`
			`<dd>`
Wordsmith the docs around the `list` command. Prompted by: feedback from conference attendees at PGConf '16 2016-04-20 22:13:58 +00:00			`Returns a list of key names at the specified location. Folders are`
Only allow listing on folders and enforce this. Also remove string sorting from Consul backend as it's not a requirement and other backends don't do it. 2016-01-19 22:05:01 +00:00			suffixed with `/`. The input must be a folder; list on a file will not
Wordsmith the docs around the `list` command. Prompted by: feedback from conference attendees at PGConf '16 2016-04-20 22:13:58 +00:00			`return a value. Note that no policy-based filtering is performed on keys;`
			`do not encode sensitive information in key names. The values themselves`
			`are not accessible via this command.`
Updates and documentation 2016-01-14 19:18:27 +00:00			`</dd>`

			`<dt>Method</dt>`
Added user listing endpoint to userpass docs 2016-09-30 19:47:33 +00:00			`<dd>LIST/GET</dd>`
Updates and documentation 2016-01-14 19:18:27 +00:00
			`<dt>URL</dt>`
Added user listing endpoint to userpass docs 2016-09-30 19:47:33 +00:00			<dd>`/secret/<path>` (LIST) or `/secret/<path>?list=true` (GET)</dd>
Updates and documentation 2016-01-14 19:18:27 +00:00
			`<dt>Parameters</dt>`
			`<dd>`
			`None`
			`</dd>`

			`<dt>Returns</dt>`
			`<dd>`
			The example below shows output for a query path of `secret/` when there are
			secrets at `secret/foo` and `secret/foo/bar`; note the difference in the two
			`entries.`

			```javascript
			`{`
			`"auth": null,`
			`"data": {`
Only allow listing on folders and enforce this. Also remove string sorting from Consul backend as it's not a requirement and other backends don't do it. 2016-01-19 22:05:01 +00:00			`"keys": ["foo", "foo/"]`
Updates and documentation 2016-01-14 19:18:27 +00:00			`},`
Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 22:32:49 +00:00			`"lease_duration": 2764800,`
Updates and documentation 2016-01-14 19:18:27 +00:00			`"lease_id": "",`
			`"renewable": false`
			`}`
			```

			`</dd>`
			`</dl>`

Add API endpoint documentation to generic 2015-09-21 15:22:48 +00:00			`#### POST/PUT`

			`<dl class="api">`
			`<dt>Description</dt>`
			`<dd>`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`Stores a secret at the specified location. If the value does not yet exist,`
			the calling token must have an ACL policy granting the `create` capability.
			`If the value already exists, the calling token must have an ACL policy`
			granting the `update` capability.
Add API endpoint documentation to generic 2015-09-21 15:22:48 +00:00			`</dd>`

			`<dt>Method</dt>`
			`<dd>POST/PUT</dd>`

			`<dt>URL</dt>`
			<dd>`/secret/<path>`</dd>

			`<dt>Parameters</dt>`
			`<dd>`
			`<ul>`
			`<li>`
			`<span class="param">(key)</span>`
			`<span class="param-flags">optional</span>`
Don't check parsability of a `ttl` key on write. On read we already ignore bad values, so we shouldn't be restricting this on write; doing so alters expected data-in-data-out behavior. In addition, don't issue a warning if a given `ttl` value can't be parsed, as this can quickly get annoying if it's on purpose. The documentation has been updated/clarified to make it clear that this is optional behavior that doesn't affect the status of the key as POD and the `lease_duration` returned will otherwise default to the system/mount defaults. Fixes #1505 2016-06-09 00:14:36 +00:00			`A key, paired with an associated value, to be held at the given`
			`location. Multiple key/value pairs can be specified, and all will be`
			returned on a read operation. A key called `ttl` will trigger some
			`special behavior; see above for details.`
Add API endpoint documentation to generic 2015-09-21 15:22:48 +00:00			`</li>`
			`</ul>`
			`</dd>`

			`<dt>Returns</dt>`
			`<dd>`
			A `204` response code.
			`</dd>`
			`</dl>`
added the delete api details to generic backend documentation was missing this api description 2016-01-26 07:56:33 +00:00
			`#### DELETE`

			`<dl class="api">`
			`<dt>Description</dt>`
			`<dd>`
			`Deletes the secret at the specified location.`
			`</dd>`

			`<dt>Method</dt>`
			`<dd>DELETE</dd>`

			`<dt>URL</dt>`
			<dd>`/secret/<path>`</dd>

			`<dt>Parameters</dt>`
			`<dd>`
			`None`
			`</dd>`

			`<dt>Returns</dt>`
			`<dd>`
			A `204` response code.
			`</dd>`
			`</dl>`