open-vault/website/source/docs/secrets/kv/index.html.md

---
layout: "docs"
page_title: "KV - Secrets Engines"
sidebar_current: "docs-secrets-kv"
description: |-
  The KV secrets engine can store arbitrary secrets.
---

# KV Secrets Engine

The `kv` secrets engine is used to store arbitrary secrets within the
configured physical storage for Vault.

Writing to a key in the `kv` backend will replace the old value; sub-fields are
not merged together.

Key names must always be strings. If you write non-string values directly via
the CLI, they will be converted into strings. However, you can preserve
non-string values by writing the key/value pairs to Vault from a JSON file or
using the HTTP API. 

This secrets engine honors the distinction between the `create` and `update`
capabilities inside ACL policies.

~> **Note**: Path and key names are _not_ obfuscated or encrypted; only the
values set on keys are. You should not store sensitive information as part of a
secret's path.

## Setup

Most secrets engines must be configured in advance before they can perform their
functions. These steps are usually completed by an operator or configuration
management tool.

The `kv` secrets engine is enabled by default at the path `secret/`. It can
be disabled, moved, or enabled multiple times at different paths. Each instance
of the KV secrets engine is isolated and unique.

## Usage

After the secrets engine is configured and a user/machine has a Vault token with
the proper permission, it can generate credentials. The `kv` secrets engine
allows for writing keys with arbitrary values.

1. Write arbitrary data:

    ```text
    $ vault write secret/my-secret my-value=s3cr3t
    Success! Data written to: secret/my-secret
    ```

1. Read arbitrary data:

    ```text
    $ vault read secret/my-secret
    Key                 Value
    ---                 -----
    refresh_interval    768h
    my-value            s3cr3t
    ```

## TTLs

Unlike other secrets engines, the KV secrets engine does not enforce TTLs
for expiration. Instead, the `lease_duration` is a hint for how often consumers
should check back for a new value. This is commonly displayed as
`refresh_interval` instead of `lease_duration` to clarify this in output.

If provided a key of `ttl`, the KV secrets engine will utilize this value
as the lease duration:

```text
$ vault write secret/my-secret ttl=30m my-value=s3cr3t
Success! Data written to: secret/my-secret
```

Even will a `ttl` set, the secrets engine _never_ removes data on its own. The
`ttl` key is merely advisory.

When reading a value with a `ttl`, both the `ttl` key _and_ the refresh interval
will reflect the value:

```text
$ vault read secret/my-secret
Key                 Value
---                 -----
refresh_interval    30m
my-value            s3cr3t
ttl                 30m
```

## API

The KV secrets engine has a full HTTP API. Please see the
[KV secrets engine API](/api/secret/kv/index.html) for more
details.
website: add a couple more secret backend sections 2015-04-14 00:56:59 +00:00			`---`
			`layout: "docs"`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`page_title: "KV - Secrets Engines"`
Rename "generic" secret backend to "kv" (#3292) 2017-09-15 13:02:29 +00:00			`sidebar_current: "docs-secrets-kv"`
website: add a couple more secret backend sections 2015-04-14 00:56:59 +00:00			`description: \|-`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`The KV secrets engine can store arbitrary secrets.`
website: add a couple more secret backend sections 2015-04-14 00:56:59 +00:00			`---`

Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`# KV Secrets Engine`
website: add a couple more secret backend sections 2015-04-14 00:56:59 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			The `kv` secrets engine is used to store arbitrary secrets within the
			`configured physical storage for Vault.`
website: add a couple more secret backend sections 2015-04-14 00:56:59 +00:00
Merge branch 'master-oss' into sethvargo/cli-magic 2018-01-03 19:02:31 +00:00			Writing to a key in the `kv` backend will replace the old value; sub-fields are
			`not merged together.`
website: add a couple more secret backend sections 2015-04-14 00:56:59 +00:00
Merge branch 'master-oss' into sethvargo/cli-magic 2018-01-03 19:02:31 +00:00			`Key names must always be strings. If you write non-string values directly via`
			`the CLI, they will be converted into strings. However, you can preserve`
			`non-string values by writing the key/value pairs to Vault from a JSON file or`
			`using the HTTP API.`
website: add a couple more secret backend sections 2015-04-14 00:56:59 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			This secrets engine honors the distinction between the `create` and `update`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`capabilities inside ACL policies.`

Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`~> Note: Path and key names are _not_ obfuscated or encrypted; only the`
			`values set on keys are. You should not store sensitive information as part of a`
Documentation update around path/key name encryption. Make it clear that path/key names in generic are not encrypted. Fixes #697 2015-10-29 15:21:40 +00:00			`secret's path.`

Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`## Setup`
website: add a couple more secret backend sections 2015-04-14 00:56:59 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`Most secrets engines must be configured in advance before they can perform their`
			`functions. These steps are usually completed by an operator or configuration`
			`management tool.`
Don't check parsability of a `ttl` key on write. On read we already ignore bad values, so we shouldn't be restricting this on write; doing so alters expected data-in-data-out behavior. In addition, don't issue a warning if a given `ttl` value can't be parsed, as this can quickly get annoying if it's on purpose. The documentation has been updated/clarified to make it clear that this is optional behavior that doesn't affect the status of the key as POD and the `lease_duration` returned will otherwise default to the system/mount defaults. Fixes #1505 2016-06-09 00:14:36 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			The `kv` secrets engine is enabled by default at the path `secret/`. It can
			`be disabled, moved, or enabled multiple times at different paths. Each instance`
			`of the KV secrets engine is isolated and unique.`
Change "lease" parameter in the generic backend to be "ttl" to reduce confusion. "lease" is now deprecated but will remain valid until 0.4. Fixes #528. 2015-08-20 23:41:25 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`## Usage`
Update/clarify docs on generic backend ttl. Ping #2697 2017-05-09 13:56:09 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`After the secrets engine is configured and a user/machine has a Vault token with`
			the proper permission, it can generate credentials. The `kv` secrets engine
			`allows for writing keys with arbitrary values.`
website: quickstart for generic 2015-04-27 02:14:41 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`1. Write arbitrary data:`
website: quickstart for generic 2015-04-27 02:14:41 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			```text
			`$ vault write secret/my-secret my-value=s3cr3t`
			`Success! Data written to: secret/my-secret`
			```
website: quickstart for generic 2015-04-27 02:14:41 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`1. Read arbitrary data:`

			```text
			`$ vault read secret/my-secret`
			`Key Value`
			`--- -----`
			`refresh_interval 768h`
			`my-value s3cr3t`
			```

			`## TTLs`

			`Unlike other secrets engines, the KV secrets engine does not enforce TTLs`
			for expiration. Instead, the `lease_duration` is a hint for how often consumers
			`should check back for a new value. This is commonly displayed as`
			`refresh_interval` instead of `lease_duration` to clarify this in output.

			If provided a key of `ttl`, the KV secrets engine will utilize this value
			`as the lease duration:`

			```text
			`$ vault write secret/my-secret ttl=30m my-value=s3cr3t`
			`Success! Data written to: secret/my-secret`
website: quickstart for generic 2015-04-27 02:14:41 +00:00			```

Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			Even will a `ttl` set, the secrets engine _never_ removes data on its own. The
			`ttl` key is merely advisory.

			When reading a value with a `ttl`, both the `ttl` key _and_ the refresh interval
			`will reflect the value:`

			```text
			`$ vault read secret/my-secret`
			`Key Value`
			`--- -----`
			`refresh_interval 30m`
			`my-value s3cr3t`
			`ttl 30m`
			```
Add API endpoint documentation to generic 2015-09-21 15:22:48 +00:00
			`## API`

Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`The KV secrets engine has a full HTTP API. Please see the`
			`[KV secrets engine API](/api/secret/kv/index.html) for more`
Break out API documentation for secret backends 2017-03-09 02:47:35 +00:00			`details.`