---
layout: docs
page_title: secrets disable - Command
description: |-
  The "secrets disable" command disables an secrets engine at a given PATH. The
  argument corresponds to the enabled PATH of the engine, not the TYPE! All
  secrets created by this engine are revoked and its Vault data is removed.
---

# secrets disable

The `secrets disable` command disables an secrets engine at a given PATH. The
argument corresponds to the enabled PATH of the engine, not the TYPE! All
secrets created by this engine are revoked and its Vault data is removed.

When a secrets engine is disabled, **all secrets generated via the secrets
engine are immediately revoked.** Care should be taken when disabling a
secret mount with a large number of secrets, as it can cause a high load on
the system during revocation time.

## Examples

Disable the secrets engine enabled at aws/:

```shell-session
$ vault secrets disable aws/
```

## Usage

There are no flags beyond the [standard set of flags](/vault/docs/commands)
included on all commands.

## Force Disable

Because `secrets disable` revokes secrets associated with this mount, possible
errors can prevent the secrets engine from being disabled if the revocation
fails.

The best way to resolve this is to figure out the underlying issue and then
disable the secrets engine once the underlying issue is resolved. Often, this
can be as simple as increasing the timeout (in the event of timeout errors).

For recovery situations where the secret was manually removed from the
secrets backing service, one can force a secrets engine disable in Vault by
performing a [prefix force revoke](/vault/docs/commands/lease/revoke) on the mount
prefix, followed by a `secrets disable` when that completes. 
If the underlying secrets were not manually cleaned up, this method might result
in dangling credentials. This is meant for extreme circumstances.