f3df55ad58
* Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com>
43 lines
1.8 KiB
Plaintext
43 lines
1.8 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: KV - Secrets Engines
|
|
description: The KV secrets engine can store arbitrary secrets.
|
|
---
|
|
|
|
# KV Secrets Engine
|
|
|
|
The `kv` secrets engine is a generic Key-Value store used to store arbitrary
|
|
secrets within the configured physical storage for Vault. This backend can be
|
|
run in one of two modes; either it can be configured to store a single value
|
|
for a key or, versioning can be enabled and a configurable number of versions
|
|
for each key will be stored.
|
|
|
|
## KV Version 1
|
|
|
|
When running the `kv` secrets backend non-versioned, only the most recently
|
|
written value for a key will be preserved. The benefits of non-versioned `kv`
|
|
is a reduced storage size for each key since no additional metadata or history
|
|
is stored. Additionally, requests going to a backend configured this way will be
|
|
more performant because for any given request there will be fewer storage calls
|
|
and no locking.
|
|
|
|
More information about running in this mode can be found in the [K/V Version 1
|
|
Docs](/vault/docs/secrets/kv/kv-v1)
|
|
|
|
## KV Version 2
|
|
|
|
When running v2 of the `kv` backend a key can retain a configurable number of
|
|
versions. This defaults to 10 versions. The older versions' metadata and data
|
|
can be retrieved. Additionally, Check-and-Set operations can be used to avoid
|
|
overwriting data unintentionally.
|
|
|
|
When a version is deleted the underlying data is not removed, rather it is
|
|
marked as deleted. Deleted versions can be undeleted. To permanently remove a
|
|
version's data the destroy command or API endpoint can be used. Additionally all
|
|
versions and metadata for a key can be deleted by deleting on the metadata
|
|
command or API endpoint. Each of these operations can be ACL'ed differently,
|
|
restricting who has permissions to soft delete, undelete, or fully remove data.
|
|
|
|
More information about running in this mode can be found in the [K/V Version 2
|
|
Docs](/vault/docs/secrets/kv/kv-v2)
|