Store static secrets properly — versioned keys, metadata, soft deletes you can undo, and the difference between KV v1 and v2 that trips everyone up.
Why: Vault organizes everything by PATH, and each path prefix is served by a secrets engine — a pluggable backend. The KV (key-value) engine stores static secrets; later engines generate dynamic ones. Everything you do is "act on a path", and which engine is mounted there decides what happens.
secret/ ──▶ KV engine (static key-value secrets)
database/ ──▶ database engine (generates DB credentials on demand)
transit/ ──▶ transit engine (encryption as a service)
(a "secrets engine" is mounted at a path and decides what that path does)

Why: the dev server pre-mounts KV at secret/, but on a real server you enable engines yourself. KV version 2 adds versioning and soft deletes over v1 — always prefer v2. Mount it at a path of your choosing; everything under that path is now versioned KV.
Enable KV version 2 at the path "kv"
vault secrets enable -version=2 -path=kv kv
List mounted secrets engines
vault secrets list

Why: with KV v2, each write creates a new VERSION rather than overwriting — so you can read or roll back to an earlier value. Write twice, then read a specific version. This is how you recover from a bad rotation or see what a secret used to be.
Two writes create version 1, then version 2
vault kv put kv/db password=old
vault kv put kv/db password=new
Read the current version
vault kv get kv/db
Read a specific older version
vault kv get -version=1 kv/db

Why: KV v2 deletes are reversible by default — delete marks a version as deleted but keeps its data, so you can undelete a mistake. destroy removes a version's data permanently; metadata delete wipes the key and all its versions. The graduated danger (delete → undelete → destroy) is a safety feature.
Soft-delete the latest version (recoverable)
vault kv delete kv/db
Bring it back
vault kv undelete -versions=2 kv/db
Permanently destroy a version's data
vault kv destroy -versions=1 kv/db

Why: every secret carries metadata — how many versions exist, when each was created, and which are deleted. vault kv metadata shows it, useful for auditing and for setting limits like max versions to keep. The data and its history are managed separately.
See all versions and their state
vault kv metadata get kv/db
Cap how many versions are retained
vault kv metadata put -max-versions=5 kv/db
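Added example, not part of the original page: a guarded rotation script that ties the steps above together. It records the current version from vault kv metadata get, writes the new value, reads it back, and if the stored value is not what was written, restores the previous data with vault kv rollback (a KV v2 command not shown above). It assumes the vault CLI is on PATH with VAULT_ADDR and VAULT_TOKEN set, and that the kv mount and kv/db secret from the steps above exist.

```shell
#!/bin/sh
# Added example (not from the original page): guarded password rotation on a KV v2 mount.
# Assumes: the vault CLI is on PATH and VAULT_ADDR / VAULT_TOKEN point at a server where
# the "kv" mount and the kv/db secret from the steps above already exist.

# Extract "current_version" from `vault kv metadata get -format=json` output.
# The JSON is pretty-printed one key per line, so sed is enough and jq is not needed.
current_version_from_json() {
  sed -n 's/^[[:space:]]*"current_version":[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# kv_rotate PATH KEY NEWVALUE
# 1. remember the version that is current before anything is touched
# 2. write the new value (creates a new version; KV v2 keeps the old one)
# 3. read it back; if the stored value is not what was written, roll back
# Caveat: `vault kv put` replaces the whole data map, so any other keys at PATH
# must be passed too (or use `vault kv patch` on Vault releases that have it).
kv_rotate() {
  kv_path=$1; kv_key=$2; kv_new=$3
  kv_old_ver=$(vault kv metadata get -format=json "$kv_path" | current_version_from_json)
  if [ -z "$kv_old_ver" ]; then
    echo "could not read current version of $kv_path" >&2
    return 1
  fi
  vault kv put "$kv_path" "$kv_key=$kv_new" >/dev/null
  kv_got=$(vault kv get -field="$kv_key" "$kv_path")
  if [ "$kv_got" != "$kv_new" ]; then
    # `vault kv rollback` writes a NEW version whose data equals the given version,
    # so the bad write stays in history for inspection but is no longer current.
    vault kv rollback -version="$kv_old_ver" "$kv_path" >/dev/null
    echo "rotation of $kv_path/$kv_key failed; restored data of version $kv_old_ver" >&2
    return 1
  fi
  echo "rotated $kv_path/$kv_key (version $kv_old_ver remains available for rollback)"
}

# Stand-alone use against a real server: sh rotate.sh kv/db password 'new-value'
if [ $# -eq 3 ] && command -v vault >/dev/null 2>&1; then
  kv_rotate "$@"
fi
```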