Inquiry About Secret Version Retention Policy in Vault

Hello Vault Support Team,

I have a question regarding the retention policy for secret versions in Vault. I understand that Vault retains the latest 10 versions of a secret by default. For instance, if the current version number is 100, I am able to access the secrets from versions 91 to 100.

Could you clarify whether Vault automatically and permanently removes the secrets from versions prior to 91? Or are these older versions still stored somewhere within Vault even though they are not directly accessible through normal queries?

Thank you for your assistance.


I think this page/info is what you are looking for?

A version's data is permanently deleted only when the key has more versions than are 
allowed by the max-versions setting, or when using vault kv destroy. When the destroy 
command is used the underlying version data will be removed and the key metadata will be 
marked as destroyed. If a version is cleaned up by going over max-versions the version 
metadata will also be removed from the key.

Thanks Jonathan! That’s truly helpful!

1 Like