Inquiry About Secret Version Retention Policy in Vault

Hello Vault Support Team,

I have a question regarding the retention policy for secret versions in Vault. I understand that Vault retains the latest 10 versions of a secret by default. For instance, if the current version number is 100, I am able to access the secrets from versions 91 to 100.

Could you clarify whether Vault automatically and permanently removes the secrets from versions prior to 91? Or are these older versions still stored somewhere within Vault even though they are not directly accessible through normal queries?

Thank you for your assistance.

Hello,

I think this page/info is what you are looking for?

A version's data is permanently deleted only when the key has more versions than are allowed by the max-versions setting, or when using vault kv destroy. When the destroy command is used the underlying version data will be removed and the key metadata will be marked as destroyed. If a version is cleaned up by going over max-versions the version metadata will also be removed from the key.
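To make the distinction in that passage concrete, here is an added illustration (not Vault's code, and not from the original thread): a simplified Python model of a KV v2 key with the two separate stores the docs describe, version data and version metadata. The class and field names are hypothetical; it reproduces the question's scenario of 100 writes under the default of 10 retained versions, followed by a destroy of version 95.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added illustration: a simplified model of KV v2 version retention
# (hypothetical; not Vault's implementation). Two independent stores mirror
# the docs' distinction between a version's *data* and its *metadata*.

@dataclass
class KvKey:
    max_versions: int = 10            # Vault's default when max-versions is unset
    current_version: int = 0
    data: Dict[int, dict] = field(default_factory=dict)      # version -> secret payload
    metadata: Dict[int, dict] = field(default_factory=dict)  # version -> {"destroyed": bool}

    def put(self, secret: dict) -> int:
        """Write a new version; prune oldest versions once max_versions is exceeded."""
        self.current_version += 1
        v = self.current_version
        self.data[v] = secret
        self.metadata[v] = {"destroyed": False}
        # Going over max-versions removes the oldest version's data AND its metadata.
        while len(self.metadata) > self.max_versions:
            oldest = min(self.metadata)
            self.data.pop(oldest, None)
            del self.metadata[oldest]
        return v

    def destroy(self, version: int) -> None:
        """Model of `vault kv destroy`: drop the data, keep metadata marked destroyed."""
        if version in self.metadata:
            self.data.pop(version, None)
            self.metadata[version]["destroyed"] = True

    def get(self, version: int) -> Optional[dict]:
        return self.data.get(version)

    def retained_versions(self) -> List[int]:
        return sorted(self.metadata)


def scenario() -> KvKey:
    """The question's case: 100 writes with the default of 10 versions, then destroy 95."""
    key = KvKey()
    for i in range(1, 101):
        key.put({"password": f"constructed-secret-{i}"})  # constructed sample payloads
    key.destroy(95)
    return key
```

After `scenario()`, versions 1 to 90 are absent from both stores, version 95 keeps a metadata entry flagged destroyed with no readable data, and versions 91 to 100 (minus 95) remain readable. Soft deletion via `vault kv delete`, which is recoverable with `vault kv undelete`, is a separate mechanism not modelled here.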

Thanks Jonathan! That’s truly helpful!
