Vault generic kv to v1

Hi

We have a live vault installed long ago and upgraded from time to time. It is now in version 1.7.1. But we recently found that the /secret engine type is “generic”, while all our other vaults are engine type kv (version 1). Probably the live vault was created before the engine type kv was created and never recreated, and all the others were recreated sooner or later.

The generic to kv migration was done here: Rename "generic" secret backend to "kv" by chrishoffman · Pull Request #3292 · hashicorp/vault · GitHub

We do not know what effects this engine type difference has, but we think it is safer to have everything using the same engine, especially in the long run. At the very least, it seems to limit future upgrades: failed to enable to secret versioning · Issue #9782 · hashicorp/vault · GitHub

So is there any way to convert the generic to kv, or will we have to drop that and recreate? From what I understand, we can convert kv v1 to v2.

Thanks in advance
Daniel

Hi Daniel,

AFAIK there is no way of converting any secret anything to another (save KV → KV_V2, and that’s not a conversion, it’s adding metadata/versioning to the same engine). Generic and KV are almost identical but there are differences and for any future admins that come in contact with your Vault app I would suggest exporting and importing your secrets into the proper KV engine setup as KV. There are python scripts that I have seen around that can do that for you.

Two notes if I may:

  • There are rarely any reasons to have multiple engines of the same type mounted. It sounds like you have generic and KV both mounted for different ? Unless you have metadata changes, all that can be done with paths and policies, and that is easier to manage than setting up multiple engines.
  • 1.7.1 has known bugs/issues. I would review the change logs against your use pattern. 1.7.6 is the latest version. Depending on your backend 1.8 may be even better (if using integrated storage).
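The export/import the reply recommends boils down to walking every path of the generic (kv v1) mount and writing each secret into the new kv mount. The script below is an added example, not from this thread or from HashiCorp: the walker is written against a minimal list/read/write client interface (an assumption), and the in-memory FakeKv is a constructed stand-in so it runs offline; against a real Vault you would replace FakeKv with a thin wrapper around the hvac kv v1 methods or the vault CLI, one instance per mount.

```python
"""Copy every secret from a "generic"/kv-v1 mount into a kv-v1 mount.

Added example. Both engine types expose the same API shape: LIST on a
path returns keys where a trailing "/" marks a sub-folder, and READ/WRITE
move a flat dict of key/value pairs. The walker only needs an object with
list/read/write methods (assumed interface, not hvac's own).
"""


class FakeKv:
    """Constructed in-memory stand-in for a kv-v1 mount (path -> dict)."""

    def __init__(self, data=None):
        self.data = dict(data or {})

    def list(self, path):
        # Emulate Vault's LIST: direct children only, folders end in "/".
        prefix = path.rstrip("/") + "/" if path else ""
        keys = set()
        for p in self.data:
            if not p.startswith(prefix):
                continue
            head, sep, _ = p[len(prefix):].partition("/")
            keys.add(head + "/" if sep else head)
        return sorted(keys)

    def read(self, path):
        return dict(self.data[path])

    def write(self, path, secret):
        self.data[path] = dict(secret)


def walk(kv, path=""):
    """Yield every leaf secret path under `path`, depth-first.

    A leaf and a folder may share a name in kv v1 ("app" and "app/");
    both are visited because LIST reports them as distinct keys.
    """
    for key in kv.list(path):
        child = f"{path}{key}"  # folder paths always carry their "/"
        if key.endswith("/"):
            yield from walk(kv, child)
        else:
            yield child


def migrate(src, dst):
    """Read each leaf from src and write it unchanged to dst; return count."""
    count = 0
    for path in walk(src):
        dst.write(path, src.read(path))
        count += 1
    return count
```

Run it once against the live mount with the destination pointed at a freshly enabled kv mount, then diff both trees before switching paths in policies.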

Thanks for the reply! I suspected that was the case… we will do that.

We do not have multiple engines in the same vault, but different vault setups (live, qa, staging, dev), and only the live one is still on the generic engine. As I said, probably because it is live and was never recreated since we started to use vault, and all the others were recreated sooner or later during their lifetime.

For the version, we already upgraded in dev and staging and plan to upgrade the remaining setups in the next few weeks.

Again, thanks for the help.