HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

Restore soft deleted key/value data

You can restore data from soft deletes in the kv v2 plugin as long as the destroyed metadata field for the targeted version is false.

Assumptions

  • You have set up a kv v2 plugin.
  • Your authentication token has create and update permissions for the kv v2 plugin.

Use vault kv undelete with the -versions flag to restore soft deleted version of key/value data:

$ vault kv undelete             \
   -mount <mount_path>          \
   -versions <target_versions>  \
   <secret_path>

For example:

$ vault kv undelete -mount shared -versions 1,4 dev/square-api

Success! Data deleted (if it existed) at: shared/data/dev/square-api

The deletion_time metadata field for versions 1 and 4 is now n/a:

$ vault kv metadata get -mount shared dev/square-api

======== Metadata Path ========
shared/metadata/dev/square-api

========== Metadata ==========
Key                     Value
---                     -----
cas_required            false
created_time            2024-11-13T21:51:50.898782695Z
current_version         4
custom_metadata         <nil>
delete_version_after    0s
max_versions            5
oldest_version          0
updated_time            2024-11-14T22:32:42.29534643Z

====== Version 1 ======
Key              Value
---              -----
created_time     2024-11-13T21:51:50.898782695Z
deletion_time    n/a
destroyed        false

...

====== Version 4 ======
Key              Value
---              -----
created_time     2024-11-14T22:32:42.29534643Z
deletion_time    n/a
destroyed        false
Edit this page on GitHub