HashiCorp Certified: Vault Associate Certification

Compare and Configure Secrets Engines

Demo KeyValue KV Version 1 Secrets Engine

In this guide, you’ll explore how to enable and manage the Key/Value (KV) version 1 secrets engine in HashiCorp Vault. You will learn to list existing secrets engines, mount a new KV engine, perform CRUD operations on secrets, and filter JSON output with jq.

1. List Enabled Secrets Engines

Run the following command to see which secrets engines are mounted:

vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_9c6c2ca2    Per-token private secret storage
identity/     identity     identity_e55fbf01     Identity store
sys/          system       system_ae43616e       System endpoints for control, policy, and debugging
transit/      transit      transit_5bb3af5e      n/a

2. Enable a KV Version 1 Secrets Engine

By default, enabling kv without a -version flag mounts version 1. Mount it at the path training:

vault secrets enable -path=training kv

Success! You should see:

Enabled the kv secrets engine at: training/

Verify the new mount:

vault secrets list
Path         Type    Accessor       Description
----         ----    --------       -----------
training/    kv      kv_1d131683    n/a

Note

If you need KV version 2 (with versioning, metadata, and rollback), use -version=2.

3. Verify the Engine Version

Use --detailed to confirm the KV engine version:

vault secrets list --detailed

Look for an empty Options map (map[]), which indicates KV v1:

Path        Plugin  Accessor       Options
----        ------  --------       -------
training/   kv      kv_1d131683    map[]

4. Write and Read Secrets

Write a secret at training/apps/jenkins:

vault kv put training/apps/jenkins apikey=secret123

Read it back:

vault kv get training/apps/jenkins

Output:

Key      Value
---      -----
apikey   secret123

5. Update Secrets

Writing to the same path replaces existing data:

vault kv put training/apps/jenkins apikey=newsecret456
vault kv get training/apps/jenkins

Result:

Key      Value
---      -----
apikey   newsecret456

6. Write Multiple Key/Value Pairs

You can include several pairs in one command:

vault kv put training/apps/jenkins apikey=secret789 user=vault-admin
vault kv get training/apps/jenkins

Result:

Key      Value
---      -----
apikey   secret789
user     vault-admin

7. Filter JSON Output with jq

Retrieve secret data in JSON:

vault kv get -format=json training/apps/jenkins

Sample output:

{
  "request_id": "...",
  "data": {
    "apikey": "secret789",
    "user": "vault-admin"
  }
}

Extract fields:

vault kv get -format=json training/apps/jenkins \
  | jq -r '.data.apikey'
# secret789
vault kv get -format=json training/apps/jenkins \
  | jq -r '.data.user'
# vault-admin
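
Because a KV v1 put replaces the whole secret (step 5), changing one field means reading the current fields in the JSON shape shown above, merging, and writing everything back. The following added example is not part of the original guide: it wraps the vault CLI in Python, the function names and the injectable run parameter are assumptions made for illustration, and it sends the payload to vault kv put on stdin through a lone - argument instead of key=value arguments.

```python
import json
import subprocess


def merge_kv1(get_output: str, updates: dict) -> dict:
    """Merge updates into the fields returned by `vault kv get -format=json`.

    KV v1 keeps the secret's fields directly under the top-level "data" key.
    """
    current = json.loads(get_output).get("data") or {}
    if not isinstance(current, dict):
        raise ValueError("unexpected KV v1 response: 'data' is not an object")
    return {**current, **updates}


def kv1_update(path: str, updates: dict, run=subprocess.run) -> dict:
    """Read-merge-write one KV v1 secret through the vault CLI.

    `run` is injectable (an assumption of this example) so the logic can be
    exercised without a Vault server. KV v1 has no check-and-set, so a
    concurrent writer can still be overwritten between the read and the write.
    """
    got = run(["vault", "kv", "get", "-format=json", path],
              capture_output=True, text=True, check=True)
    merged = merge_kv1(got.stdout, updates)
    # A lone "-" makes the CLI read the whole payload as JSON from stdin, so
    # secret values never appear in argv, shell history or the process list.
    run(["vault", "kv", "put", path, "-"],
        input=json.dumps(merged), text=True, check=True)
    return merged


# Constructed sample: the KV v1 JSON shape shown in step 7.
SAMPLE_GET = ('{"request_id": "...", '
              '"data": {"apikey": "secret789", "user": "vault-admin"}}')

if __name__ == "__main__":
    # Rotating only apikey keeps user, unlike `vault kv put ... apikey=...`.
    print(sorted(merge_kv1(SAMPLE_GET, {"apikey": "rotated"})))
```
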

8. Delete Secrets

Warning

In KV v1, deleting a secret permanently removes it—no version history is kept.

vault kv delete training/apps/jenkins
vault kv get training/apps/jenkins

You should see:

No value found at training/apps/jenkins

9. List Keys in a Path

First, add a couple of secrets:

vault kv put training/apps/jenkins abc=123
vault kv put training/apps/azuredevops user=administrator

List subpaths under training/apps:

vault kv list training/apps
Keys
azuredevops/
jenkins/

To list only data keys (no trailing slash):

vault kv list training/apps/
Keys
azuredevops
jenkins

Conclusion

You’ve now learned how to:

  • Mount the KV version 1 secrets engine
  • Write, read, update, and delete secrets
  • List secrets and filter JSON output

For KV version 2 features like versioning and rollback, see the HashiCorp Vault KV Secrets Engine documentation.
