HashiCorp Certified: Vault Associate Certification
Compare and Configure Secrets Engines
Demo KeyValue KV Version 1 Secrets Engine
In this guide, you’ll explore how to enable and manage the Key/Value (KV) version 1 secrets engine in HashiCorp Vault. You will learn to list existing secrets engines, mount a new KV engine, perform CRUD operations on secrets, and filter JSON output with jq.
1. List Enabled Secrets Engines
Run the following command to see which secrets engines are mounted:
vault secrets list
| Path | Type | Accessor | Description |
|---|---|---|---|
| cubbyhole/ | cubbyhole | cubbyhole_9c6c2ca2 | Per-token private secret storage |
| identity/ | identity | identity_e55fbf01 | Identity store |
| sys/ | system | system_ae43616e | System endpoints for control, policy, and debugging |
| transit/ | transit | transit_5bb3af5e | n/a |
2. Enable a KV Version 1 Secrets Engine
By default, kv enables version 1. Mount it at the path training:
vault secrets enable -path=training kv
Success! You should see:
Enabled the kv secrets engine at: training/
Verify the new mount:
vault secrets list
| Path | Type | Accessor | Description |
|---|---|---|---|
| training/ | kv | kv_1d131683 | n/a |
| … | … | … | … |
Note
If you need KV version 2 (with versioning, metadata, and rollback), use -version=2.
3. Verify the Engine Version
Use --detailed to confirm the KV engine version:
vault secrets list --detailed
Look for an empty Options map (map[]), which indicates KV v1:
Path Plugin Accessor Options
---- ------ -------- -------
training/ kv kv_1d131683 map[]
4. Write and Read Secrets
Write a secret at training/apps/jenkins:
vault kv put training/apps/jenkins apikey=secret123
Read it back:
vault kv get training/apps/jenkins
Output:
Key Value
--- -----
apikey secret123
5. Update Secrets
Writing to the same path replaces existing data:
vault kv put training/apps/jenkins apikey=newsecret456
vault kv get training/apps/jenkins
Result:
Key Value
--- -----
apikey newsecret456
6. Write Multiple Key/Value Pairs
You can include several pairs in one command:
vault kv put training/apps/jenkins apikey=secret789 user=vault-admin
vault kv get training/apps/jenkins
Result:
Key Value
--- -----
apikey secret789
user vault-admin
7. Filter JSON Output with jq
Retrieve secret data in JSON:
vault kv get -format=json training/apps/jenkins
Sample output:
{
"request_id": "...",
"data": {
"apikey": "secret789",
"user": "vault-admin"
}
}
Extract fields:
vault kv get -format=json training/apps/jenkins \
| jq -r '.data.apikey'
vault kv get -format=json training/apps/jenkins \
| jq -r '.data.user'
# vault-admin
8. Delete Secrets
Warning
In KV v1, deleting a secret permanently removes it—no version history is kept.
vault kv delete training/apps/jenkins
vault kv get training/apps/jenkins
You should see:
No value found at training/apps/jenkins
9. List Keys in a Path
First, add a couple of secrets:
vault kv put training/apps/jenkins abc=123
vault kv put training/apps/azuredevops user=administrator
List subpaths under training/apps:
vault kv list training/apps
| Keys |
|---|
| azuredevops/ |
| jenkins/ |
To list only data keys (no trailing slash):
vault kv list training/apps/
| Keys |
|---|
| azuredevops |
| jenkins |
Conclusion
You’ve now learned how to:
- Mount the KV version 1 secrets engine
- Write, read, update, and delete secrets
- List secrets and filter JSON output
For KV version 2 features like versioning and rollback, see the HashiCorp Vault KV Secrets Engine.
Links and References
Watch Video
Watch video content