Skip to main content
In this guide, you’ll explore how to enable and manage the Key/Value (KV) version 1 secrets engine in HashiCorp Vault. You will learn to list existing secrets engines, mount a new KV engine, perform CRUD operations on secrets, and filter JSON output with jq.

1. List Enabled Secrets Engines

Run the following command to see which secrets engines are mounted: 
vault secrets list
PathTypeAccessorDescription
cubbyhole/cubbyholecubbyhole_9c6c2ca2Per-token private secret storage
identity/identityidentity_e55fbf01Identity store
sys/systemsystem_ae43616eSystem endpoints for control, policy, and debugging
transit/transittransit_5bb3af5en/a

2. Enable a KV Version 1 Secrets Engine

By default, kv enables version 1. Mount it at the path training: 
vault secrets enable -path=training kv
Success! You should see: 
Enabled the kv secrets engine at: training/
Verify the new mount: 
vault secrets list
PathTypeAccessorDescription
training/kvkv_1d131683n/a
If you need KV version 2 (with versioning, metadata, and rollback), use -version=2.

3. Verify the Engine Version

Use --detailed to confirm the KV engine version: 
vault secrets list --detailed
Look for an empty Options map (map[]), which indicates KV v1: 
Path        Plugin  Accessor       Options
----        ------  --------       -------
training/   kv      kv_1d131683    map[]

4. Write and Read Secrets

Write a secret at training/apps/jenkins: 
vault kv put training/apps/jenkins apikey=secret123
Read it back: 
vault kv get training/apps/jenkins
Output: 
Key      Value
---      -----
apikey   secret123

5. Update Secrets

Writing to the same path replaces existing data: 
vault kv put training/apps/jenkins apikey=newsecret456
vault kv get training/apps/jenkins
Result: 
Key      Value
---      -----
apikey   newsecret456

6. Write Multiple Key/Value Pairs

You can include several pairs in one command: 
vault kv put training/apps/jenkins apikey=secret789 user=vault-admin
vault kv get training/apps/jenkins
Result: 
Key      Value
---      -----
apikey   secret789
user     vault-admin

7. Filter JSON Output with jq

Retrieve secret data in JSON: 
vault kv get -format=json training/apps/jenkins
Sample output: 
{
  "request_id": "...",
  "data": {
    "apikey": "secret789",
    "user": "vault-admin"
  }
}
Extract fields: 
vault kv get -format=json training/apps/jenkins \
  | jq -r '.data.apikey'
vault kv get -format=json training/apps/jenkins \
  | jq -r '.data.user'
# vault-admin

8. Delete Secrets

In KV v1, deleting a secret permanently removes it—no version history is kept.
vault kv delete training/apps/jenkins
vault kv get training/apps/jenkins
You should see: 
No value found at training/apps/jenkins

9. List Keys in a Path

First, add a couple of secrets: 
vault kv put training/apps/jenkins abc=123
vault kv put training/apps/azuredevops user=administrator
List subpaths under training/apps: 
vault kv list training/apps
Keys
azuredevops/
jenkins/
To list only data keys (no trailing slash): 
vault kv list training/apps/
Keys
azuredevops
jenkins

Conclusion

You’ve now learned how to:
  • Mount the KV version 1 secrets engine
  • Write, read, update, and delete secrets
  • List secrets and filter JSON output
For KV version 2 features like versioning and rollback, see the HashiCorp Vault KV Secrets Engine.

Watch Video