One of the core features of Vault is the ability to read and write arbitrary secrets securely. Secrets written to Vault are encrypted and then written to the backend storage. Therefore, the backend storage mechanism never sees the unencrypted value and doesn't have the means necessary to decrypt it without Vault.
NOTE: This step assumes that you created and connected to the HCP Vault cluster in the Create a Vault Cluster on HashiCorp Cloud Platform (HCP) step.
»Key/Value secrets engine
The Key/Value v2 secrets engine is a generic key-value store used to store arbitrary secrets within the configured physical storage for Vault. As noted above, secrets are encrypted before they reach backend storage, so the storage layer never handles the plaintext and cannot decrypt it without Vault.
The Key/Value secrets engine comes in version 1 and version 2. The difference is that v2 keeps a history of versions for each secret (with delete, undelete, destroy and rollback operations on individual versions), whereas v1 stores a single value that each write overwrites.
Use the vault kv <subcommand> [options] [args] command to interact with the K/V secrets engine.
|Subcommand|kv v1|kv v2|Description|
|---|---|---|---|
|delete|x|x|Delete versions of secrets stored in K/V (in v2 this is a soft delete that undelete can reverse)|
|destroy||x|Permanently remove one or more versions of secrets|
|enable-versioning||x|Turns on versioning for an existing K/V v1 store (upgrades it to v2)|
|list|x|x|List data or secrets|
|metadata||x|Interact with a secret's metadata (versions, custom metadata) rather than its data|
|patch||x|Update secrets without overwriting existing secrets|
|put|x|x|Set or update secrets (this replaces existing secrets; in v2 the previous value is kept as an older version)|
|rollback||x|Rolls back to a previous version of secrets|
|undelete||x|Restore the deleted version of secrets|
»Enable secrets engine
First, enable the key/value v2 secrets engine at the secret/ path in the admin namespace. Secrets engines are tied to their namespace. Therefore, the secrets you create in the admin namespace are not accessible from other namespaces.
NOTE: If you receive any errors after making a configuration change in the Vault UI, such as 404 page could not be found, refresh the page.
In the Vault UI, set the current namespace to admin.
Select the Secrets tab in the Vault UI.
Click Enable new engine.
Select KV from the list, and then click Next.
Enter secret in the Path field.
Click Enable Engine to complete.
Click secret to explore the new secrets engine you enabled.
Now that you have a secrets engine enabled, you will create a new secret.
»Create a secret
Now that you have enabled a secrets engine, in this scenario the key/value v2 secrets engine, you can store and retrieve secrets from HCP Vault.
Click Create secret. Enter test/webapp in the Path for this secret field.
Under the Secret data section, enter api-key in the key field and ABC0DEFG9876 in the value field. You can click the sensitive information toggle to show or hide the entered secret values.
After saving the secret, click the masked input toggle button to review the stored value of api-key.
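The UI steps above and the subcommand table earlier describe the same KV v2 operations. The following is an added example, not code from the HashiCorp tutorial or the Vault project, that performs that workflow against Vault's HTTP API so the v2 path layout (data/ vs metadata/ vs delete/undelete/destroy/) and the versioning semantics are visible. It assumes VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE are set in the environment, uses the tutorial's mount path secret and secret path test/webapp, and treats ABC0DEFG9876 as the tutorial's placeholder and ROTATED-VALUE as a constructed second version; neither is a real credential. The CLI equivalents are given in comments.

```python
"""Added example (not HashiCorp's tutorial code): the KV v2 workflow over the HTTP API.

Assumptions: VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE come from the environment;
mount "secret" and secret path "test/webapp" are the tutorial's; the values written
are placeholders, not real credentials.
"""
import json
import os
import urllib.error
import urllib.request

# KV v2 exposes one secret through several sub-paths under the mount. KV v1 has no
# such split: its only path is <mount>/<secret_path>, and every put overwrites.
KV2_KINDS = ("data", "metadata", "delete", "undelete", "destroy")


def kv_url(addr: str, mount: str, secret_path: str, kind: str = "data") -> str:
    """Build a KV v2 endpoint: data/ (read, write), metadata/ (versions, list),
    delete/, undelete/, destroy/ (per-version operations)."""
    if kind not in KV2_KINDS:
        raise ValueError(f"unknown KV v2 sub-path: {kind}")
    return f"{addr.rstrip('/')}/v1/{mount.strip('/')}/{kind}/{secret_path.strip('/')}"


def vault_headers(token: str, namespace: str = "") -> dict:
    """Token plus the namespace header; secrets engines live in one namespace."""
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    return headers


def kv2_write_body(data: dict, cas: int = None) -> dict:
    """KV v2 wraps the key/value pairs in "data" (KV v1 posts them bare).
    cas (check-and-set) makes the write fail unless the current version equals
    cas; cas=0 means "create only". It stops two writers racing on one path."""
    body = {"data": dict(data)}
    if cas is not None:
        body["options"] = {"cas": int(cas)}
    return body


def versions_body(versions) -> dict:
    """Body for delete/, undelete/ and destroy/: which versions to act on."""
    return {"versions": [int(v) for v in versions]}


def parse_kv2_read(resp: dict) -> tuple:
    """Unwrap a KV v2 read into (key/value data, version, unavailable?).
    A soft-deleted version reads back with data=None and a deletion_time and can
    be undeleted; a destroyed one has destroyed=true and is gone for good."""
    inner = resp["data"]
    meta = inner["metadata"]
    gone = bool(meta.get("deletion_time")) or bool(meta.get("destroyed"))
    return (inner.get("data") or {}), int(meta["version"]), gone


def vault_call(method: str, url: str, headers: dict, body: dict = None) -> dict:
    """One JSON round trip. Vault answers a deleted or destroyed version with
    HTTP 404 but still returns the version metadata, so that body is handed
    back instead of raising; every other HTTP error propagates."""
    payload = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=payload, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as r:
            raw = r.read()
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise
        raw = err.read()
    return json.loads(raw) if raw else {}


def main() -> None:
    addr = os.environ["VAULT_ADDR"]  # the HCP cluster's public address (assumed)
    hdrs = vault_headers(os.environ["VAULT_TOKEN"],
                         os.environ.get("VAULT_NAMESPACE", "admin"))
    mount, path = "secret", "test/webapp"

    # vault kv metadata get secret/test/webapp   (current_version, or 0 if absent)
    meta = vault_call("GET", kv_url(addr, mount, path, "metadata"), hdrs)
    current = (meta.get("data") or {}).get("current_version", 0)

    # vault kv put secret/test/webapp api-key=ABC0DEFG9876
    # cas=current: a concurrent write in between yields HTTP 400, not a silent overwrite.
    written = vault_call("POST", kv_url(addr, mount, path), hdrs,
                         kv2_write_body({"api-key": "ABC0DEFG9876"}, cas=current))
    first = written["data"]["version"]

    # A second put creates a new version; the first is kept, not replaced (v2 only).
    vault_call("POST", kv_url(addr, mount, path), hdrs,
               kv2_write_body({"api-key": "ROTATED-VALUE"}))

    # vault kv get -version=<n> secret/test/webapp
    data, ver, gone = parse_kv2_read(
        vault_call("GET", f"{kv_url(addr, mount, path)}?version={first}", hdrs))
    print(f"version {ver}: {data} unavailable={gone}")

    # vault kv delete -versions=<n> ... (soft) then vault kv undelete -versions=<n> ...
    vault_call("POST", kv_url(addr, mount, path, "delete"), hdrs, versions_body([first]))
    _, _, gone = parse_kv2_read(
        vault_call("GET", f"{kv_url(addr, mount, path)}?version={first}", hdrs))
    print(f"after delete: version {first} unavailable={gone}")
    vault_call("POST", kv_url(addr, mount, path, "undelete"), hdrs, versions_body([first]))
    # vault kv destroy -versions=<n> ... is irreversible and deliberately not run here.


if __name__ == "__main__":
    main()
```

Run it with the same token and admin namespace you used in the UI; the metadata read first lets the script work whether or not test/webapp already exists from the UI steps, because cas is set to the current version rather than to 0.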
This tutorial gave you a brief introduction to the key/value v2 secrets engine. To understand the features it provides, follow the Versioned Key/Value Secrets Engine tutorial. That tutorial is written for a self-managed Vault OSS server; the only difference when you follow it against HCP Vault is that you must set the target namespace first.
The next step is to go through an introduction to Vault policies.