1--- 2layout: "docs" 3page_title: "KV - Secrets Engines" 4sidebar_title: "Key/Value" 5sidebar_current: "docs-secrets-kv" 6description: |- 7 The KV secrets engine can store arbitrary secrets. 8--- 9 10# KV Secrets Engine 11 12The `kv` secrets engine is used to store arbitrary secrets within the 13configured physical storage for Vault. This backend can be run in one of two 14modes. It can be a generic Key-Value store that stores one value for a key. 15Versioning can be enabled and a configurable number of versions for each key 16will be stored. 17 18## KV Version 1 19 20When running the `kv` secrets backend non-versioned only the most recently 21written value for a key will be preserved. The benefits of non-versioned `kv` 22is a reduced storage size for each key since no additional metadata or history 23is stored. Additionally, requests going to a backend configured this way will be 24more performant because for any given request there will be fewer storage calls 25and no locking. 26 27More information about running in this mode can be found in the [K/V Version 1 28Docs](/docs/secrets/kv/kv-v1.html) 29 30## KV Version 2 31 32When running v2 of the `kv` backend a key can retain a configurable number of 33versions. This defaults to 10 versions. The older versions' metadata and data 34can be retrieved. Additionally, Check-and-Set operations can be used to avoid 35overwriting data unintentionally. 36 37When a version is deleted the underlying data is not removed, rather it is 38marked as deleted. Deleted versions can be undeleted. To permanently remove a 39version's data the destroy command or API endpoint can be used. Additionally all 40versions and metadata for a key can be deleted by deleting on the metadata 41command or API endpoint. Each of these operations can be ACL'ed differently, 42restricting who has permissions to soft delete, undelete, or fully remove data. 43 44More information about running in this mode can be found in the [K/V Version 2 45Docs](/docs/secrets/kv/kv-v2.html) 46