This assumes the following has already been done.

• Hashicorp Vault has been installed
• Hashicorp Vault has been initialized
• Hashicorp Vault has been unsealed

You can either:

• delete a secret - the secret can be undeleted
• destroy a secret - the secret cannot be restored

Let's say the secrets engine has been enabled with -path=secret/

~]# vault secrets enable -path=secret/ kv
Success! Enabled the kv secrets engine at: secret/

And let's say approle has been enabled and there is a role named "my-role" and contains a policy named "my-policy".

~]$ vault read auth/approle/role/my-role
Key                        Value
---                        -----
policies                   [my-policy]

In this example, since the secrets engine has been enabled with -path=secret/ the policy path will need to begin with secret/

Let's say "my-policy" permits the following capabilities to "secret/my_path/*".

~]$ vault policy read my-policy
path "secret/my_path/*" {
  capabilities = ["create", "delete", "list", "patch", "read", "update"]
}

Before deleting or destroying a secret, the vault kv list command can be used to list the secrets that have been created. In this example, there are two secrets, one named "foo" and another named "bar".

~]# vault kv list secret/
Keys
----
foo
bar

Before deleting or destroying a secret, let's first return the secrets metadata. Notice in this example that the secret named foo is at version 8 and deletion_time is n/a because the secret has not been destroyed.

~]$ vault kv get secret/foo
========== Secret Path ==========
get secret/foo

======= Metadata =======
Key                Value
---                -----
created_time       2024-05-30T19:02:40.592529578Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            8

You may want to delete the secret before you destroy the secret. The vault kv delete command can be used to delete a secret. 

~]# vault kv delete secret/foo
Success! Data deleted (if it existed) at: secret/foo

Once deleted, the vault kv get command can be used to return the secrets metadata, which should now show that the secret has a deletion_time.

~]$ vault kv get secret/foo
========== Secret Path ==========
get secret/foo

======= Metadata =======
Key                Value
---                -----
created_time       2024-05-30T19:02:40.592529578Z
custom_metadata    <nil>
deletion_time      2025-08-13T02:32:51.914632322Z
destroyed          false
version            8

The vault kv destroy command can then be used to destroy a specific version of the secret.

~]$ vault kv destroy -versions=1 secret/foo
Success! Data written to: secret/foo

It is noteworthy that even after a secret is destroyed, the secret will still "exist". It will just be listed as destroyed.

~]$ vault kv get secret/foo
========== Secret Path ==========
get secret/foo

======= Metadata =======
Key                Value
---                -----
created_time       2024-05-30T19:02:40.592529578Z
custom_metadata    <nil>
deletion_time      2025-08-13T02:32:51.914632322Z
destroyed          true
version            8