Introduction
When using the Transit Secrets Engine, key versions that are earlier than a key's specified min_decryption_version
get archived, and the rest of the key versions belong to the working set. Currently this archive is stored in a single storage entry. With some storage backends, notably those using Raft or Paxos for HA capabilities, frequent rotation may lead to a storage entry size for the archive that is larger than the storage backend can handle. See storage related limits in the Additional Information section.
Problem
By understanding how the archive works, we can keep it from growing too large, which in turn keeps its storage entry size within what the storage backend can handle.
Prerequisites
- Vault
- Transit Secrets Engine
Solutions
- Use the trim key endpoint, which trims older key versions by setting a minimum available version for the keyring. Once set, trim deletes all earlier versions of the key. These versions are not recoverable once trimmed.
- Note: when setting trim, minimum_encryption_version and minimum_decryption_version must also be set.
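The following helper is an added example, not code from Vault or this article. It takes the key metadata as returned by `vault read -format=json transit/keys/<name>` (a constructed sample for an assumed key named `payments`), shows which versions sit in the archive versus the working set, and checks the trim endpoint's documented constraints (min_available_version between 1 and the latest version, no greater than either min_decryption_version or min_encryption_version, and neither of those zero) before emitting the config and trim calls.

```python
"""Plan a Transit key trim before calling Vault (added example, not Vault code)."""
from typing import Dict, List, Tuple

# Constructed sample of the "data" object from
# `vault read -format=json transit/keys/payments` (key name is assumed).
KEY_INFO = {
    "name": "payments",
    "latest_version": 7,
    "min_available_version": 1,
    "min_decryption_version": 1,
    "min_encryption_version": 0,  # 0 means "latest"; trim refuses this value
    "keys": {str(v): 1700000000 + 86400 * v for v in range(1, 8)},
}


def split_versions(info: Dict) -> Tuple[List[int], List[int]]:
    """Versions below min_decryption_version are archived; the rest form the working set."""
    floor = info["min_decryption_version"]
    versions = sorted(int(v) for v in info["keys"])
    return [v for v in versions if v < floor], [v for v in versions if v >= floor]


def plan_trim(info: Dict, min_available: int) -> Dict:
    """Return request bodies for keys/<name>/config and keys/<name>/trim.

    Mirrors the rules Vault enforces: min_available_version must be at least 1
    and no greater than min_decryption_version or min_encryption_version, and
    neither of those may be 0 when trimming. Versions below it are deleted.
    """
    if not 1 <= min_available <= info["latest_version"]:
        raise ValueError("min_available_version must be between 1 and latest_version")
    # Raise both floors to the trim point so Vault accepts the trim call.
    min_dec = max(info["min_decryption_version"], min_available)
    min_enc = max(info["min_encryption_version"], min_available)
    if min_enc < min_dec:
        raise ValueError("min_encryption_version must be >= min_decryption_version")
    versions = sorted(int(v) for v in info["keys"])
    return {
        "config": {"min_decryption_version": min_dec, "min_encryption_version": min_enc},
        "trim": {"min_available_version": min_available},
        "trimmed_versions": [v for v in versions if v < min_available],
    }


if __name__ == "__main__":
    plan = plan_trim(KEY_INFO, 4)
    name = KEY_INFO["name"]
    cfg = " ".join(f"{k}={v}" for k, v in plan["config"].items())
    print(f"vault write transit/keys/{name}/config {cfg}")
    print(f"vault write transit/keys/{name}/trim min_available_version={plan['trim']['min_available_version']}")
    print("versions deleted permanently:", plan["trimmed_versions"])
```

Run the config write before the trim write; the trim is irreversible, so the printed `trimmed_versions` list is the set of versions you are about to lose.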
Outcome
Trimming keys keeps the archive's storage entry from growing too large for the backend and lets us avoid the storage issues described above.