Overview Admins can check that a secret exists with READ permissions Admins cannot actually see the value Encrypt string before putting in K/V ➜ ~ VALUE=$(vault write transit/encrypt/ranjit -format=json plaintext=$(base64 <<< "supersecret") | jq -r '.data.ciphertext') ➜ ~ vault kv put kv/my-secret value=$VALUE Check value with READ permissions ➜ ~ vault kv get kv/my-secret ==== Data ==== Key Value --- ----- value vault:v1:1Yd+KC+k6Wsx598NCYd88qO2HZGjMWDuXlDi/w9CiIu+u1hNfxR8/Q== Pull K/V and decrypt real value ➜ ~ LOOK=$(vault kv get -format=json kv/my-secret | jq -r '.data.data.value') ➜ ~ base64 --decode -i <(vault write -format=json transit/decrypt/ranjit ciphertext=$LOOK | jq -r '.data.plaintext') supersecret