Skip to main content

Retention policies

Object states

A Vault object is assigned a usable period (active life) when created. An object is archived when its active life expires or the API or CLI deletes it. The deletion or expiration of an owner object archives all the objects it owns.

The default setting in Vault is for objects never to expire.

Grace period

Vault lets you specify a grace period during which an object remains archived so that you can reactivate it if desired. When the object's grace period expires, it becomes eligible for complete erasure from the Vault. For more information, see the 'archived' state in Object life cycle.

The default grace period is 30 days (720 hours).

Customizing the policy

Retention policies determine when an active object will expire. You can customize the retention policy for object types with the expiration environment variables as follows:

  1. using PVAULT_EXPIRATION_ASSOCIATED_OBJECTS for person objects and data objects associated with a person object. For example, a customer record or a credit card belonging to a customer.
  2. using PVAULT_EXPIRATION_UNASSOCIATED_OBJECTS for Data objects that are not associated with a person object.
  3. using PVAULT_EXPIRATION_TOKENS for tokens.
note

You can override the Vault default and these policies settings when creating or updating objects or tokens by setting their expiration_secs parameter in the REST API operations or --expiration-secs flag in the CLI commands.

You customize the grace period for archived objects using the PVAULT_DB_GC_RETENTION_PERIOD environment variable.