diff --git a/kubernetes/Dockerfile b/kubernetes/Dockerfile
index a766c0e..3821382 100644
--- a/kubernetes/Dockerfile
+++ b/kubernetes/Dockerfile
@@ -1,6 +1,6 @@
 FROM alpine
-ARG VAULT_VERSION=1.13.2
+ARG VAULT_VERSION=1.16.3
 COPY vault-snapshot.sh /
diff --git a/kubernetes/README.md b/kubernetes/README.md
index adf2b14..f357983 100644
--- a/kubernetes/README.md
+++ b/kubernetes/README.md
@@ -15,5 +15,39 @@ After the snapshot is created in a temporary directory, `s3cmd` is used to sync
 * `S3_URI` - S3 URI to use to upload (s3://xxx)
 * `S3_BUCKET` - S3 bucket to point to
 * `S3_HOST` - S3 endpoint
+* `S3_EXPIRE_DAYS` - Delete files older than this threshold (expired)
 * `AWS_ACCESS_KEY_ID` - Access key to use to access S3
 * `AWS_SECRET_ACCESS_KEY` - Secret access key to use to access S3
+
+## Configuration of file retention (pruning)
+
+With AWS S3, use [lifecycle
+rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html)
+to configure retention and automatic cleanup action (prune) for expired files.
+
+For other S3 compatible storage, ensure to set [Governance
+lock](https://community.exoscale.com/documentation/storage/versioning/#set-up-the-lock-configuration-for-a-bucket)
+to avoid any modification before `$S3_EXPIRE_DAYS`:
+
+```
+mc retention set --default GOVERNANCE "${S3_EXPIRE_DAYS}d" my-s3-remote/my-bucket
+```
+
+On removal by the `vault-snapshot.sh` script, [`DEL` deletion marker
+(tombstone)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html#object-lock-managing-delete-markers)
+is set:
+
+```
+mc ls --versions my-snapshots/vault-snapshots-2f848f
+[2024-09-09 09:07:46 CEST] 0B X/1031980658232456253 v2 DEL vault_2024-09-06-1739.snapshot
+[2024-09-06 19:39:49 CEST] 28KiB Standard 1031052557042383613 v1 PUT vault_2024-09-06-1739.snapshot
+```
+
+Use [`mc
+undo`](https://min.io/docs/minio/linux/reference/minio-mc/mc-undo.html) to undo
+the `DEL` operation:
+```
+mc undo my-snapshots/vault-snapshots-2f848f/vault_2024-09-06-1739.snapshot
+mc ls --versions my-snapshots/vault-snapshots-2f848f
+[2024-09-06 19:39:49 CEST] 28KiB Standard 1031052557042383613 v1 PUT vault_2024-09-06-1739.snapshot
+```
diff --git a/kubernetes/cronjob.yaml b/kubernetes/cronjob.yaml
index a52ee49..0de469b 100644
--- a/kubernetes/cronjob.yaml
+++ b/kubernetes/cronjob.yaml
@@ -32,6 +32,9 @@ spec:
 value: bucketname
 - name: S3_URI
 value: s3://bucketname
+ # leave empty to retain snapshot files (default)
+ - name: S3_EXPIRE_DAYS
+ value:
 - name: VAULT_ROLE
 value: vault-snapshot
 - name: VAULT_ADDR
diff --git a/kubernetes/vault-snapshot.sh b/kubernetes/vault-snapshot.sh
index 3eca57e..fb71654 100644
--- a/kubernetes/vault-snapshot.sh
+++ b/kubernetes/vault-snapshot.sh
@@ -7,8 +7,22 @@ VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login role="${VAULT_ROLE
 export VAULT_TOKEN
 # create snapshot
-
 vault operator raft snapshot save /vault-snapshots/vault_"$(date +%F-%H%M)".snapshot
 # upload to s3
 s3cmd put /vault-snapshots/* "${S3_URI}" --host="${S3_HOST}" --host-bucket="${S3_BUCKET}"
+
+# remove expired snapshots
+if [ "${S3_EXPIRE_DAYS}" ]; then
+ s3cmd ls "${S3_URI}" --host="${S3_HOST}" --host-bucket="${S3_BUCKET}" | while read -r line; do
+ createDate=$(echo "$line" | awk '{print $1" "$2}')
+ createDate=$(date -d"$createDate" +%s)
+ olderThan=$(date --date @$(($(date +%s) - 86400*S3_EXPIRE_DAYS)) +%s)
+ if [ "$createDate" -lt "$olderThan" ]; then
+ fileName=$(echo "$line" | awk '{print $4}')
+ if [ "$fileName" != "" ]; then
+ s3cmd del "$fileName" --host="${S3_HOST}" --host-bucket="${S3_BUCKET}"
+ fi
+ fi
+ done;
+fi
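Review bot: The prune loop in vault-snapshot.sh issues `s3cmd del` for every object that `s3cmd ls "${S3_URI}"` returns once it is older than the cutoff, with no check that the key is one of the `vault_<date>.snapshot` files this script writes, so anything else stored under the same `S3_URI` is at risk and a `DIR` entry (whose first columns are not a date) makes `date -d` fail. A `case "$fileName" in */vault_*.snapshot) ;; *) continue ;; esac` guard ahead of the date comparison restricts deletion to the script's own output. `olderThan` is also recomputed for every listed object and the `date --date @... +%s` round-trip returns the epoch it was given, so the cutoff can be computed once before the loop as `cutoff=$(( $(date +%s) - 86400*S3_EXPIRE_DAYS ))`; a non-numeric `S3_EXPIRE_DAYS` such as `7d` makes that arithmetic fail, so validating it up front gives a clear error instead of a partial run. Whether the script runs under `set -e` is not visible in this hunk, so a failing `date -d` may either abort the job or be silently skipped.
```shell
# remove expired snapshots
if [ "${S3_EXPIRE_DAYS}" ]; then
  # a whole number of days is required; anything else breaks the arithmetic below
  case "${S3_EXPIRE_DAYS}" in
    *[!0-9]*) echo "S3_EXPIRE_DAYS must be a whole number of days, got '${S3_EXPIRE_DAYS}'" >&2; exit 1 ;;
  esac
  # cutoff epoch, computed once instead of per listed object
  cutoff=$(( $(date +%s) - 86400*S3_EXPIRE_DAYS ))
  s3cmd ls "${S3_URI}" --host="${S3_HOST}" --host-bucket="${S3_BUCKET}" | while read -r line; do
    fileName=$(echo "$line" | awk '{print $4}')
    # only delete snapshots this script wrote; skips DIR entries and unrelated keys under the prefix
    case "$fileName" in
      */vault_*.snapshot) ;;
      *) continue ;;
    esac
    createDate=$(echo "$line" | awk '{print $1" "$2}')
    createDate=$(date -d"$createDate" +%s)
    if [ "$createDate" -lt "$cutoff" ]; then
      s3cmd del "$fileName" --host="${S3_HOST}" --host-bucket="${S3_BUCKET}"
    fi
  done
fi
```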