diff --git a/kong/conf_loader/init.lua b/kong/conf_loader/init.lua
index ba3227c8cfb..afec59e47f2 100644
--- a/kong/conf_loader/init.lua
+++ b/kong/conf_loader/init.lua
@@ -1915,6 +1915,16 @@ return setmetatable({
 remove_sensitive = function(conf)
 local purged_conf = tablex.deepcopy(conf)
+ local refs = purged_conf["$refs"]
+ if type(refs) == "table" then
+ for k, v in pairs(refs) do
+ if not CONF_SENSITIVE[k] then
+ purged_conf[k] = v
+ end
+ end
+ purged_conf["$refs"] = nil
+ end
+
 for k in pairs(CONF_SENSITIVE) do
 if purged_conf[k] then
 purged_conf[k] = CONF_SENSITIVE_PLACEHOLDER
diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua
index c389103e69a..49a42e96bbf 100644
--- a/spec/01-unit/03-conf_loader_spec.lua
+++ b/spec/01-unit/03-conf_loader_spec.lua
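Review bot: `purged_conf["$refs"] = nil` sits inside the `type(refs) == "table"` branch, so if `$refs` ever holds a non-table value it is returned unchanged in the purged copy; moving that assignment after the `end` of the `if` clears the key unconditionally. The loop that copies `refs[k]` back is what keeps vault-resolved values out of the output for keys that are not in `CONF_SENSITIVE` (the unit test pins `pg_database` to its reference string), which deserves a comment since it reads like plain bookkeeping: `-- a value resolved from a vault is a secret even when its key is not in CONF_SENSITIVE: show the reference, not the resolved value`. Whether `refs[k]` is always a plain string rather than a nested table is not visible here and should be confirmed before relying on the direct assignment. remove_sensitive's body continues outside the hunk.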
@@ -1461,6 +1461,36 @@ describe("Configuration loader", function()
 assert.not_equal("hide_me", purged_conf.pg_password)
 assert.not_equal("hide_me", purged_conf.cassandra_password)
 end)
+
+ it("replaces sensitive vault resolved settings", function()
+ finally(function()
+ helpers.unsetenv("PG_PASSWORD")
+ helpers.unsetenv("PG_DATABASE")
+ helpers.unsetenv("CASSANDRA_PASSWORD")
+ helpers.unsetenv("CASSANDRA_KEYSPACE")
+ end)
+
+ helpers.setenv("PG_PASSWORD", "pg-password")
+ helpers.setenv("PG_DATABASE", "pg-database")
+ helpers.setenv("CASSANDRA_PASSWORD", "cassandra-password")
+ helpers.setenv("CASSANDRA_KEYSPACE", "cassandra-keyspace")
+
+ local conf = assert(conf_loader(nil, {
+ pg_password = "{vault://env/pg-password}",
+ pg_database = "{vault://env/pg-database}",
+ cassandra_password = "{vault://env/cassandra-password}",
+ cassandra_keyspace = "{vault://env/cassandra-keyspace}",
+ vaults = "env",
+ }))
+
+ local purged_conf = conf_loader.remove_sensitive(conf)
+ assert.equal("******", purged_conf.pg_password)
+ assert.equal("{vault://env/pg-database}", purged_conf.pg_database)
+ assert.equal("******", purged_conf.cassandra_password)
+ assert.equal("{vault://env/cassandra-keyspace}", purged_conf.cassandra_keyspace)
+ assert.is_nil(purged_conf["$refs"])
+ end)
+
 it("does not insert placeholder if no value", function()
 local conf = assert(conf_loader())
 local purged_conf = conf_loader.remove_sensitive(conf)
diff --git a/spec/02-integration/13-vaults/03-mock_spec.lua b/spec/02-integration/13-vaults/03-mock_spec.lua
index f5b76ac8f78..b881e1cdbd6 100644
--- a/spec/02-integration/13-vaults/03-mock_spec.lua
+++ b/spec/02-integration/13-vaults/03-mock_spec.lua
@@ -113,25 +113,38 @@ for _, strategy in helpers.each_strategy() do
 local body = assert.res_status(200, res)
 local json = cjson.decode(body)
 assert.equal(meta._VERSION, json.version)
+ assert.equal("{vault://mock/admin-listen}", json.configuration.admin_listen)
 assert.falsy(exists(join(helpers.test_conf.prefix, ".kong_process_secrets")))
 end)
 end)
 describe("Kong Reload", function()
 it("can use co-sockets and resolved referenced are passed to Kong server", function()
+ finally(function()
+ helpers.unsetenv("KONG_ADMIN_LISTEN")
+ end)
+
+ helpers.setenv("KONG_ADMIN_LISTEN", "{vault://mock/listen?prefix=admin_}")
+
 local workers = get_kong_workers()
 assert(helpers.kong_exec("reload --conf " .. helpers.test_conf_path ..
- " --nginx-conf spec/fixtures/custom_nginx.template"))
+ " --nginx-conf spec/fixtures/custom_nginx.template", {
+ vaults = "env,mock"
+ }))
 wait_until_no_common_workers(workers, 1)
 assert.falsy(exists(join(helpers.test_conf.prefix, ".kong_process_secrets")))
- local res = client:get("/")
+ ngx.sleep(0.1)
+
+ local http = assert(helpers.admin_client(10000))
+ local res = http:get("/")
 local body = assert.res_status(200, res)
 local json = cjson.decode(body)
 assert.equal(meta._VERSION, json.version)
+ assert.equal("{vault://mock/listen?prefix=admin_}", json.configuration.admin_listen)
 end)
 end)
 end)
diff --git a/spec/fixtures/custom_vaults/kong/vaults/mock/schema.lua b/spec/fixtures/custom_vaults/kong/vaults/mock/schema.lua
index c0496515f06..4241ad65ae4 100644
--- a/spec/fixtures/custom_vaults/kong/vaults/mock/schema.lua
+++ b/spec/fixtures/custom_vaults/kong/vaults/mock/schema.lua
@@ -5,6 +5,7 @@ return {
 config = {
 type = "record",
 fields = {
+ { prefix = { type = "string", match = [[^[%a_][%a%d_]*$]] } },
 },
 },
 },
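Review bot: The `ngx.sleep(0.1)` added before `helpers.admin_client(10000)` is a fixed wait for the reloaded workers to bring up the new admin listener, which makes the test timing-dependent: a slower reload fails it, and nothing ties 100ms to the reload. `wait_until_no_common_workers(workers, 1)` only proves the old workers are gone, not that the new listener accepts connections, so polling instead — for example wrapping the `http:get("/")` and its `assert.res_status(200, res)` in `helpers.wait_until` with a timeout — removes the guess. The `http` client opened here is never closed; add `http:close()` after the last assert. The strategy loop named in the hunk header continues outside the hunk.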