Difficulty: beginner
Estimated Time: 5 minutes

HashiCorp Vault's transit secrets engine performs cryptographic operations on data in transit: applications send plaintext (or ciphertext) to Vault and get the result back, while the key material stays inside Vault. It can also be viewed as encryption as a service.

NOTE: Vault does not store the data sent to the secrets engine.

The primary use case for the transit secrets engine is to encrypt data from applications while still storing that encrypted data in some primary data store. This relieves application developers of implementing encryption, decryption and key management correctly, and moves that responsibility to the operators of Vault, who manage the keys centrally; by default the key material never leaves Vault.

Encryption as a Service

This scenario demonstrates the usage of transit secrets engine:

  • Configure Transit Secrets Engine
  • Encrypt Secret
  • Rotate the Encryption Key
  • Rewrap Data
  • Update Key Configuration

See the Transit Secrets Re-wrapping guide, which demonstrates ciphertext rewrapping programmatically.

Resources:

Vault Encryption as a Service

Step 1 of 5

Configure Transit Secrets Engine

Log in with the root token. The root token is used here only because this is a throwaway lab environment; in a real deployment you would use a token scoped to the transit paths the operator needs.


vault login root

The transit secrets engine must be configured before it can perform its operations. These steps are usually done by an operator or configuration management tool.

First, enable the transit secrets engine by executing the following command:

vault secrets enable transit

By default, the secrets engine will mount at the name of the engine. If you wish to enable it at a different path, use the -path argument.

Example: vault secrets enable -path=encryption transit

Run the following command to verify that the transit secrets engine has been enabled at transit:

vault secrets list

Now, create an encryption key ring named "orders" by executing the following command:

vault write -f transit/keys/orders

NOTE: Typically, you want to create an encryption key ring for each application. Separate key rings let you rotate or revoke one application's key without affecting the others, and let Vault policies grant each application access to only its own key path (transit/encrypt/<name>, transit/decrypt/<name>).

Now, the transit secrets engine is ready to use!
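The five steps the scenario lists (configure, encrypt, rotate, rewrap, update key configuration), carried through end to end as an added shell example that is not part of the HashiCorp tutorial. It assumes VAULT_ADDR and VAULT_TOKEN are already exported for a running Vault dev server and that the vault CLI is on PATH, uses the tutorial's mount path and key name ("transit" and "orders"), and only executes the live workflow when invoked with the argument run. The order line it encrypts is constructed sample data. The two helpers at the bottom parse the vault:v<N>: prefix that transit puts on every ciphertext, which is how you decide after a rotation which stored records still need rewrapping.

```shell
#!/bin/sh
# Added example (not from the HashiCorp tutorial): the transit workflow as shell
# functions. Assumes VAULT_ADDR and VAULT_TOKEN are exported and `vault` is on PATH
# when the live workflow runs. Mount path and key name are the tutorial's own.
set -e

MOUNT="${TRANSIT_MOUNT:-transit}"   # change if you enabled the engine with -path=
KEY="${TRANSIT_KEY:-orders}"        # one key ring per application

# Step 1: enable the engine (skipped if already mounted) and create the key ring.
transit_setup() {
  vault secrets list -format=json | grep -q "\"${MOUNT}/\"" \
    || vault secrets enable -path="${MOUNT}" transit
  vault write -f "${MOUNT}/keys/${KEY}" >/dev/null
}

# Step 2: encrypt raw plaintext. Transit only accepts base64-encoded input.
transit_encrypt() {
  vault write -field=ciphertext "${MOUNT}/encrypt/${KEY}" \
    plaintext="$(printf '%s' "$1" | base64 | tr -d '\n')"
}

# Decrypt a ciphertext back to raw plaintext (output is base64, so decode it).
transit_decrypt() {
  vault write -field=plaintext "${MOUNT}/decrypt/${KEY}" ciphertext="$1" | base64 -d
}

# Step 3: rotate the key. New encryptions use the new version; old ciphertext still decrypts.
transit_rotate() { vault write -f "${MOUNT}/keys/${KEY}/rotate" >/dev/null; }

# Step 4: re-encrypt stored ciphertext under the newest version without exposing plaintext.
transit_rewrap() {
  vault write -field=ciphertext "${MOUNT}/rewrap/${KEY}" ciphertext="$1"
}

# Latest key version, read from the key's metadata.
transit_latest_version() {
  vault read -field=latest_version "${MOUNT}/keys/${KEY}"
}

# Pure helper: transit ciphertext has the form "vault:v<N>:<base64>"; return N.
ciphertext_key_version() {
  case "$1" in
    vault:v*:*) v="${1#vault:v}"; printf '%s\n' "${v%%:*}" ;;
    *) echo "not a transit ciphertext: $1" >&2; return 1 ;;
  esac
}

# Pure helper: succeed (exit 0) when the ciphertext is older than the given key version.
needs_rewrap() {
  [ "$(ciphertext_key_version "$1")" -lt "$2" ]
}

# Live workflow: only runs when asked to and when a vault client is available.
if [ "${1:-}" = "run" ] && command -v vault >/dev/null 2>&1; then
  transit_setup
  ct="$(transit_encrypt "order-4815162342: 4 widgets")"   # constructed sample record
  echo "encrypted under key version $(ciphertext_key_version "$ct")"
  transit_rotate
  latest="$(transit_latest_version)"
  if needs_rewrap "$ct" "$latest"; then
    ct="$(transit_rewrap "$ct")"
    echo "rewrapped to key version $(ciphertext_key_version "$ct")"
  fi
  echo "roundtrip: $(transit_decrypt "$ct")"
  # Step 5: raise min_decryption_version so ciphertext under the old version
  # can no longer be decrypted. Do this only after every stored record is rewrapped.
  vault write "${MOUNT}/keys/${KEY}/config" min_decryption_version="$latest"
fi
```

Save the block as transit-demo.sh and run it as "sh transit-demo.sh run" against a dev server. The order of steps 4 and 5 matters: once min_decryption_version is raised, any record you forgot to rewrap becomes unreadable, so sweep your data store with needs_rewrap and transit_rewrap first.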