Difficulty: beginner
Estimated Time: 5 minutes

Logo

HashiCorp Vault's transit secrets engine handles cryptographic functions on data in-transit. It can also viewed as encryption as a service.

NOTE: Vault does not store the data sent to the secrets engine.

The primary use case for the transit secrets engine is to encrypt data from applications while still storing that encrypted data in some primary data store. This relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault.

Encryption as a Service


This scenario demonstrates the usage of transit secrets engine:

  • Configure Transit Secret Engine
  • Encrypt Secret
  • Rotate the Encryption Key
  • Rewrap Data
  • Update Key Configuration

See the Transit Secrets Re-wrapping guide which demonstrates ciphertext rewrapping programatically.

This scenario demonstrated the usage of transit secrets engine:

  • Configure Transit Secret Engine
  • Encrypt Secret
  • Rotate the Encryption Key
  • Rewrap Data
  • Update Key Configuration

Resources:

Don’t stop now! The next scenario will only take about 10 minutes to complete.

Vault Encryption as a Service

Step 1 of 6

Getting Started

Enter the following command to start the Vault server in development mode.

Click on the command () will automatically copy it into the terminal and execute it.

vault server -dev -dev-root-token-id="root"

Scroll up the Terminal to locate the following output:

==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
                 Storage: inmem
                 Version: Vault v0.11.4
             Version Sha: 8575f8fedcf8f5a6eb2b4701cb527b99574b5286

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

When Vault is running in development mode, it runs entirely in-memory that the data does not get persisted. This build-in, pre-configured server is useful for local development, testing and exploration.


Login with root token

Click the + next to the opened Terminal, and select Open New Terminal.

New Terminal

In the Terminal 2, set the VAULT_ADDR environment variable:

export VAULT_ADDR='http://127.0.0.1:8200'

Login with the generated root token.

vault login root

Now, you are logged in as a root and ready to play!