Hashicorp Vault : Transit Secret Engine







In the previous article, we discussed dynamic secrets, how to work with them, and how to manage their leases. In this article, we look at the transit secrets engine. Before diving into it, let's consider a typical challenge.


Many applications need encryption and decryption functionality. Building custom logic for this adds a burden to application developers, who in many cases are not experts in the technical details of cryptography.





Possible Solution


Vault's transit secrets engine handles cryptographic functions on data in transit.

Vault doesn't store the data sent to the secrets engine, so it can also be viewed as encryption as a service.

Instead of developing and managing cryptographic operations themselves, application developers can hand that burden to Vault.





How does the Transit Engine work?





Let's see how it is done by logging into the Vault console.



  • Go to the Vault console, choose Enable new engine, and select the Transit type




  • Enable the transit engine






  • Create a key to be used for encryption/decryption


  • Click on the encryption key and select Encrypt






Copy this ciphertext token (it needs to be provided to decrypt the data).




To decrypt the text, click on Decrypt (from the same place where we clicked Encrypt). Provide the token from the previous step. Note that the decrypted output is base64 encoded; to see the real contents, use any conversion utility on the internet or a Linux utility such as base64 -d.





Now we can just copy and paste this token; it is base64 encoded.




That's it about the Transit engine. Any base64 decoder will convert the base64 encoded text back to plain text.
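The same encrypt/decrypt round trip that the UI walks through above can be driven from application code against Vault's HTTP API. The following is an added example, not code from the original article or from HashiCorp: the request and response shapes (POST /v1/transit/encrypt/<key> with a base64 "plaintext", POST /v1/transit/decrypt/<key> with a "ciphertext", and the vault:v<N>: prefix on ciphertext) follow the public transit API, while the key name "my-key", the VAULT_ADDR/VAULT_TOKEN defaults and the FakeTransit class are constructed here so the example runs offline. FakeTransit is an in-memory stand-in for a Vault server and does not use Vault's real cipher; it exists only to show the base64 handling and key-versioning behaviour a client must deal with.

```python
"""Client-side view of Vault's transit encrypt/decrypt API (added example).

The TransitClient request/response handling follows the public Vault HTTP
API. FakeTransit is a constructed, in-memory imitation of a Vault server so
the code runs offline; it does NOT use Vault's AES-256-GCM96 cipher.
"""
import base64
import hashlib
import json
import os
import urllib.request


class TransitClient:
    """Wraps POST /v1/<mount>/encrypt/<key> and /v1/<mount>/decrypt/<key>.

    transport(path, body) -> dict performs the HTTP call. The default is a
    real urllib call against addr with the X-Vault-Token header; the
    VAULT_ADDR / VAULT_TOKEN fallbacks below are assumed defaults.
    """

    def __init__(self, key_name, addr=None, token=None, transport=None, mount="transit"):
        self.key_name = key_name
        self.mount = mount
        self.addr = addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
        self.token = token or os.environ.get("VAULT_TOKEN", "")
        self.transport = transport or self._http

    def _http(self, path, body):
        req = urllib.request.Request(
            self.addr + path,
            data=json.dumps(body).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def encrypt(self, plaintext: bytes) -> str:
        # Transit only accepts base64 on the wire; this is why the UI shows
        # base64 rather than the raw text.
        body = {"plaintext": base64.b64encode(plaintext).decode()}
        data = self.transport(f"/v1/{self.mount}/encrypt/{self.key_name}", body)
        ciphertext = data["data"]["ciphertext"]
        if not ciphertext.startswith("vault:v"):
            raise ValueError(f"unexpected ciphertext format: {ciphertext!r}")
        return ciphertext

    def decrypt(self, ciphertext: str) -> bytes:
        body = {"ciphertext": ciphertext}
        data = self.transport(f"/v1/{self.mount}/decrypt/{self.key_name}", body)
        # The decrypted value comes back base64 encoded, exactly as in the UI.
        return base64.b64decode(data["data"]["plaintext"])


def key_version(ciphertext: str) -> int:
    """Parse N out of 'vault:v<N>:<data>' (the key version that produced it)."""
    prefix, version, _ = ciphertext.split(":", 2)
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError("not a transit ciphertext")
    return int(version[1:])


class FakeTransit:
    """Constructed in-memory imitation of the transit endpoints.

    Key material never leaves this object, mirroring that Vault hands out
    ciphertext, not keys. A SHA-256 keystream XOR is used purely so the round
    trip works offline; it is a test stand-in, not Vault's cipher.
    """

    def __init__(self):
        self.keys = {}  # key name -> list of 32-byte key versions

    def create_key(self, name):
        # Calling this again for an existing name models key rotation.
        self.keys.setdefault(name, []).append(os.urandom(32))

    def _keystream(self, key, nonce, n):
        out, ctr = b"", 0
        while len(out) < n:
            out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:n]

    def __call__(self, path, body):
        _, _, _mount, op, name = path.split("/")  # /v1/<mount>/<op>/<name>
        versions = self.keys[name]
        if op == "encrypt":
            pt = base64.b64decode(body["plaintext"])
            nonce = os.urandom(12)
            ct = bytes(a ^ b for a, b in zip(pt, self._keystream(versions[-1], nonce, len(pt))))
            blob = base64.b64encode(nonce + ct).decode()
            return {"data": {"ciphertext": f"vault:v{len(versions)}:{blob}"}}
        if op == "decrypt":
            v = key_version(body["ciphertext"])  # older versions still decrypt
            raw = base64.b64decode(body["ciphertext"].split(":", 2)[2])
            nonce, ct = raw[:12], raw[12:]
            pt = bytes(a ^ b for a, b in zip(ct, self._keystream(versions[v - 1], nonce, len(ct))))
            return {"data": {"plaintext": base64.b64encode(pt).decode()}}
        raise ValueError(f"unsupported operation {op!r}")


def demo():
    """Round trip against the fake server; returns (ciphertext, plaintext)."""
    server = FakeTransit()
    server.create_key("my-key")
    client = TransitClient("my-key", transport=server)
    ct = client.encrypt(b"hello transit")
    return ct, client.decrypt(ct)


if __name__ == "__main__":
    print(demo())
```

To run against a real Vault, drop the transport argument and set VAULT_ADDR and VAULT_TOKEN; the client code is unchanged. The vault:v<N>: prefix is what lets a rotated key still decrypt older ciphertext, which is why FakeTransit keeps every key version rather than only the newest.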


In the next article, we will study vault authentication. So stay tuned.