HashiCorp Certified: Vault Associate Certification
Compare and Configure Secrets Engines
Demo Transit Secrets Engine
In this hands-on lab, you'll learn how to enable and configure the Vault Transit Secrets Engine. You’ll work through:
- Enabling Transit at its mount point
- Creating, rotating, and inspecting keys
- Encrypting and decrypting data
- Rewrapping ciphertext after key rotation
- Enforcing a minimum decryption version
Note
This demo uses a Vault development server for simplicity. Do not use a dev server in production workloads.
Prerequisites
- A running Vault development server (default mounts).
- The vault CLI installed and authenticated (VAULT_ADDR, VAULT_TOKEN).
| Default Mount | Type | Description |
|---|---|---|
| cubbyhole/ | cubbyhole | Per-token private secret storage |
| identity/ | identity | Identity store |
| secret/ | kv | Key/value secret storage (KV v2) |
| sys/ | system | System endpoints (control & policy) |
1. Verify Installed Secret Engines
Ensure Transit is not yet enabled:
vault secrets list
| Path | Type | Accessor | Description |
|---|---|---|---|
| cubbyhole/ | cubbyhole | cubbyhole_XXXXXXXX | Per-token private secret storage |
| identity/ | identity | identity_YYYYYYYY | Identity store |
| secret/ | kv | kv_ZZZZZZZZZZZZ | Key/value secret storage (KV v2) |
| sys/ | system | system_AAAAAAAA | System endpoints (control & policy) |
2. Enable the Transit Secrets Engine
Enable at the default mount (transit/):
vault secrets enable transit
Confirm it’s listed:
vault secrets list
| Path | Type | Accessor | Description |
|---|---|---|---|
| transit/ | transit | transit_BBBBBBBB | Vault Transit Secrets |
Optionally add a description when enabling:
vault secrets disable transit
vault secrets enable -description="My Transit Secrets Engine" transit
3. Create an Encryption Key
Create a new key named training (default key type: aes256-gcm96):
vault write -f transit/keys/training
Inspect its metadata:
vault read transit/keys/training
Key metadata fields include latest_version, min_decryption_version, and supported operations.
4. Rotate the Key
Generate a new version for the training key:
vault write -f transit/keys/training/rotate
vault read transit/keys/training
You should see latest_version incremented.
5. Encrypt Data
First, Base64-encode your plaintext:
export PLAINTEXT_B64=$(echo -n "Getting Started with HashiCorp Vault" | base64)
echo $PLAINTEXT_B64
Encrypt with the training key:
vault write transit/encrypt/training plaintext=$PLAINTEXT_B64
Response fields:
| Field | Description |
|---|---|
| ciphertext | Resulting ciphertext (e.g. vault:v2:…) |
| key_version | Version used for encryption |
6. Rotate Again & Rewrap Ciphertext
Rotate to version 3:
vault write -f transit/keys/training/rotate
Rewrap an existing ciphertext (v2 → v3):
vault write transit/rewrap/training \
ciphertext="vault:v2:…(old-ciphertext)…"
The response includes the new ciphertext and key_version=3.
7. Decrypt Ciphertext
7.1 Decrypt Version 2
vault write transit/decrypt/training \
ciphertext="vault:v2:…(old-ciphertext)…"
Decode the Base64 plaintext returned in the response:
echo R2V0dGluZyBTdGFydGVkIHdpdGggSGFzaGlDb3JwIFZhdWx0 \
| base64 --decode
7.2 Decrypt Version 3
vault write transit/decrypt/training \
ciphertext="vault:v3:…(new-ciphertext)…"
8. Enforce a Minimum Decryption Version
Disallow decryption of data encrypted with older key versions:
vault write transit/keys/training/config min_decryption_version=3
vault read transit/keys/training
| Key | Value |
|---|---|
| min_decryption_version | 3 |
| latest_version | 3 |
| keys | map[1:… 2:… 3:…] |
Warning
After setting min_decryption_version=3, any attempt to decrypt version 2 will fail with:
Error writing data to transit/decrypt/training: ... ciphertext version is disallowed by policy
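What the lab leaves to the operator is finding which stored ciphertexts still carry version 2 before the floor in step 8 is raised. The shell helper below is an added example, not part of this lab or of Vault itself: it parses the vault:vN: prefix, decides which records min_decryption_version=3 would lock out, and prints the rewrap command from step 6 for each of them (the key name "training", the sample ciphertexts and the function names are assumptions).

```shell
#!/usr/bin/env bash
# Added helper (not part of the lab): before raising min_decryption_version,
# find stored Transit ciphertexts whose key version would become
# undecryptable and emit the rewrap commands for them. The key name "training"
# and the sample ciphertexts at the bottom are constructed for this example.
set -eu

# Print the key version N embedded in a Transit ciphertext "vault:vN:<base64>".
# Returns 1 when the string is not in Transit's ciphertext format.
ciphertext_version() {
  ct="$1"
  case "$ct" in
    vault:v*:*) ;;
    *) return 1 ;;
  esac
  v="${ct#vault:v}"; v="${v%%:*}"
  case "$v" in
    ''|*[!0-9]*) return 1 ;;   # version must be a positive integer
  esac
  printf '%s\n' "$v"
}

# Succeed when the ciphertext would still decrypt under min_decryption_version=$2,
# fail when Transit would reject it as "disallowed by policy".
decryptable_under() {
  v=$(ciphertext_version "$1") || return 1
  [ "$v" -ge "$2" ]
}

# For each ciphertext after the key name and target version, print the
# "vault write transit/rewrap/<key>" command needed before the floor is raised.
rewrap_commands() {
  key="$1"; min="$2"; shift 2
  for ct in "$@"; do
    if ! decryptable_under "$ct" "$min"; then
      printf 'vault write transit/rewrap/%s ciphertext="%s"\n' "$key" "$ct"
    fi
  done
}

# Constructed sample values (not real Vault output): after the lab's rotations,
# two records still carry v2 ciphertext and one was already rewrapped to v3.
rewrap_commands training 3 \
  'vault:v2:c29tZS1vbGQtY2lwaGVydGV4dA==' \
  'vault:v3:c29tZS1uZXctY2lwaGVydGV4dA==' \
  'vault:v2:YW5vdGhlci1vbGQtb25l'
```

Run the printed commands, then apply the min_decryption_version change; records the helper does not list are already at or above the new floor.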