Skip to main content

Documentation Index

Fetch the complete documentation index at: https://notes.kodekloud.com/llms.txt

Use this file to discover all available pages before exploring further.

Welcome to this tutorial on the Vault Transit Secrets Engine. In this guide, you’ll learn how to enable and configure the Transit engine, manage encryption keys, and perform encrypt, decrypt, and rewrap operations.

Table of Contents

Overview

The Transit Secrets Engine provides cryptographic functions as a service. It allows you to offload encryption, decryption, key management, and more to Vault without storing raw data. Learn more in the official docs: Transit Secrets Engine.

Verify Enabled Secrets Engines

First, check which secrets engines are active on your Vault dev server: 
vault secrets list
Expected output in dev mode:
PathTypeDescription
cubbyhole/cubbyholeper-token private secret storage
identity/identityidentity store
secret/kv (v2)key/value secret storage
sys/systemsystem endpoints for control & debugging
In Vault dev mode, the cubbyhole/, identity/, secret/ (KV v2), and sys/ engines are enabled by default.

Enable the Transit Engine

Enable the Transit engine at the default path transit/: 
vault secrets enable transit
Verify it was added: 
vault secrets list
PathTypeDescription
transit/transitn/a
You can also add a description when enabling: 
vault secrets disable transit
vault secrets enable -description="My transit engine" transit
vault secrets list

Create and Inspect an Encryption Key

Create a new key named training: 
vault write -f transit/keys/training
Then read its configuration: 
vault read transit/keys/training
Key configuration highlights:
FieldValue
nametraining
typeaes256-gcm96
latest_version1
supports_encryptiontrue
supports_decryptiontrue

Rotate an Encryption Key

Rotate training to generate a new version: 
vault write -f transit/keys/training/rotate
Verify the version bump: 
vault read transit/keys/training | grep latest_version
# latest_version: 2

Encrypt Data

  1. Base64-encode your plaintext: 
    BASE64=$(base64 <<< "Getting Started with HashiCorp Vault")
echo $BASE64
  2. Encrypt the encoded string: 
    vault write transit/encrypt/training plaintext=$BASE64
Sample response: 
Key         Value
---         -----
ciphertext  vault:v2:…  
key_version 2
Store the ciphertext for later use.

Rewrap Data After Rotation

After rotating to version 3: 
vault write -f transit/keys/training/rotate
Rewrap the version 2 ciphertext to version 3: 
vault write transit/rewrap/training \
  ciphertext="vault:v2:…"
Response: 
Key         Value
---         -----
ciphertext  vault:v3:…  
key_version 3

Decrypt Ciphertexts

Decrypt version 2: 
vault write transit/decrypt/training ciphertext="vault:v2:…"
Decrypt version 3: 
vault write transit/decrypt/training ciphertext="vault:v3:…"
Both return the same Base64 plaintext.

Enforce Minimum Decryption Version

To block decryption of older ciphertext, set min_decryption_version=3: 
vault write transit/keys/training/config min_decryption_version=3
Verify: 
vault read transit/keys/training
# min_decryption_version: 3
Attempting to decrypt version 2 now fails: 
vault write transit/decrypt/training ciphertext="vault:v2:…"
Any ciphertext with a version lower than the min_decryption_version will be rejected.
Decryption of version 3 still succeeds: 
vault write transit/decrypt/training ciphertext="vault:v3:…"

Conclusion

In this lesson, you have:
  • Enabled and configured the Transit Secrets Engine
  • Created, rotated, and inspected encryption keys
  • Encrypted, decrypted, and rewrapped data
  • Enforced minimum decryption version policies
For more information, visit the Vault Transit Secrets Engine documentation.

Watch Video

Practice Lab