Welcome to this tutorial on the Vault Transit Secrets Engine. In this guide, you’ll learn how to enable and configure the Transit engine, manage encryption keys, and perform encrypt, decrypt, and rewrap operations.
Overview
The Transit Secrets Engine provides cryptographic functions as a service. It allows you to offload encryption, decryption, key management, and more to Vault without storing raw data.
Learn more in the official docs: Transit Secrets Engine.
Verify Enabled Secrets Engines
First, check which secrets engines are active on your Vault dev server by running vault secrets list:
Expected output in dev mode:
Path          Type        Description
----          ----        -----------
cubbyhole/    cubbyhole   per-token private secret storage
identity/     identity    identity store
secret/       kv (v2)     key/value secret storage
sys/          system      system endpoints for control & debugging
In Vault dev mode, the cubbyhole/, identity/, secret/ (KV v2), and sys/ engines are enabled by default.
Enable the Transit Engine
Enable the Transit engine at the default path transit/:
vault secrets enable transit
Verify it was added by running vault secrets list again; the new row looks like this:
Path          Type        Description
----          ----        -----------
transit/      transit     n/a
You can also add a description when enabling:
vault secrets disable transit
vault secrets enable -description="My transit engine" transit
vault secrets list
Create and Inspect an Encryption Key
Create a new key named training:
vault write -f transit/keys/training
Then read its configuration:
vault read transit/keys/training
Key configuration highlights:
Field                  Value
-----                  -----
name                   training
type                   aes256-gcm96
latest_version         1
supports_encryption    true
supports_decryption    true
Rotate an Encryption Key
Rotate training to generate a new version:
vault write -f transit/keys/training/rotate
Verify the version bump:
vault read transit/keys/training | grep latest_version
# latest_version: 2
Encrypt Data
Base64-encode your plaintext:
BASE64=$(base64 <<< "Getting Started with HashiCorp Vault")
echo "$BASE64"
Encrypt the encoded string:
vault write transit/encrypt/training plaintext="$BASE64"
Sample response:
Key Value
--- -----
ciphertext vault:v2:…
key_version 2
Store the ciphertext for later use.
Rewrap Data After Rotation
After rotating to version 3:
vault write -f transit/keys/training/rotate
Rewrap the version 2 ciphertext to version 3:
vault write transit/rewrap/training \
ciphertext="vault:v2:…"
Response:
Key Value
--- -----
ciphertext vault:v3:…
key_version 3
Decrypt Ciphertexts
Decrypt version 2:
vault write transit/decrypt/training ciphertext="vault:v2:…"
Decrypt version 3:
vault write transit/decrypt/training ciphertext="vault:v3:…"
Both return the same Base64 plaintext.
Enforce Minimum Decryption Version
To block decryption of older ciphertext, set min_decryption_version=3:
vault write transit/keys/training/config min_decryption_version=3
Verify:
vault read transit/keys/training
# min_decryption_version: 3
Attempting to decrypt version 2 now fails:
vault write transit/decrypt/training ciphertext="vault:v2:…"
Any ciphertext with a version lower than the min_decryption_version will be rejected.
Decryption of version 3 still succeeds:
vault write transit/decrypt/training ciphertext="vault:v3:…"
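The rewrap-then-raise order matters: any stored ciphertext still carrying an older version prefix becomes undecryptable the moment min_decryption_version passes it. As an added example (not part of the original tutorial or of Vault's own tooling), the following Python helper drives the same transit/encrypt, transit/rewrap and transit/keys/<name>/config paths over Vault's HTTP API, reads the vault:vN: prefix to find ciphertexts that would be rejected, rewraps those first, and only then applies the new minimum. The Transit class and safe_raise_min_version are hypothetical names; addr and token are assumed to be a reachable server and a token allowed to use the training key.

```python
import base64
import json
import re
import urllib.request

# Transit ciphertext format seen in the tutorial output: vault:v<key_version>:<base64 data>
CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):")


def ciphertext_version(ciphertext: str) -> int:
    """Return the key version a Transit ciphertext was produced with."""
    match = CIPHERTEXT_RE.match(ciphertext)
    if not match:
        raise ValueError("not a Transit ciphertext: %r" % ciphertext[:12])
    return int(match.group(1))


def stale_ciphertexts(ciphertexts, new_min_version):
    """Ciphertexts Vault will reject once min_decryption_version is raised to new_min_version."""
    return [ct for ct in ciphertexts if ciphertext_version(ct) < new_min_version]


class Transit:  # hypothetical minimal client for the transit endpoints used in this tutorial
    def __init__(self, addr, token, mount="transit"):
        self.addr, self.token, self.mount = addr.rstrip("/"), token, mount

    def _post(self, path, payload):  # same paths the CLI writes to, under /v1/<mount>/
        req = urllib.request.Request(
            "%s/v1/%s/%s" % (self.addr, self.mount, path), data=json.dumps(payload).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
        return json.loads(body).get("data", {}) if body else {}  # config/rotate may answer 204

    def encrypt(self, key, plaintext: bytes) -> str:
        return self._post("encrypt/" + key, {"plaintext": base64.b64encode(plaintext).decode()})["ciphertext"]

    def decrypt(self, key, ciphertext: str) -> bytes:
        return base64.b64decode(self._post("decrypt/" + key, {"ciphertext": ciphertext})["plaintext"])

    def rewrap(self, key, ciphertext: str) -> str:
        return self._post("rewrap/" + key, {"ciphertext": ciphertext})["ciphertext"]

    def set_min_decryption_version(self, key, version: int):
        self._post("keys/%s/config" % key, {"min_decryption_version": version})


def safe_raise_min_version(client, key, ciphertexts, new_min_version):
    """Rewrap every stale ciphertext first, then raise the minimum; returns {old: new}."""
    rewrapped = {ct: client.rewrap(key, ct) for ct in stale_ciphertexts(ciphertexts, new_min_version)}
    client.set_min_decryption_version(key, new_min_version)
    return rewrapped
```

Callers must persist the returned replacement ciphertexts before discarding the old ones, since after the config write the old prefixes can no longer be decrypted.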
Conclusion
In this lesson, you have:
Enabled and configured the Transit Secrets Engine
Created, rotated, and inspected encryption keys
Encrypted, decrypted, and rewrapped data
Enforced minimum decryption version policies
For more information, visit the Vault Transit Secrets Engine documentation.