»Encryption as a Service: Transit Secrets Engine
Vault's transit secrets engine handles cryptographic functions on data-in-transit. Vault doesn't store the data sent to the secrets engine, so it can also be viewed as encryption as a service.
Although the transit secrets engine provides additional features (signing and verifying data, generating hashes and HMACs of data, and acting as a source of random bytes), its primary use case is to encrypt data. This relieves application developers of the burden of implementing encryption and decryption correctly and shifts that burden onto the operators of Vault.
»Reference Materials
- Transit Secret Engine
- Transit Secret Engine API
- Transparent Data Encryption in the Modern Datacenter
NOTE: An interactive tutorial is also available if you do not have a Vault environment to perform the steps described in this guide.
»Estimated Time to Complete
10 minutes
»Personas
The end-to-end scenario described in this guide involves two personas:
- operator with privileged permissions to manage the encryption keys
- app with unprivileged permissions to encrypt/decrypt secrets via the API
»Challenge
Think of the following scenario:
Example Inc. recently made headlines for a massive data breach which exposed millions of their users' payment card accounts online. When they tracked down the problem they found that a new HVAC system with management software had been put into their data centers and had created vulnerabilities in their networks and exposed ports and IPs to the databases publicly.
»Solutions
The transit secrets engine enables security teams to fortify data in transit and at rest. Even if an intrusion occurs, your data is encrypted with AES 256-bit CBC encryption (TLS in transit). An attacker who managed to access the raw data would only have encrypted bits. This means attackers would need to compromise multiple systems before exfiltrating data.
This guide demonstrates the basics of the transit secrets engine.
»Prerequisites
To perform the tasks described in this guide, you need to have a Vault environment. Refer to the Getting Started guide to install Vault. Make sure that your Vault server has been initialized and unsealed.
»Policy requirements
NOTE: For the purpose of this guide, you can use the root token to work with Vault. However, it is recommended that root tokens are only used for just enough initial setup or in emergencies. As a best practice, use tokens with an appropriate set of policies based on your role in the organization.
To perform all tasks demonstrated in this guide, your policy must include the following permissions:
If you are not familiar with policies, complete the policies guide.
»Steps
You will perform the following:
- Configure Transit Secret Engine
- Encrypt Secrets
- Decrypt a cipher-text
- Rotate the Encryption Key
- Update Key Configuration
»Step 1: Configure Transit Secret Engine
(Persona: operator)
The transit secrets engine must be configured before it can perform its operations. This step is usually done by an operator or a configuration management tool.
»CLI command
Enable the transit secrets engine by executing the following command:
By default, the secrets engine will mount at the name of the engine. If you wish to enable it at a different path, use the -path argument.
Example:
vault secrets enable -path=encryption transit
Now, create an encryption key ring named orders by executing the following command:
»API call using cURL
Enable the transit secrets engine using the /sys/mounts endpoint:
Where <TOKEN> is your valid token, and <PARAMETERS> holds the configuration parameters of the secrets engine.
Example:
The following example enables the transit secrets engine at the sys/mounts/transit path, passing the secrets engine type (transit) in the request payload.
Now, create an encryption key ring named orders using the transit/keys endpoint:
»Web UI
Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and then login.
Select Enable new engine and select Transit from Secrets engine type drop-down list.
Click Enable Engine.
Select Create encryption key and enter orders in the Name field. Click Create encryption key to complete.
NOTE: Typically, you want to create an encryption key ring for each application.
»Step 2: Encrypt Secrets
(Persona: operator)
Once the transit secrets engine has been configured, any client with a valid token with proper permission can send data to encrypt.
Here, you are going to encrypt a plaintext, "credit-card-number".
NOTE: You can also pass a non-text binary file such as a PDF or an image. Whatever you encrypt, the plaintext must be base64-encoded.
»CLI command
To encrypt your secret, use the transit/encrypt endpoint:
Execute the following command to encrypt a plaintext:
Vault does NOT store any of this data. The output you received is the ciphertext. You can store this ciphertext at the desired location (e.g. MySQL database) or pass it to another application.
»API call using cURL
To encrypt your secret, use the transit/encrypt endpoint.
Example:
Vault does NOT store any of this data. The output you received is the ciphertext. You can store this ciphertext at the desired location (e.g. MySQL database) or pass it to another application.
»Web UI
Select the orders encryption key.
Select Key actions.
Make sure that Encrypt is selected under TRANSIT ACTIONS, and then enter "credit-card-number" in the Plaintext field.
Click Encode to base64 to encode the plaintext.
Click Encrypt. Vault does NOT store any of this data. The output you received is the ciphertext. You can click Copy to copy the resulting ciphertext and store it at the desired location (e.g. MySQL database) or pass it to another application.
»Step 3: Decrypt a cipher-text
(Persona: operator)
Any client with a valid token and proper permission can decrypt the ciphertext generated by Vault. To decrypt the ciphertext, invoke the transit/decrypt endpoint.
»CLI command
Execute the following command to decrypt the ciphertext produced in Step 2:
The resulting data is base64-encoded. To reveal the original plaintext, run the following command:
»API call using cURL
Use the transit/decrypt endpoint to decrypt the ciphertext produced in Step 2:
Example:
»Web UI
Select the orders encryption key.
Select Key actions.
Make sure that Decrypt is selected under TRANSIT ACTIONS, and then enter the ciphertext you wish to decrypt.
Click Decrypt.
The resulting data is base64-encoded. Click Decode from base64 to reveal the plaintext.
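The three steps above driven through the HTTP API with curl, as an added example that is not code from the original guide. It assumes VAULT_ADDR and VAULT_TOKEN are exported; the base64 handling lives in helpers so it can be checked without a server.

```shell
#!/bin/sh
# Added example, not code from the original guide: Steps 1-3 driven through
# the HTTP API with curl, with the base64 handling kept in helpers that can be
# tested without a server. Assumes VAULT_ADDR and VAULT_TOKEN are exported.
set -eu

# Build the JSON body for transit/encrypt. Transit only accepts base64, so the
# plaintext (text or a binary file's bytes) is encoded here; tr removes any
# line wrapping that base64 may add.
encrypt_payload() {
  enc=$(printf '%s' "$1" | base64 | tr -d '\n')
  printf '{"plaintext":"%s"}' "$enc"
}

# Pull a quoted string field (e.g. ciphertext, plaintext) out of a Vault JSON
# response read from stdin. sed keeps the example free of a jq dependency.
json_field() {
  sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# transit/decrypt returns base64; decode it to recover the original bytes.
decode_plaintext() {
  printf '%s' "$1" | base64 -d
}

# POST a JSON body to a Vault API path with the token header.
vault_post() {
  curl -sS -H "X-Vault-Token: $VAULT_TOKEN" -X POST -d "$2" "$VAULT_ADDR/v1/$1"
}

transit_demo() {
  # Step 1: enable transit at its default path and create the orders key ring.
  vault_post sys/mounts/transit '{"type":"transit"}'
  vault_post transit/keys/orders '{}'
  # Step 2: encrypt. Vault returns only the ciphertext and stores nothing.
  ct=$(vault_post transit/encrypt/orders "$(encrypt_payload credit-card-number)" \
       | json_field ciphertext)
  echo "ciphertext: $ct"           # vault:v1:... (store this, not the plaintext)
  # Step 3: decrypt, then decode the base64 the API hands back.
  pt=$(vault_post transit/decrypt/orders "{\"ciphertext\":\"$ct\"}" \
       | json_field plaintext)
  decode_plaintext "$pt"; echo     # prints credit-card-number
}

# The live calls run only when asked for, so the helpers above can be sourced
# and checked offline.
if [ "${RUN_TRANSIT_DEMO:-0}" = 1 ]; then transit_demo; fi
```

Run it with RUN_TRANSIT_DEMO=1 against an initialized, unsealed server; a second run will report that sys/mounts/transit is already in use, which is harmless here.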
»Step 4: Rotate the Encryption Key
(Persona: operator)
One of the benefits of using the Vault transit secrets engine is its ability to easily rotate the encryption keys. Keys can be rotated manually by a human, or by an automated process which invokes the key rotation API endpoint through cron, a CI pipeline, a periodic Nomad batch job, a Kubernetes Job, etc.
Vault maintains a versioned keyring, and the operator can decide the minimum version allowed for decryption operations. When data is encrypted using Vault, the resulting ciphertext is prefixed with the version of the key used to encrypt it.
»CLI command
To rotate the encryption key, invoke the transit/keys/<key_ring_name>/rotate endpoint.
Let's encrypt another piece of data:
Compare the ciphertext with the one from Step 2.
Notice that the first ciphertext starts with "vault:v1:". After rotating the encryption key, the ciphertext starts with "vault:v2:". This indicates that the data is encrypted using the latest version of the key after the rotation.
Execute the following command to rewrap your ciphertext from Step 2 with the latest version of the encryption key:
Notice that the resulting ciphertext now starts with "vault:v2:".
This operation does not reveal the plaintext data: Vault decrypts the value using the appropriate key version in the keyring and then re-encrypts the resulting plaintext with the newest key in the keyring.
»API call using cURL
To rotate the encryption key, invoke the transit/keys/<key_ring_name>/rotate endpoint.
Let's encrypt another piece of data:
Compare the ciphertext with the one from Step 2.
Notice that the first ciphertext starts with "vault:v1:". After rotating the encryption key, the ciphertext starts with "vault:v2:". This indicates that the data is encrypted using the latest version of the key after the rotation.
Execute the transit/rewrap endpoint to rewrap your ciphertext from Step 2 with the latest version of the encryption key:
Notice that the resulting ciphertext now starts with "vault:v2:".
This operation does not reveal the plaintext data: Vault decrypts the value using the appropriate key version in the keyring and then re-encrypts the resulting plaintext with the newest key in the keyring.
»Step 5: Update Key Configuration
(Persona: operator)
Operators can update the encryption key configuration to specify the minimum version of ciphertext allowed to be decrypted, the minimum version of the key that can be used to encrypt plaintext, whether the key may be deleted, and so on.
This lets you tighten the data encryption rules further.
»CLI Command
Execute the key rotation command a few times to generate multiple versions of the key:
Now, read the orders key information:
In the example, the current version of the key is 6. However, there is no restriction on the minimum key version allowed for decryption (min_decryption_version), so any of the key versions can decrypt the data.
Run the following command to enforce the use of the encryption key at version 5 or later to decrypt the data.
Now, verify the orders key configuration:
»API call using cURL
Execute the transit/keys/<key_ring_name>/rotate endpoint a few times to generate multiple versions of the key:
Read the transit/keys/orders endpoint to review the orders key detail:
In the example, the current version of the key is 6. However, there is no restriction on the minimum key version allowed for decryption (min_decryption_version), so any of the key versions can decrypt the data.
Run the following command to enforce the use of the encryption key at version 5 or later to decrypt the data.
Now, verify the orders key configuration:
NOTE: Notice that the output only displays two valid encryption key versions (5 and 6).
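Step 4 and Step 5 combined into one routine, as an added example that is not code from the original guide: it reads the key version out of each stored ciphertext, rewraps the stale ones, and only then raises min_decryption_version. It assumes VAULT_ADDR and VAULT_TOKEN are exported and the orders key ring already exists; the sample ciphertext lines are constructed, not real Vault output.

```shell
# Added example, not code from the original guide: Step 4 (rewrap) and Step 5
# (min_decryption_version) in the one ordering that strands no data.
# Assumes VAULT_ADDR and VAULT_TOKEN are exported and the key ring exists.
set -eu

# Transit ciphertext looks like "vault:v<N>:<base64>", where N is the version
# of the key that produced it. Print N, or fail on anything else.
ciphertext_key_version() {
  case "$1" in
    vault:v[0-9]*:*) v=${1#vault:v}; echo "${v%%:*}" ;;
    *) echo "not a transit ciphertext: $1" >&2; return 1 ;;
  esac
}

# True when the ciphertext was produced by a key older than $2 (latest_version).
needs_rewrap() { [ "$(ciphertext_key_version "$1")" -lt "$2" ]; }

# True when Vault would still decrypt it under a min_decryption_version of $2.
decryptable_under_floor() { [ "$(ciphertext_key_version "$1")" -ge "$2" ]; }

vault_post() {
  curl -sS -H "X-Vault-Token: $VAULT_TOKEN" -X POST -d "$2" "$VAULT_ADDR/v1/$1"
}

# latest_version as reported by reading transit/keys/<name>.
latest_key_version() {
  curl -sS -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/transit/keys/$1" \
    | sed -n 's/.*"latest_version":\([0-9]*\).*/\1/p'
}

# Read stored ciphertexts (one per line on stdin), rewrap any older than the
# latest key, print the refreshed values, then raise min_decryption_version
# to $2. Changing the config first would strand every ciphertext still
# wrapped with a version below the new floor.
rewrap_then_raise_floor() {
  key=$1; floor=$2; latest=$(latest_key_version "$key")
  while IFS= read -r ct; do
    if needs_rewrap "$ct" "$latest"; then
      vault_post "transit/rewrap/$key" "{\"ciphertext\":\"$ct\"}" \
        | sed -n 's/.*"ciphertext":"\([^"]*\)".*/\1/p'
    else
      echo "$ct"
    fi
  done
  vault_post "transit/keys/$key/config" "{\"min_decryption_version\":$floor}"
}

# Constructed sample input (not real Vault output); runs only when asked for.
if [ "${RUN_TRANSIT_DEMO:-0}" = 1 ]; then
  printf '%s\n' 'vault:v1:AAAA' 'vault:v6:BBBB' | rewrap_then_raise_floor orders 5
fi
```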
»Next steps
Transit Secrets Re-wrapping guide introduces a sample application which re-wraps data after rotating an encryption key in the transit engine in Vault.