Vault Transform

Transform is part of the Vault Enterprise Advanced Data Protection (ADP) module, allowing Vault to protect secrets that reside in untrusted or semi-trusted systems outside of Vault. This includes data such as social security numbers, credit card numbers, and other types of compliance-regulated data that must reside within systems such as file systems or databases for performance, but must remain protected if the system they reside in is compromised.

Supporting both one-way (masking) and two-way transformations via data type protection, Transform allows Vault to resolve use cases typically addressed by tokenization, with high-performance cryptography and the full suite of the Vault platform’s high availability and security features.

Learn how to integrate with Transform in Vault

Vault Transform: Protecting Secrets in External Systems

A common request we’ve had with HashiCorp Vault Enterprise is to protect application secrets stored in external untrusted or semi-trusted systems. The result of these efforts is called Transform.

Transform Secrets Engine Learn Guide

Get hands-on with this Learn guide to Vault Enterprise’s Transform secrets engine, which handles secure data transformation and tokenization against the provided secrets.

Transform Secrets Engine Docs

The Transform secrets engine handles secure data transformation and tokenization against a provided input value. Transformation methods may encompass NIST-vetted cryptographic standards such as FF3-1, but can also be masking.

Encrypting Data while Preserving Formatting with HashiCorp Vault

Vault 1.4 introduced a new feature called Transform. Transform is a Secrets Engine that allows Vault to encode and decode sensitive values residing in external systems such as databases or file systems.

Transform Brief

In this brief we’ll explain how Transform allows Vault to encode and decode sensitive values residing in external systems such as databases or file systems.

Katacoda Transform Secrets Engine Hands on Lab

Walk through a step-by-step hands-on lab using the Transform secrets engine. You’ll learn how to set it up and the basics of using Transform to do transformations.

Transform for PCI DSS

Want to learn the difference between the Transform Secrets Engine and the Transit Secrets Engine? We’ll outline what it is, when to use it, and why it’s different from existing engines. We’ll also give you a quick demo to see it in action.

Vault 1.4 Product Announcement - Live stream

This is a recording of the HashiCorp Vault product announcement live stream. You’ll see a deep dive and demonstration of the new features, including the Transform Secrets Engine.

Encrypting Data with the Vault Transform

This post shows you how to integrate the Transform secrets engine into a simple API; source code is provided for both the Java and Go programming languages.

When to consider Vault Enterprise?

Open Source

Technical Complexity

Vault Open Source addresses the technical complexity of managing secrets by leveraging trusted identities across distributed infrastructure and clouds.

Enterprise

Organizational Complexity

Vault Enterprise addresses the organizational complexity of large user bases and compliance requirements with collaboration and governance features.
