Vault Transform

Vault’s Transform secrets engine, part of the Vault Enterprise Advanced Data Protection Module (ADP) , can encode and decode sensitive values residing in external systems such as databases or file systems. This capability allows Vault to ensure that encoded values remain safe even if they are exfiltrated from a compromised system. It does so while retaining this data's high availability and adherence to compliance requirements such as PCI, DSS, and HIPAA.

Transform does not actually store the protected secret. Instead it protects only the key material necessary to decrypt the secret’s ciphertext. This maximizes encode/decode performance for applications, while also minimizing the possibility of exposure of that secret.

Learn how to integrate with Transform in Vault

Vault Transform: Protecting Secrets in External Systems

A common request we’ve had with HashiCorp Vault Enterprise is to protect application secrets stored in external untrusted or semi-trusted systems. The result of these efforts is called Transform.

Transform Secrets Engine Learn Guide

Get hands on using this learn Guide with Vault Enterprise’s Transform secrets engine which handles secure data transformation and tokenization against the provided secrets.

Transform Secrets Engine Docs

The Transform secrets engine handles secure data transformation and tokenization against provided input value. Transformation methods may encompass NIST vetted cryptographic standards FF3-1, but can also be masking.


Encrypting Data while Preserving Formatting with HashiCorp Vault

Vault 1.4 introduced a new feature called Transform. Transform is a Secrets Engine that allows Vault to encode and decode sensitive values residing in external systems such as databases or file systems.

How to Choose a Data Protection Method

This blog walks through specific considerations to make when deciding what data protection method to use.

Katacoda Transform Secrets Engine Hands on Lab

Walk through a step-by-step Hands on Lab using the Transform secrets engine. You’ll learn how to set it up, and learn the basics of using Transform to do transformations.

Transform for PCI DSS

Want to learn the difference between the Transform Secrets Engine and the Transit Secrets Engine? We’ll outline what it is, when to use it, and why it’s different from existing engines. We’ll also give you a quick demo to see it in action.

Vault 1.4 Product Announcement - Live stream

This is a recording of the HashiCorp Vault product announcement live stream. You’ll see a deep-dive and demonstration of the new features including the Transform Secret Engine.

Encrypting Data with the Vault Transform

This post shows you how to implement Transform secrets into a simple API; source code is provided for both the Java and Go programming languages.

When to consider Vault Enterprise?

Open Source

Technical Complexity

Vault Open Source addresses the technical complexity of managing secrets by leveraging trusted identities across distributed infrastructure and clouds.

View Open Source Features

Organizational Complexity

Vault Enterprise addresses the organizational complexity of large user bases and compliance requirements with collaboration and governance features.

View Enterprise Features

Ready to get started?