Vault's Transform secrets engine, part of the Vault Enterprise Advanced Data Protection Module (ADP), can encode and decode sensitive values that reside in external systems such as databases or file systems. Because the external system only ever holds the encoded form, those values remain protected even if they are exfiltrated from a compromised system: without access to Vault they cannot be decoded. The data stays highly available in the system that already stores it, which helps meet compliance requirements such as PCI DSS and HIPAA.
Transform does not store the protected secret itself. It protects only the key material needed to decode the secret's ciphertext, while the ciphertext stays in the external system. This keeps encode/decode performance high for applications while minimizing the possibility that the secret is exposed.
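The workflow that paragraph describes, as an added example that is not part of the Vault documentation or HashiCorp's code: an application keeps credit-card numbers in its own SQLite table but only ever writes the Transform-encoded form, calling Vault's `transform/encode/:role_name` and `transform/decode/:role_name` endpoints around each write and read. The Vault address, token, role name (`payments`) and transformation name (`ccn-fpe`) are assumptions. The `fake_vault_transport` is a constructed stand-in for a Vault server so the example runs offline; its digit shift is not the FF3-1 format-preserving encryption Vault actually performs, it only preserves format so the round trip can be shown.

```python
"""Added example: an app that stores only Transform-encoded values in its
own database, delegating encode/decode to Vault.  Endpoint paths and
payload shapes follow Vault's Transform HTTP API; role and transformation
names are assumed for illustration."""
import json
import sqlite3
import urllib.request
from typing import Callable, Optional


class TransformClient:
    """Minimal client for Vault's Transform encode/decode endpoints.

    `transport(path, body) -> dict` performs the POST to Vault.  The default
    talks to a real server over HTTP; tests may inject a fake.
    """

    def __init__(self, addr: str, token: str, role: str, transformation: str,
                 transport: Optional[Callable[[str, dict], dict]] = None):
        self.addr = addr.rstrip("/")
        self.token = token
        self.role = role                        # assumed role name
        self.transformation = transformation    # assumed transformation name
        self.transport = transport or self._post

    def _post(self, path: str, body: dict) -> dict:
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}",
            data=json.dumps(body).encode(),
            headers={"X-Vault-Token": self.token,
                     "Content-Type": "application/json"},
            method="POST")
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)

    def encode(self, value: str) -> str:
        # POST /v1/transform/encode/:role_name -> data.encoded_value
        out = self.transport(f"transform/encode/{self.role}",
                             {"value": value, "transformation": self.transformation})
        return out["data"]["encoded_value"]

    def decode(self, value: str) -> str:
        # POST /v1/transform/decode/:role_name -> data.decoded_value
        out = self.transport(f"transform/decode/{self.role}",
                             {"value": value, "transformation": self.transformation})
        return out["data"]["decoded_value"]


class CardStore:
    """The external system (an in-memory SQLite DB) that only sees ciphertext."""

    def __init__(self, client: TransformClient):
        self.client = client
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE cards (customer TEXT PRIMARY KEY, pan TEXT)")

    def save(self, customer: str, pan: str) -> None:
        encoded = self.client.encode(pan)
        # Defensive check: never persist a value Vault handed back unchanged.
        if encoded == pan:
            raise ValueError("refusing to persist a plaintext PAN")
        self.db.execute("INSERT INTO cards VALUES (?, ?)", (customer, encoded))

    def stored_value(self, customer: str) -> str:
        """What an attacker who dumps the table would obtain."""
        row = self.db.execute("SELECT pan FROM cards WHERE customer = ?",
                              (customer,)).fetchone()
        return row[0]

    def load(self, customer: str) -> str:
        """Decode on read; only Vault holds the key material for this."""
        return self.client.decode(self.stored_value(customer))


def fake_vault_transport(path: str, body: dict) -> dict:
    """Constructed stand-in for Vault so the example runs offline.

    Shifts digits and leaves separators alone, which preserves format but is
    NOT the FF3-1 FPE Vault really uses.  Decode shifts by 3 == -7 mod 10.
    """
    encoding = path.startswith("transform/encode/")
    shift = 7 if encoding else 3
    out = "".join(str((int(c) + shift) % 10) if c.isdigit() else c
                  for c in body["value"])
    return {"data": {("encoded_value" if encoding else "decoded_value"): out}}


def demo() -> tuple:
    """Round-trip one constructed PAN; returns (stored ciphertext, decoded value)."""
    client = TransformClient("http://127.0.0.1:8200", "hvs.example-token",
                             role="payments", transformation="ccn-fpe",
                             transport=fake_vault_transport)
    store = CardStore(client)
    store.save("alice", "4111-1111-1111-1111")   # constructed test PAN
    return store.stored_value("alice"), store.load("alice")


if __name__ == "__main__":
    stored, plain = demo()
    print("in the database:", stored)
    print("after decode:   ", plain)
```

Dropping the `transport` argument makes the client POST to the real Vault at `addr` with the given token; the database layer is unchanged, which is the point: the application's storage never needs to know how the encoding is done, only that Vault is the sole party able to reverse it.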