Vault Transform

Vault’s Transform secrets engine, part of the Vault Enterprise Advanced Data Protection Module (ADP) , can encode and decode sensitive values residing in external systems such as databases or file systems. This capability allows Vault to ensure that encoded values remain safe even if they are exfiltrated from a compromised system. It does so while retaining this data's high availability and adherence to compliance requirements such as PCI, DSS, and HIPAA.

Transform does not actually store the protected secret. Instead it protects only the key material necessary to decrypt the secret’s ciphertext. This maximizes encode/decode performance for applications, while also minimizing the possibility of exposure of that secret.
Explore HashiCorp LearnExplore Documentation

Learn how to integrate with Transform in Vault

Vault Transform: Protecting Secrets in External Systems

A common request we’ve had with HashiCorp Vault Enterprise is to protect application secrets stored in external untrusted or semi-trusted systems. The result of these efforts is called Transform.

Link to Blog

Transform Secrets Engine Learn Guide

Get hands on using this learn Guide with Vault Enterprise’s Transform secrets engine which handles secure data transformation and tokenization against the provided secrets.

Link to Learn

Transform Secrets Engine Docs

The Transform secrets engine handles secure data transformation and tokenization against provided input value. Transformation methods may encompass NIST vetted cryptographic standards FF3-1, but can also be masking.

Link to Docs

Documentation

Encrypting Data while Preserving Formatting with HashiCorp Vault

Vault 1.4 introduced a new feature called Transform. Transform is a Secrets Engine that allows Vault to encode and decode sensitive values residing in external systems such as databases or file systems.

Link to YouTube

How to Choose a Data Protection Method

This blog walks through specific considerations to make when deciding what data protection method to use.

Link to Blog

Katacoda Transform Secrets Engine Hands on Lab

Walk through a step-by-step Hands on Lab using the Transform secrets engine. You’ll learn how to set it up, and learn the basics of using Transform to do transformations.

Link to Katacoda

Transform for PCI DSS

Want to learn the difference between the Transform Secrets Engine and the Transit Secrets Engine? We’ll outline what it is, when to use it, and why it’s different from existing engines. We’ll also give you a quick demo to see it in action.

Link to YouTube

Vault 1.4 Product Announcement - Live stream

This is a recording of the HashiCorp Vault product announcement live stream. You’ll see a deep-dive and demonstration of the new features including the Transform Secret Engine.

Link to YouTube

Encrypting Data with the Vault Transform

This post shows you how to implement Transform secrets into a simple API; source code is provided for both the Java and Go programming languages.

Link to Blog

When to consider Vault Enterprise?

Open Source

Technical Complexity

Vault Open Source addresses the technical complexity of managing secrets by leveraging trusted identities across distributed infrastructure and clouds.

View Open Source Features
Enterprise

Organizational Complexity

Vault Enterprise addresses the organizational complexity of large user bases and compliance requirements with collaboration and governance features.

View Enterprise Features

Ready to get started?

Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
Explore HashiCorp Learn
Explore Documentation