# Secrets engines

You can use the UI to manage the lifecycle of a secrets engine in Vault. With the correct token policies, you can enable, configure, and test a Transit secrets engine.

{% hint style="info" %}
This step assumes you started the Vault server and signed in with the root token in the Web UI step.
{% endhint %}

### Enable Transit secrets engine <a href="#enable-transit-secrets-engine" id="enable-transit-secrets-engine"></a>

1. Select the **Secrets** tab in the Vault UI.
2. Under **Secrets Engines**, select **Enable new engine**.

<figure><img src="/files/OD79VDVw0grQnA1BkvSL" alt=""><figcaption></figcaption></figure>

3. Under **Enable a Secrets Engine**, select **Transit** and **Next**.

<figure><img src="/files/K3ZOB7QUxtKHJ4W3ATy4" alt=""><figcaption></figcaption></figure>

The minimal required configuration to enable the Transit secrets engine is a value for **Path**. Vault supports enabling multiple secrets engines at various paths so long as they are unique. If you have not previously configured a Transit secrets engine, then the default path "transit" is acceptable.

4. Find advanced configuration under **Method Options**.

<figure><img src="/files/w2WOQHjSDZ972jJyIP40" alt=""><figcaption></figcaption></figure>

You can use these options to add a description, fine-tune the mount configuration, adjust default time-to-live (TTL) values, filter keys in audit devices, and allow specific headers.

The Vault API documentation for the `/sys/mounts` API parameters is a good reference for learning more about these options and how to configure them.

<figure><img src="/files/AAzloyJnvR77BEesQeVa" alt=""><figcaption></figcaption></figure>

5. Select **Enable Engine** to enable the Transit secrets engine.

The Transit secrets engine is successfully enabled at the path `transit`. Before you can encrypt and decrypt data in Transit, you need to create a key that will be used for those purposes.

### Create encryption key <a href="#create-encryption-key" id="create-encryption-key"></a>

1. Select **Create encryption key** to begin the key creation process.

<figure><img src="/files/owHt8981d9C5Gt4PP3jV" alt=""><figcaption></figcaption></figure>

2. Enter `my-key` into the **Name** field to name it.

<figure><img src="/files/mOrfEMJZWYxgbAqscybq" alt=""><figcaption></figcaption></figure>

Vault supports a range of key types; leave **Type** set to the default value "aes256-gcm96" for this tutorial.

For now, you also do not need to be concerned with the other options, **Exportable**, **Derived**, and **Enable convergent encryption**. You can learn more about key creation parameters, including details on key types from the Create Key API documentation.

3. Select **Create encryption key** to create the key.

<figure><img src="/files/M7IVzL9OTLoeTaXVKs12" alt=""><figcaption></figcaption></figure>

### Encrypt plaintext <a href="#encrypt-plaintext" id="encrypt-plaintext"></a>

1. Select **transit** to navigate back to the list of Transit secrets engine keys.
2. Select **my-key** from the list of transit keys to encrypt some plaintext.

<figure><img src="/files/RYE6yDr00hTYOqRq07c2" alt=""><figcaption></figcaption></figure>

3. Select **Encrypt** from the available **Key Actions**.
4. Enter `Learn Vault!` into the **Plaintext** area.

<figure><img src="/files/ipxfToTzC60KLITw2G3F" alt=""><figcaption></figcaption></figure>

5. Select **Encrypt**.

<figure><img src="/files/RlKBTNI5TSZqowJWpmzZ" alt=""><figcaption></figcaption></figure>

The ciphertext is returned in a dialog that allows for copying it to the clipboard. Select **Copy & Close** to dismiss the dialog.

Keep the ciphertext string handy, since you will decrypt it in the next section; here is a ciphertext example.

```plaintext
vault:v1:+O9goK++G8NXRukAqCtlTvtcq7zFaAy1nGuWk6uKjV6Ie1ICPsE6AQ==
```

{% hint style="info" %}
Because the Transit key was created with default options, encrypting the same plaintext produces different ciphertext on every operation, so your result will differ from the example shown. If you enable convergent encryption with certain key types, however, the same plaintext produces the same ciphertext on every encrypt operation.
{% endhint %}

### Decrypt ciphertext <a href="#decrypt-ciphertext" id="decrypt-ciphertext"></a>

Follow these steps to decrypt the returned ciphertext.

1. Under **Key Actions**, select **Decrypt**.
2. Paste the ciphertext string from the previous step into the **Ciphertext** area.

<figure><img src="/files/ZsmeqBErJ0ZSHRxHXf36" alt=""><figcaption></figcaption></figure>

3. Select **Decrypt**.

<figure><img src="/files/9e8Npa9d8sfB8NR0vyJz" alt=""><figcaption></figcaption></figure>

A dialog returns the base64 encoded plaintext (e.g. `TGVhcm4gVmF1bHQh`).

4. Select **Copy & Close**.

You can decode the string in the browser console. Open your browser inspector, access the console, and decode the string with the JavaScript `atob()` function.

```javascript
atob('TGVhcm4gVmF1bHQh')
```

The expected output should match the original plaintext: "Learn Vault!".

<figure><img src="/files/Kzw55bXWve59T6Qjvxjk" alt=""><figcaption></figcaption></figure>
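The same actions the UI performed above (base64-encode the plaintext, encrypt, decrypt, decode) carried out against the Transit HTTP API, as an added example that is not part of this tutorial. It assumes a running Vault at `VAULT_ADDR` with a token in `VAULT_TOKEN`, the engine mounted at `transit` and the key `my-key` created earlier; the helper names are my own.

```python
import base64
import json
import os
import urllib.request

# Assumed: Vault reachable at VAULT_ADDR, token in VAULT_TOKEN, mount "transit", key "my-key".
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")
MOUNT = "transit"
KEY_NAME = "my-key"


def encode_plaintext(text: str) -> str:
    """Transit accepts only base64 plaintext; the UI does this encoding for you."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_plaintext(b64: str) -> str:
    """The atob() step: turn the base64 string Transit returns on decrypt back into text."""
    return base64.b64decode(b64, validate=True).decode("utf-8")


def parse_ciphertext(ciphertext: str) -> tuple:
    """Split 'vault:vN:<base64>' into the key version N and the raw ciphertext bytes,
    rejecting anything that is not a well-formed Transit ciphertext."""
    parts = ciphertext.split(":", 2)
    if (len(parts) != 3 or parts[0] != "vault"
            or not parts[1].startswith("v") or not parts[1][1:].isdigit()):
        raise ValueError("not a Vault Transit ciphertext")
    return int(parts[1][1:]), base64.b64decode(parts[2], validate=True)


def vault_post(path: str, body: dict) -> dict:
    """POST a JSON body to the Vault HTTP API with the token header (network call)."""
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}",
        data=json.dumps(body).encode("utf-8"),
        headers={"X-Vault-Token": VAULT_TOKEN, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def encrypt_decrypt_roundtrip(text: str) -> str:
    """Encrypt, check the ciphertext format, decrypt and decode: the UI flow over the API."""
    ct = vault_post(f"{MOUNT}/encrypt/{KEY_NAME}", {"plaintext": encode_plaintext(text)})
    ciphertext = ct["data"]["ciphertext"]
    parse_ciphertext(ciphertext)  # fail loudly if the response is not a Transit ciphertext
    pt = vault_post(f"{MOUNT}/decrypt/{KEY_NAME}", {"ciphertext": ciphertext})
    return decode_plaintext(pt["data"]["plaintext"])


if __name__ == "__main__":
    print(encrypt_decrypt_roundtrip("Learn Vault!"))
```

The `vN` prefix in the ciphertext records which version of `my-key` encrypted the data, which is what Vault uses to pick the right key version on decrypt.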
