Secrets engines

You can use the UI to manage the lifecycle of a secrets engine in Vault. With the correct token policies, you can enable, configure, and test a Transit secrets engine.

This step assumes you started the Vault server and signed in with the root token in the Web UI step.

Enable Transit secrets engine

Select the Secrets tab in the Vault UI.
Under Secrets Engines, select Enable new engine.

Under Enable a Secrets Engine, select Transit and Next.

The minimal required configuration to enable the Transit secrets engine is a value for Path. Vault supports enabling multiple secrets engines at various paths so long as they are unique. If you have not previously configured a Transit secrets engine, then the default path "transit" is acceptable.

Find advanced configuration under Method Options.

You can use these options to add a description, fine tune the mount configuration, adjust default time-to-live (TTL) values, filter keys in audit devices and allow specific headers.

The Vault API documentation for /sys/mounts API Parameters is a great reference for learning more about these options and how they are configured.

Select Enable Engine to enable the Transit secrets engine.

The Transit secrets engine is successfully enabled at the path transit. Before you can encrypt and decrypt data in Transit, you need to create a key that will be used for those purposes.

Create encryption key

Select Create encryption key to begin the key creation process.

Enter my-key into the Name field to name it.

Vault supports a range of key types; leave Type set to the default value "aes256-gcm96" for this tutorial.

For now, you also do not need to be concerned with the other options, Exportable, Derived, and Enable convergent encryption. You can learn more about key creation parameters, including details on key types from the Create Key API documentation.

Select Create encryption key to create the key.

Encrypt plaintext

Select transit to navigate back to the list of Transit secrets engine keys.
Select my-key from the list of transit keys to encrypt some plaintext.

Select Encrypt from the available Key Actions.
Enter Learn Vault! into the Plaintext area.

Select Encrypt.

The ciphertext is returned in a dialog that allows for copying it to the clipboard. Select Copy & Close to dismiss the dialog.

Keep the plaintext string handy; here is a ciphertext example.

vault:v1:+O9goK++G8NXRukAqCtlTvtcq7zFaAy1nGuWk6uKjV6Ie1ICPsE6AQ==

Since we created a Transit key with default options, it is expected to get different ciphertext output for the same plaintext, so your result will vary from the example shown. If you enable Convergent Encryption with certain key types however, you can produce the same ciphertext for the same plaintext on every encrypt operation.

Decrypt ciphertext

Follow these steps to decrypt the returned ciphertext.

Under Key Actions, select Decrypt.
Paste the ciphertext string from the previous step into the Ciphertext area.

Select Decrypt.

A dialog returns the base64 encoded plaintext (e.g. TGVhcm4gVmF1bHQh).

Select Copy & Close.

You can decode the string in the browser console. Open your browser inspector, access the console, and decode the string with the JavaScript atob() function.

atob('TGVhcm4gVmF1bHQh')

The expected output should match the original plaintext: "Learn Vault!".

PreviousSecrets NextAccess Control

Last updated 1 year ago