Secure sensitive data

TBD TBD

Define custom parameters to encrypt or tokenize sensitive data in transit and at rest without storing the data in Vault.

Encrypt data

Use Vault to deploy encryption as a service and move the burden of data encryption/decryption from your applications to Vault.

With the transit plugin, Vault can encrypt and decrypt external data, essentially allowing applications to encrypt their data while storing it in the primary data store, which simplifies encrypting data in transit and at rest across clouds and datacenters.

Well architected framework: Best practices to protect sensitive data

Tokenize data

Use Vault to securely transform and tokenize input data with NIST vetted cryptographic standards such as format-preserving encryption (FPE) via FF3-1 and pseudonymous transformations like data masking.

With the transform plugin, Vault can perform one-way transformations that exchange sensitive values for unrelated, stateful tokenized values. Tokenization makes the original value unrecoverable from the token alone. Authorized clients must submit the token to Vault to retrieve the original value from a cryptographic mapping in storage.