Vault
transit Seal
The Transit seal configures Vault to use Vault's Transit Secret Engine as the autoseal mechanism. The Transit seal is activated by one of the following:
- The presence of a
seal "transit"block in Vault's configuration file - The presence of the environment variable
VAULT_SEAL_TYPEset totransit.
transit Example
This example shows configuring Transit seal through the Vault configuration file by providing all the required values:
seal "transit" {
address = "https://vault:8200"
token = "s.Qf1s5zigZ4OX6akYjQXJC1jY"
disable_renewal = "false"
// Key configuration
key_name = "transit_key_name"
mount_path = "transit/"
namespace = "ns1/"
// TLS Configuration
tls_ca_cert = "/etc/vault/ca_cert.pem"
tls_client_cert = "/etc/vault/client_cert.pem"
tls_client_key = "/etc/vault/ca_cert.pem"
tls_server_name = "vault"
tls_skip_verify = "false"
}
transit Parameters
These parameters apply to the seal stanza in the Vault configuration file:
address(string: <required>): The full address to the Vault cluster. This may also be specified by theVAULT_ADDRenvironment variable.token(string: <required>): The Vault token to use. This may also be specified by theVAULT_TOKENenvironment variable.key_name(string: <required>): The transit key to use for encryption and decryption. This may also be supplied using theVAULT_TRANSIT_SEAL_KEY_NAMEenvironment variable.mount_path(string: <required>): The mount path to the transit secret engine.
This may also be supplied using theVAULT_TRANSIT_SEAL_MOUNT_PATHenvironment variable.namespace(string: ""): The namespace path to the transit secret engine.
This may also be supplied using theVAULT_NAMESPACEenvironment variable.disable_renewal(string: "false"): Disables the automatic renewal of the token in case the lifecycle of the token is managed with some other mechanism outside of Vault, such as Vault Agent. This may also be specified using theVAULT_TRANSIT_SEAL_DISABLE_RENEWALenvironment variable.tls_ca_cert(string: ""): Specifies the path to the CA certificate file used for communication with the Vault server. This may also be specified using theVAULT_CACERTenvironment variable.tls_client_cert(string: ""): Specifies the path to the client certificate for communication with the Vault server. This may also be specified using theVAULT_CLIENT_CERTenvironment variable.tls_client_key(string: ""): Specifies the path to the private key for communication with the Vault server. This may also be specified using theVAULT_CLIENT_KEYenvironment variable.tls_server_name(string: ""): Name to use as the SNI host when connecting to the Vault server via TLS. This may also be specified via theVAULT_TLS_SERVER_NAMEenvironment variable.tls_skip_verify(bool: "false"): Disable verification of TLS certificates. Using this option is highly discouraged and decreases the security of data transmissions to and from the Vault server. This may also be specified using theVAULT_SKIP_VERIFYenvironment variable.
Authentication
Authentication-related values must be provided, either as environment variables or as configuration parameters.
Note: Although the configuration file allows you to pass in
VAULT_TOKEN as part of the seal's parameters, it is strongly recommended
to set these values via environment variables.
The Vault token used to authenticate needs the following permissions on the transit key:
path "<mount path>/encrypt/<key name>" {
capabilities = ["update"]
}
path "<mount path>/decrypt/<key name>" {
capabilities = ["update"]
}
Key Rotation
This seal supports key rotation using the Transit Secret Engine's key rotation endpoints. See doc. Old keys must not be disabled or deleted and are used to decrypt older data.
Learn
Refer to the Auto-unseal using Transit Secrets Engine guide for a step-by-step tutorial.