Vault
transit
The transit command groups subcommands for interacting with Vault's
Transit Secrets Engine.
Syntax
Option flags for a given subcommand are provided after the subcommand, but before the arguments.
Examples
Importing keys
To import keys into a mount via the Transit BYOK mechanism, use the vault transit import <path> <key> or vault transit import-version <path> <key> commands:
$ vault transit import transit/keys/test-key @test-key type=rsa-2048
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key.
Success!
Envelope encryption
Use envelope encryption for client-side symmetric encryption of arbitrarily sized files and streams.
To envelope encrypt files and streams, use:
$ vault transit envelope encrypt <key_path> <file_path> ...
To decrypt files and streams, use:
$ vault transit envelope decrypt <key_path> <file_path> ...
To extract headers from encrypted files or streams, use:
$ vault transit envelope header <file_path> ...