Well-Architected Framework
Tokenize data
Tokenization replaces a sensitive value with a nonsensitive stand-in called a token. Tokens are useful wherever a sensitive value, such as a credit card number or a banking credential, has to be stored or passed between systems that do not actually need to read it: those systems handle only the token, and the original value stays in one protected store that alone can exchange the token back.
Why tokenize data
Protect data even when systems are compromised: Encrypted data can be decrypted if encryption keys are stolen or mishandled. Tokens have no algorithmic relationship to the original data, so a leaked token reveals nothing, even if an attacker copies the entire tokenized dataset. The token-to-value mapping and the credentials allowed to reverse tokens become the high-value target instead, so protect the tokenization service and its decode permissions accordingly.
Meet compliance requirements: Standards such as PCI DSS require organizations to protect cardholder data throughout its lifecycle. Replacing card numbers with tokens means most of your systems never handle the actual sensitive data, reducing the number of systems in scope for compliance audits and lowering the cost and complexity of maintaining compliance.
Reduce the impact of data breaches: When sensitive data is tokenized, a breach of the application database exposes only tokens and not the original values. The actual sensitive data lives in a different system, limiting the damage any single breach can cause.
Tokenize data with Vault
The Vault Transform secrets engine, available in Vault Enterprise or HCP Vault Dedicated, supports three data transformation modes: tokenization, format-preserving encryption (FPE), and data masking. Choose the mode that best fits your use case.
Tokenization replaces sensitive values such as credit card numbers with unique, randomly generated tokens that have no algorithmic relationship to the original value. A token cannot be reversed without a lookup against Vault's tokenization store, so a leaked token exposes nothing. Only clients whose Vault policy allows the decode path for the role can exchange a token for its original value, and Vault manages the token-to-value mapping securely. Because the token is not derived from the original value, tokenization is one accepted way to meet the PCI DSS requirement that stored PAN be rendered unreadable.
Format-preserving encryption (FPE) encrypts data while maintaining the original format and length. For example, a 16-digit credit card number encrypts to a different 16-digit number. Use FPE when your existing database schemas and validation systems require the data to retain its original structure. FPE uses the NIST-vetted FF3-1 algorithm and is reversible: authorized services can decrypt the value back to its original form. Two caveats follow from this. Because FPE is reversible, its protection rests on the key held inside Vault and on restricting who may call decode, so FPE output is still encrypted cardholder data rather than a meaningless token. And FF3-1 requires a minimum domain size (the input must admit at least one million possible values), so very short fields cannot be encrypted with it.
Data masking performs one-way character replacement, such as transforming 4111-1111-1111-1111 to XXXX-XXXX-XXXX-1111. Masking is non-reversible; Vault rejects decode requests for a masking transformation. The template's capture groups decide which characters are replaced, so a template that captures only the first three groups of a card number keeps the last four digits visible. Use masking when you need to display partial data for verification or customer service without exposing the full value.
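The following script shows the three modes above configured side by side and, more importantly, the policy split that makes "only authorized services can exchange a token" true in practice. It is an added example, not code from this page or from HashiCorp's documentation. It assumes a Vault Enterprise or HCP Vault Dedicated cluster reachable through VAULT_ADDR and VAULT_TOKEN with the Transform engine licensed; the role name payments, the transformation names card-token, card-fpe and card-mask, the template name card-last4 and the policy names are arbitrary choices, and the card number is the standard Visa test PAN, not real data. The web tier should be issued a Vault token carrying only payments-encode; only the settlement service gets payments-decode.

```shell
#!/usr/bin/env sh
# Configure Vault Transform with tokenization, FPE and masking for one role,
# then separate encode and decode into distinct policies (least privilege).
# Added example; every name below is an assumption. Requires the vault CLI and
# VAULT_ADDR/VAULT_TOKEN for a Vault Enterprise or HCP Vault Dedicated cluster.

ROLE="payments"
CARD="4111-1111-1111-1111"   # constructed Visa test number, not a real card

configure_transform() {
  vault secrets enable -path=transform transform

  # Tokenization: random token, reversible only through Vault's mapping store.
  vault write transform/transformations/tokenization/card-token \
    allowed_roles="$ROLE"

  # FPE (FF3-1): output keeps the 16-digit layout; reversible with Vault's key.
  vault write transform/transformations/fpe/card-fpe \
    template=builtin/creditcardnumber tweak_source=internal allowed_roles="$ROLE"

  # Masking: capture only the first three groups so the last four digits survive.
  vault write transform/template/card-last4 type=regex \
    pattern='(\d{4})-(\d{4})-(\d{4})-\d{4}' alphabet=builtin/numeric
  vault write transform/transformations/masking/card-mask \
    template=card-last4 masking_character=X allowed_roles="$ROLE"

  vault write "transform/role/$ROLE" transformations=card-token,card-fpe,card-mask
}

# Policy for the web tier: may tokenize, encrypt and mask, never reverse.
encode_policy() {
  cat <<EOF
path "transform/encode/$ROLE" {
  capabilities = ["update"]
}
EOF
}

# Policy for the settlement service: the only principal allowed to reverse.
decode_policy() {
  cat <<EOF
path "transform/decode/$ROLE" {
  capabilities = ["update"]
}
EOF
}

install_policies() {
  encode_policy | vault policy write "$ROLE-encode" -
  decode_policy | vault policy write "$ROLE-decode" -
}

encode() {  # $1 = transformation name; prints the encoded value
  vault write -field=encoded_value "transform/encode/$ROLE" \
    transformation="$1" value="$CARD"
}

decode() {  # $1 = transformation name, $2 = encoded value
  vault write -field=decoded_value "transform/decode/$ROLE" \
    transformation="$1" value="$2"
}

demo() {
  token=$(encode card-token)      # random; a second call yields a different token
  fpe=$(encode card-fpe)          # another 16-digit number in the same layout
  masked=$(encode card-mask)      # XXXX-XXXX-XXXX-1111
  echo "token : $token"
  echo "fpe   : $fpe"
  echo "masked: $masked"
  echo "detokenized: $(decode card-token "$token")"
  echo "decrypted  : $(decode card-fpe "$fpe")"
  # There is deliberately no decode of card-mask: masking is one-way and
  # Vault rejects the request.
}

# Only talk to Vault when a cluster is actually configured.
if [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_TOKEN:-}" ]; then
  configure_transform && install_policies && demo
fi
```

Attach payments-encode to the auth role used by the web tier and payments-decode to the one used by the settlement service; an attacker who compromises the web tier can then create tokens but cannot turn the tokens already stored in the application database back into card numbers.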
HashiCorp resources
- Learn how to classify your data to determine which values require tokenization
- Read the Vault Transform secrets engine documentation for configuration options and supported transformation types
- Tokenize data with the Transform secrets engine to implement tokenization in your application
Next steps
In this section of Secure data, you learned how to tokenize sensitive data using HashiCorp Vault's Transform secrets engine to reduce breach risk and meet compliance requirements. Tokenize data is part of the Secure systems pillar.
Visit the following documents to continue building your data protection strategy:
- Protect sensitive data to apply encryption and access controls for confidential and restricted data
- Protect data at rest to implement storage encryption strategies for classified data
- Protect data in transit to secure data as it moves between systems
- Use policy as code to enforce tokenization requirements across your infrastructure