Background
For the Transform secrets engine, Vault Enterprise users running Vault v1.12.0 or later can use the BYOK (Bring Your Own Key) functionality to import an existing encryption key generated outside of Vault and use it with the Transform secrets engine.
For the Transit secrets engine, the same BYOK functionality is available to Vault Enterprise users running Vault v1.11.0 or later, allowing an existing encryption key generated outside of Vault to be imported and used with the Transit secrets engine.
The target key can originate from an HSM or another external source, and it must be prepared according to its origin before you can import it.
Vault introduced built-in key import APIs starting with Vault v1.12.x for Transform (listed here; check the dedicated sections for FPE and Tokenization transformations) and starting with Vault v1.11.x for Transit (listed here).
For the Transform secrets engine on Vault v1.12.x to 1.13.x, the only way to prepare the target key is to follow this process manually, which can be complex for anyone who has not done it before. Similarly, for the Transit secrets engine on Vault v1.11.x to 1.12.x, you have to follow this process to prepare the target key.
Vault CLI Helper
For the Transit secrets engine, starting with Vault v1.13.x, HashiCorp introduced a built-in Vault CLI helper for interacting with the Transit secrets engine. It performs internally all the steps that previously had to be done manually, as mentioned in the previous section.
Here is the document explaining all the options of the transit import and transit import-version commands.
For the Transform secrets engine, starting with Vault v1.14.x, HashiCorp introduced a built-in Vault CLI helper for interacting with the Transform secrets engine as well. It likewise performs internally all the steps that previously had to be done manually, as mentioned in the previous section.
The behavior is exactly the same as that of the transit import and transit import-version commands; all you need to do is replace transit with transform and use the dedicated API endpoints for FPE or Tokenization transformations, as described here. For example, the following block contains the command with minimal parameters to import an FPE target key into the Transform secrets engine using its CLI helper:
vault transform import transform/transformations/fpe/new-transformation \
@path/to/key \
template=identifier \
allowed_roles=physical-access
Thank you. Hope the article helps.