Vault
Manage secrets engines
You can use the UI to manage the lifecycle of a secrets engine in Vault. With the correct token policies, you can enable, configure, and test a Transit secrets engine.
Note
This step assumes that you enabled authenticated with the credentials created in the Manage Authentication Methods step.
Enable Transit secrets engine
Select the Secrets tab in the Vault UI.
Under Secrets Engines, select Enable new engine.
Under Enable a Secrets Engine, select Transit and Next.
The minimal required configuration to enable the Transit secrets engine is a value for Path. Vault supports enabling multiple secrets engines at various paths so long as they are unique. If you have not previously configured a Transit secrets engine, then the default path "transit" is acceptable.
Find advanced configuration under Method Options.
You can use these options to add a description, fine tune the mount configuration, adjust default time-to-live (TTL) values, filter keys in audit devices and allow specific headers.
The Vault API documentation for /sys/mounts API Parameters is a great reference for learning more about these options and how they are configured.
Select Enable Engine to enable the Transit secrets engine.
The Transit secrets engine is successfully enabled at the path transit
. Before you can encrypt and decrypt data in Transit, you need to create a key that will be used for those purposes.
Create encryption key
Select Create encryption key to begin the key creation process.
Enter
my-key
into the Name field to name it.Vault supports a range of key types; leave Type set to the default value "aes256-gcm96" for this tutorial.
For now, you also do not need to be concerned with the other options, Exportable, Derived, and Enable convergent encryption. You can learn more about key creation parameters, including details on key types from the Create Key API documentation.
Select Create encryption key to create the key.
Encrypt plaintext
Select transit to navigate back to the list of Transit secrets engine keys.
Select my-key from the list of transit keys to encrypt some plaintext.
Select Encrypt from the available Key Actions.
Enter
Learn Vault!
into the Plaintext area.Select Encrypt.
The ciphertext is returned in a dialog that allows for copying it to the clipboard. Select Copy & Close to dismiss the dialog.
Keep the plaintext string handy; here is a ciphertext example.
vault:v1:VGCOXenNqz4gb4z7SLBHrqKB8FtKUhj8wmhVVEvT/lMd4FqlvzoQGA==
NOTE Since we created a Transit key with default options, it is expected to get different ciphertext output for the same plaintext, so your result will vary from the example shown. If you enable Convergent Encryption with certain key types however, you can produce the same ciphertext for the same plaintext on every encrypt operation.
Decrypt ciphertext
Follow these steps to decrypt the returned ciphertext.
Under Key Actions, select Decrypt.
Paste the ciphertext string from the previous step into the Ciphertext area.
Select Decrypt.
A dialog returns the base64 encoded plaintext (e.g.
TGVhcm4gVmF1bHQh
).Select Copy & Close.
You can decode the string in the browser console. Open your browser inspector, access the console, and decode the string with the JavaScript
atob()
function.atob('TGVhcm4gVmF1bHQh')
The expected output should match the original plaintext: "Learn Vault!".
Next steps
You now have a basic understanding of secrets engine management in the Vault UI with the Transit secrets engine as an example. From here, you can go on to learn about the Vault API Explorer.
To learn more about secrets engines, refer to the Secrets Management tutorials.