Tokenize Data with Transform Secrets Engine

NOTE: Transform secrets engine requires Vault Enterprise Advanced Data Protection (ADP) license. To explore Vault Enterprise features, you can sign up for a free 30-day trial from here.

»Challenge

When encrypting sensitive data, preservation of the original data format or length may be required to meet certain industry standards such as HIPAA or PCI. To fulfill this requirement, the transform secrets engine performs format preserving encryption (FPE).

However, there are organizations that care more about the irreversibility of the tokenized data and not so much about preserving the original data format. Therefore, the transform secrets engine's FPE transformation may not meet the governance, risk and compliance (GRC) strategy they are looking for due to the use of reversible cryptography to perform FPE.

»Solution

Transform secrets engine has a data transformation method to tokenize sensitive data stored outside of Vault. Tokenization replaces sensitive data with unique values (tokens) that are unrelated to the original value in any algorithmic sense. Therefore, those tokens cannot risk exposing the plaintext satisfying the PCI-DSS guidance.

»Characteristics of the tokenization transformation:

Non-reversible identification: Protect data pursuant to requirements for data irreversibility (PCI-DSS, GDPR, etc.)
Integrated Metadata: Supports metadata for identifying data type and purpose
Extreme scale and performance: Support for performantly managing billions of tokens across clouds as well as on-premise

»Prerequisites

To perform the tasks described in this tutorial, you need to have a Vault Enterprise v1.6 or later with Advanced Data Protection module.

NOTE: To explore Vault Enterprise features, you can sign up for a free 30-day trial.

»Policy requirements

NOTE: For the purpose of this tutorial, you can use root token to work with Vault. However, it is recommended that root tokens are only used for just enough initial setup or in emergencies. As a best practice, use tokens with appropriate set of policies based on your role in the organization.

To perform all tasks demonstrated in this tutorial, your policy must include the following permissions:

# Work with transform secrets engine
path "transform/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Enable secrets engine
path "sys/mounts/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# List enabled secrets engine
path "sys/mounts" {
  capabilities = [ "read", "list" ]
}

# Work with transform secrets engine
path "transform/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Enable secrets engine
path "sys/mounts/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# List enabled secrets engine
path "sys/mounts" {
  capabilities = [ "read", "list" ]
}

If you are not familiar with policies, refer to the policies tutorial.

»Setup the Transform secrets engine

Create a role named, mobile-pay which is attached to credit-card transformation. The tokenized value has a fixed maximum time-to-live (TTL) of 24 hours.

Enable the transform secrets engine at transform/.

$ vault secrets enable transform

$ vault secrets enable transform

Create a role named mobile-pay with a transformation named credit-card.

$ vault write transform/role/mobile-pay transformations=credit-card
Success! Data written to: transform/role/mobile-pay

$ vault write transform/role/mobile-pay transformations=credit-card
Success! Data written to: transform/role/mobile-pay

The mobile-pay role is created.

The role is created but the credit-card transformation does not exist, yet.

Create a transformation named credit-card which sets the generated token's time-to-live (TTL) to 24 hours.

$ vault write transform/transformations/tokenization/credit-card \
  allowed_roles=mobile-pay \
  max_ttl=24h

$ vault write transform/transformations/tokenization/credit-card \
  allowed_roles=mobile-pay \
  max_ttl=24h

Output:

Success! Data written to: transform/transformations/tokenization/credit-card

Success! Data written to: transform/transformations/tokenization/credit-card

The max_ttl is an optional parameter which allows you to control how long the token should stay valid.

NOTE: Set the allowed_roles parameter to a wildcard (*) to allow all roles or with globs at the end for pattern matching (e.g. mobile-*).

Display details about the credit-card transformation.

$ vault read transform/transformations/tokenization/credit-card

Key              Value
---              -----
allowed_roles    [mobile-pay]
mapping_mode     default
max_ttl          24h
templates        <nil>
type             tokenization

$ vault read transform/transformations/tokenization/credit-card

Key              Value
---              -----
allowed_roles    [mobile-pay]
mapping_mode     default
max_ttl          24h
templates        <nil>
type             tokenization

Notice that the type is set to tokenization.

»Tokenize secrets

The Vault client applications must have the following in their policy to perform tokenization transformation using the Transform secrets engine enabled at transform/.

# To request data encoding using any of the roles
# Specify the role name in the path to narrow down the scope
path "transform/encode/mobile-pay" {
   capabilities = [ "update" ]
}

# To request data decoding using any of the roles
# Specify the role name in the path to narrow down the scope
path "transform/decode/mobile-pay" {
   capabilities = [ "update" ]
}

# To validate the token
path "transform/validate/mobile-pay" {
   capabilities = [ "update" ]
}

# To retrieve the metadata belong to the token
path "transform/metadata/mobile-pay" {
   capabilities = [ "update" ]
}

# To check and see if the secret is tokenized
path "transform/tokenized/mobile-pay" {
   capabilities = [ "update" ]
}

Required Client Policy

# To request data encoding using any of the roles
# Specify the role name in the path to narrow down the scope
path "transform/encode/mobile-pay" {
   capabilities = [ "update" ]
}

# To request data decoding using any of the roles
# Specify the role name in the path to narrow down the scope
path "transform/decode/mobile-pay" {
   capabilities = [ "update" ]
}

# To validate the token
path "transform/validate/mobile-pay" {
   capabilities = [ "update" ]
}

# To retrieve the metadata belong to the token
path "transform/metadata/mobile-pay" {
   capabilities = [ "update" ]
}

# To check and see if the secret is tokenized
path "transform/tokenized/mobile-pay" {
   capabilities = [ "update" ]
}

Encode a value with the mobile-pay role with some metadata.

$ vault write transform/encode/mobile-pay value=1111-2222-3333-4444 \
     transformation=credit-card \
     ttl=8h \
     metadata="Organization=HashiCorp" \
     metadata="Purpose=Travel" \
     metadata="Type=AMEX"

$ vault write transform/encode/mobile-pay value=1111-2222-3333-4444 \
     transformation=credit-card \
     ttl=8h \
     metadata="Organization=HashiCorp" \
     metadata="Purpose=Travel" \
     metadata="Type=AMEX"

The ttl value is an optional parameter. Remember that the max_ttl was set to 24 hours when you created the credit-card transformation. You can overwrite that value to make the token's TTL to be shorter.

The output displays the encoded value.

Key              Value
---              -----
encoded_value    Q4tYgFXHxUbU5XZoQsxusAzxhNyVWmCFWxAT8SGkHoYB3VkrmQGXVR

Key              Value
---              -----
encoded_value    Q4tYgFXHxUbU5XZoQsxusAzxhNyVWmCFWxAT8SGkHoYB3VkrmQGXVR

Set the generated token value in a MY_TOKEN environment variable for testing.

Example:

$ export MY_TOKEN="Q4tYgFXHxUbU5XZoQsxusAzxhNyVWmCFWxAT8SGkHoYB3VkrmQGXVR"

$ export MY_TOKEN="Q4tYgFXHxUbU5XZoQsxusAzxhNyVWmCFWxAT8SGkHoYB3VkrmQGXVR"

Retrieve the metadata of the token.

$ vault write transform/metadata/mobile-pay value=$MY_TOKEN transformation=credit-card

Key                Value
---                -----
expiration_time    2021-03-13 06:49:58.041608 +0000 UTC
metadata           map[Organization:HashiCorp Purpose:Travel Type:AMEX]

$ vault write transform/metadata/mobile-pay value=$MY_TOKEN transformation=credit-card

Key                Value
---                -----
expiration_time    2021-03-13 06:49:58.041608 +0000 UTC
metadata           map[Organization:HashiCorp Purpose:Travel Type:AMEX]

Notice that expiration_time is displayed. Since you have overwritten the max_ttl, the ttl is set to 8 hours.

Validate the token value.

$ vault write transform/validate/mobile-pay value=$MY_TOKEN transformation=credit-card

Key      Value
---      -----
valid    true

$ vault write transform/validate/mobile-pay value=$MY_TOKEN transformation=credit-card

Key      Value
---      -----
valid    true

Validate that the credit card number has been tokenized already.

$ vault write transform/tokenized/mobile-pay value=1111-2222-3333-4444 transformation=credit-card

Key          Value
---          -----
tokenized    true

$ vault write transform/tokenized/mobile-pay value=1111-2222-3333-4444 transformation=credit-card

Key          Value
---          -----
tokenized    true

Retrieve the original plaintext credit card value.

$ vault write transform/decode/mobile-pay transformation=credit-card value=$MY_TOKEN

Key              Value
---              -----
decoded_value    1111-2222-3333-4444

$ vault write transform/decode/mobile-pay transformation=credit-card value=$MY_TOKEN

Key              Value
---              -----
decoded_value    1111-2222-3333-4444

»Convergent tokenization

Requirement: This feature requires Vault 1.11.0 or later.

If you run the command multiple times, you would notice that it returns a different encoded value every time.

Example:

$ vault write transform/encode/mobile-pay value=5555-6666-7777-8888 transformation=credit-card
Key              Value
---              -----
encoded_value    Q4tYgFXHxURKc5zaVDRhi3QT35htvADKtnBpBazpoBZPG373FP1mXs     

$ vault write transform/encode/mobile-pay value=5555-6666-7777-8888 transformation=credit-card
Key              Value
---              -----
encoded_value    Q4tYgFXHxUVpMnf4SSVQZWm1YhAG2eSGvS3dBeDNmm7fkPLnw3JV54

$ vault write transform/encode/mobile-pay value=5555-6666-7777-8888 transformation=credit-card
Key              Value
---              -----
encoded_value    Q4tYgFXHxURKc5zaVDRhi3QT35htvADKtnBpBazpoBZPG373FP1mXs     

$ vault write transform/encode/mobile-pay value=5555-6666-7777-8888 transformation=credit-card
Key              Value
---              -----
encoded_value    Q4tYgFXHxUVpMnf4SSVQZWm1YhAG2eSGvS3dBeDNmm7fkPLnw3JV54

In some use cases, you may want to have the same encoded value for a given input so that you can query your database to count the number of entries for a given secret.

Key derivation is supported to allow the same key to be used for multiple purposes by deriving a new key based on a user-supplied context value. In this mode, convergent encryption can optionally be supported, which allows the same input values to produce the same ciphertext.

Create a transformation named credit-card-convergent which sets the enables the convergent encryption. When you define a transformation, set convergent=true.

$ vault write transform/transformations/tokenization/credit-card-convergent \
     allowed_roles="*" \
     convergent=true

$ vault write transform/transformations/tokenization/credit-card-convergent \
     allowed_roles="*" \
     convergent=true

Output:

Success! Data written to: transform/transformations/tokenization/credit-card-convergent

Success! Data written to: transform/transformations/tokenization/credit-card-convergent

Add the credit-card-convergent to the mobile-pay role.

$ vault write transform/role/mobile-pay transformations="credit-card, credit-card-convergent"
Success! Data written to: transform/role/mobile-pay

$ vault write transform/role/mobile-pay transformations="credit-card, credit-card-convergent"
Success! Data written to: transform/role/mobile-pay

Encode a value using the credit-card-convergent transformation.

$ vault write transform/encode/mobile-pay value=5555-6666-7777-8888 \
     transformation=credit-card-convergent

$ vault write transform/encode/mobile-pay value=5555-6666-7777-8888 \
     transformation=credit-card-convergent

Example output:

Key              Value
---              -----
encoded_value    DaCJhefr1oRUoY1vCtgJ8HixeazFhWHzFsNoNGeDWnyGGe76Xp8Er4UyW76xiPyQ2Eh2jGztnb3x

Key              Value
---              -----
encoded_value    DaCJhefr1oRUoY1vCtgJ8HixeazFhWHzFsNoNGeDWnyGGe76Xp8Er4UyW76xiPyQ2Eh2jGztnb3x

Run the command again.

$ vault write transform/encode/mobile-pay value=5555-6666-7777-8888 \
     transformation=credit-card-convergent

$ vault write transform/encode/mobile-pay value=5555-6666-7777-8888 \
     transformation=credit-card-convergent

Example output:

The same encrypted value is returned.

Key              Value
---              -----
encoded_value    DaCJhefr1oRUoY1vCtgJ8HixeazFhWHzFsNoNGeDWnyGGe76Xp8Er4UyW76xiPyQ2Eh2jGztnb3x

Key              Value
---              -----
encoded_value    DaCJhefr1oRUoY1vCtgJ8HixeazFhWHzFsNoNGeDWnyGGe76Xp8Er4UyW76xiPyQ2Eh2jGztnb3x

»Lookup token

When the transformation is configured with convergent encryption, you can look up the tokenized value (token).

Encode the value using the credit-card-convergent transformation with time-to-live (TTL) of 8 hours.

$ vault write transform/encode/mobile-pay value=5555-6666-7777-8888 \
     transformation=credit-card-convergent ttl=8h

$ vault write transform/encode/mobile-pay value=5555-6666-7777-8888 \
     transformation=credit-card-convergent ttl=8h

Example output:

Key              Value
---              -----
encoded_value    MQEgMY8jwXYJNb9p177dYCttwRUcctAeo89yVmMPiLotzfe3sx2btpBGNLijo2KA9cy4hAnTfeV78D5rJwyBdC5j6tMEZgH

Key              Value
---              -----
encoded_value    MQEgMY8jwXYJNb9p177dYCttwRUcctAeo89yVmMPiLotzfe3sx2btpBGNLijo2KA9cy4hAnTfeV78D5rJwyBdC5j6tMEZgH

Notice that the encoded value (token) is longer than the one without TTL.

Look up the token for a card number, "5555-6666-7777-8888".

$ vault write transform/tokens/mobile-pay value=5555-6666-7777-8888 \
    transformation=credit-card-convergent

$ vault write transform/tokens/mobile-pay value=5555-6666-7777-8888 \
    transformation=credit-card-convergent

Output:

Key       Value
---       -----
tokens    [DaCJhefr1oRUoY1vCtgJ8HixeazFhWHzFsNoNGeDWnyGGe76Xp8Er4UyW76xiPyQ2Eh2jGztnb3x]

Key       Value
---       -----
tokens    [DaCJhefr1oRUoY1vCtgJ8HixeazFhWHzFsNoNGeDWnyGGe76Xp8Er4UyW76xiPyQ2Eh2jGztnb3x]

Now, look up with expiration of "any".

$ vault write transform/tokens/mobile-pay value=5555-6666-7777-8888 \
    transformation=credit-card-convergent expiration="any"

$ vault write transform/tokens/mobile-pay value=5555-6666-7777-8888 \
    transformation=credit-card-convergent expiration="any"

Output:

Key       Value
---       -----
tokens    [DaCJhefr1oRUoY1vCtgJ8HixeazFhWHzFsNoNGeDWnyGGe76Xp8Er4UyW76xiPyQ2Eh2jGztnb3x MQEgMY8jwXYJNb9p177dYCttwRUcctAeo89yVmMPiLotzfe3sx2btpBGNLijo2KA9cy4hAnTfeV78D5rJwyBdC5j6tMEZgH]

Key       Value
---       -----
tokens    [DaCJhefr1oRUoY1vCtgJ8HixeazFhWHzFsNoNGeDWnyGGe76Xp8Er4UyW76xiPyQ2Eh2jGztnb3x MQEgMY8jwXYJNb9p177dYCttwRUcctAeo89yVmMPiLotzfe3sx2btpBGNLijo2KA9cy4hAnTfeV78D5rJwyBdC5j6tMEZgH]

This returns two tokens. In absence of the "expiration" paramter, the command returns token with no expiration. When the expiration is set to "any", it returns tokens with any expiration.

Look up token that are expiration between a given range using min_expiration and min_expiration which are RFC3339 formatted time and date.

Example:

$ vault write transform/tokens/mobile-pay value=5555-6666-7777-8888 \
    transformation=credit-card-convergent \
    min_expiration="2022-06-20T06:30:50+00:00" \
    max_expiration="2022-06-20T14:30:50+00:00"

Key       Value
---       -----
tokens    [DaCJhefr1oRUoY1vCtgJ8HixeazFhWHzFsNoNGeDWnyGGe76Xp8Er4UyW76xiPyQ2Eh2jGztnb3x MQEgMY8jwXYJNb9p177dYCttwRUcctAeo89yVmMPiLotzfe3sx2btpBGNLijo2KA9cy4hAnTfeV78D5rJwyBdC5j6tMEZgH]

$ vault write transform/tokens/mobile-pay value=5555-6666-7777-8888 \
    transformation=credit-card-convergent \
    min_expiration="2022-06-20T06:30:50+00:00" \
    max_expiration="2022-06-20T14:30:50+00:00"

Key       Value
---       -----
tokens    [DaCJhefr1oRUoY1vCtgJ8HixeazFhWHzFsNoNGeDWnyGGe76Xp8Er4UyW76xiPyQ2Eh2jGztnb3x MQEgMY8jwXYJNb9p177dYCttwRUcctAeo89yVmMPiLotzfe3sx2btpBGNLijo2KA9cy4hAnTfeV78D5rJwyBdC5j6tMEZgH]

»Setup external token storage

Unlike format preserving encryption (FPE) transformation, tokenization is a stateful procedure to facilitate mapping between tokens and various cryptographic values (one way HMAC of the token, encrypted metadata, etc.) including the encrypted plaintext itself which must be persisted.

At scale, this could put a lot of additional load on the Vault's storage backend. To avoid this, you have an option to use external storage to persist data for tokenization transformation.

NOTE: Currently, PostgreSQL and MySQL are supported as external storage for tokenization.

To demonstrate, run a PostgreSQL database in a Docker container. Create a new transformation named, "passport" which uses this PostgreSQL as its storage rather than using the Vault's storage backend.

Run PostgreSQL Docker image in a container.

Start a postgres instance which listens to port 5432, and the superuser (root) password is set to rootpassword.

$ docker run --name postgres -e POSTGRES_USER=root \
     -e POSTGRES_PASSWORD=rootpassword \
     -d -p 5432:5432 postgres

$ docker run --name postgres -e POSTGRES_USER=root \
     -e POSTGRES_PASSWORD=rootpassword \
     -d -p 5432:5432 postgres

You can verify that the postgres container is running.

$ docker ps

CONTAINER ID        IMAGE            ...         PORTS                    NAMES
befcf913da91        postgres         ...         0.0.0.0:5432->5432/tcp   postgres

$ docker ps

CONTAINER ID        IMAGE            ...         PORTS                    NAMES
befcf913da91        postgres         ...         0.0.0.0:5432->5432/tcp   postgres

Create a new role, "global-id".

$ vault write transform/role/global-id transformations=passport
Success! Data written to: transform/role/global-id

$ vault write transform/role/global-id transformations=passport
Success! Data written to: transform/role/global-id

Create a store which points to the postgres.

$ vault write transform/stores/postgres \
   type=sql \
   driver=postgres \
   supported_transformations=tokenization \
   connection_string='postgresql://{{username}}:{{password}}@localhost/root?sslmode=disable' \
   username=root \
   password=rootpassword

$ vault write transform/stores/postgres \
   type=sql \
   driver=postgres \
   supported_transformations=tokenization \
   connection_string='postgresql://{{username}}:{{password}}@localhost/root?sslmode=disable' \
   username=root \
   password=rootpassword

Create a schema in postgres to store tokenization artifacts.

$ vault write transform/stores/postgres/schema transformation_type=tokenization \
    username=root password=rootpassword

$ vault write transform/stores/postgres/schema transformation_type=tokenization \
    username=root password=rootpassword

Create a new transformation named, "passport" which points to the postgres store.

$ vault write transform/transformations/tokenization/passport \
    allowed_roles=global-id stores=postgres

$ vault write transform/transformations/tokenization/passport \
    allowed_roles=global-id stores=postgres

Open another terminal and connect to the postgres container.

$ docker exec -it postgres bash

$ docker exec -it postgres bash

Start psql.

$ psql -U root

$ psql -U root

Check to verify that there is no entry.

$ select * from tokens;

storage_token | key_version | ciphertext | encrypted_metadata | fingerprint | expiration_time
---------------+-------------+------------+--------------------+-------------+-----------------
(0 rows)

$ select * from tokens;

storage_token | key_version | ciphertext | encrypted_metadata | fingerprint | expiration_time
---------------+-------------+------------+--------------------+-------------+-----------------
(0 rows)

Return to the terminal you were running Vault CLI, and encode some test data.

$ vault write transform/encode/global-id \
    transformation=passport \
    value="123456789"

$ vault write transform/encode/global-id \
    transformation=passport \
    value="123456789"

Example output:

Key              Value
---              -----
encoded_value    Q4tYgFXHxUS3PnQLiUnyH2JfGeEZQDFXMMaFXLU6MZfiix1tjqwgNX

Key              Value
---              -----
encoded_value    Q4tYgFXHxUS3PnQLiUnyH2JfGeEZQDFXMMaFXLU6MZfiix1tjqwgNX

Return to the postgres container, and check the data entry.

$ select * from tokens;

$ select * from tokens;

Example output:

  storage_token        | key_version |       ciphertext          | encrypted_metadata | ...
--------------------------+-------------+---------------------------+--------------------+-...
\x128aa3c24699...snip... |           1 | \x1ee7cc3505e31...snip... |                    | ...
(1 row)

  storage_token        | key_version |       ciphertext          | encrypted_metadata | ...
--------------------------+-------------+---------------------------+--------------------+-...
\x128aa3c24699...snip... |           1 | \x1ee7cc3505e31...snip... |                    | ...
(1 row)

As you encode more data, the table entry grows.

Enter \q to quit the psql session.
Enter exit to exit out of the Docker container.

»Summary

Transformation secrets engine introduced tokenization transformation feature which replaces sensitive data with unique value (token) that are unrelated to the original value in any algorithmic sense. This can help organizations to meet certain industry standards.

If retaining the original data format is important, refer to the Transform Secrets Engine to learn about the format preserving encryption (FPE) transformation.

Infrastructure

Security

Applications

Networking

cloud

»Challenge

»Solution

»Characteristics of the tokenization transformation:

»Prerequisites

»Policy requirements

»Setup the Transform secrets engine

»Tokenize secrets

»Convergent tokenization

»Lookup token

»Setup external token storage

»Summary

»Help and Reference