Organizations need to protect application data at rest and in transit (especially in a cloud environment). Vault can encrypt and decrypt application data with an HTTP (TLS) API call. Key management, encryption algorithm, and more are offloaded and centrally managed by Vault.
In addition, Vault Enterprise offers an HSM integration. Use FIPS 140-2 certified HSMs to ensure that Critical Security Parameters (CSPs) are protected in a compliant fashion.
Based on your organization's needs, refer to some or all of the guides provided on this track to get you started.
The Encryption as a Service: Transit Secrets Engine guide walks you through the basic mechanism of the transit secrets engine. Refer to the Transit Secrets Re-wrapping guide for a code example that re-wraps ciphertexts encrypted with an older version of the encryption key.
The Java Application Demo uses the Spring Cloud Vault library to show an example of integrating Vault. This guide provides a comprehensive example using not only the transit secrets engine but also the database secrets engine, which is introduced in the Secrets Management learn track.

If you are running Vault Enterprise and integrating Vault with an HSM, read the HSM Integration - Seal Wrap guide, which introduces the Seal Wrap capability provided by Vault.