The transit secrets engine performs cryptographic operations on data in transit: Vault encrypts and decrypts the data sent to the engine but does not store it, so the engine is often described as "cryptography as a service" or "encryption as a service". Detailed information about transit encryption can be found in the official Vault documentation.

Currently, transit encryption is supported only for Pod mutation; support for Secrets and ConfigMaps will follow in the near future.

Example

Enable the Transit secrets engine:

vault secrets enable transit

Create a named encryption key:

vault write -f transit/keys/my-key

Encrypt data with the encryption key (the plaintext must be base64-encoded; note that `<<<` appends a trailing newline to the plaintext, so use `printf '%s' ... | base64` if the secret must not contain one):

vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")

The command returns a `ciphertext` field of the form `vault:v1:...`; that string is the value you put into the Pod manifest.

This Deployment will be mutated by the webhook, because at least one of its environment variables has a value that was encrypted by Vault's transit engine (a value starting with `vault:`). The injected vault-env binary authenticates to Vault with the Pod's ServiceAccount and decrypts the value with the transit key named in the `transit-key-id` annotation before the container's command starts:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
  template:
    metadata:
      labels:
        app.kubernetes.io/name: vault
      annotations:
        vault.security.banzaicloud.io/vault-addr: "https://vault:8200" # optional, the address of the Vault service, the default value is https://vault:8200
        vault.security.banzaicloud.io/vault-role: "default" # optional, the default value is the name of the ServiceAccount the Pod runs in; for Secrets and ConfigMaps it is "default"
        vault.security.banzaicloud.io/vault-skip-verify: "false" # optional, skip TLS verification of the Vault server certificate
        vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" # optional, the name of the Secret holding the Vault CA cert; if not defined it is not mounted
        vault.security.banzaicloud.io/vault-agent: "false" # optional, if true a Vault Agent is started to do Vault authentication; by default not needed, vault-env does Kubernetes ServiceAccount based Vault authentication
        vault.security.banzaicloud.io/vault-path: "kubernetes" # optional, the Kubernetes Auth mount path in Vault, the default value is "kubernetes"
        vault.security.banzaicloud.io/transit-key-id: "my-key" # required if encrypted data is found; the transit key created above
    spec:
      serviceAccountName: default
      containers:
      - name: alpine
        image: alpine
        command: ["sh", "-c", "echo $AWS_SECRET_ACCESS_KEY && echo going to sleep... && sleep 10000"]
        env:
        - name: AWS_SECRET_ACCESS_KEY
          # This ciphertext was produced with a different key, so it will not match
          # the output of your own `encrypt` call; substitute the ciphertext you got above.
          value: vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
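The steps above, collected into one script as an added example (this is not code from the Bank-Vaults project). It also covers the part the walkthrough leaves implicit: the Pod's Vault role must be allowed to call `transit/decrypt/my-key`, otherwise vault-env cannot decrypt the value at startup. It assumes the `vault` CLI with `VAULT_ADDR` and `VAULT_TOKEN` set, the Kubernetes auth method mounted at `kubernetes`, and the policy name `transit-my-key`, the role name and the `KEY_ID`/`NAMESPACE`/`SERVICE_ACCOUNT` values, which are all choices made for this example:

```shell
#!/bin/sh
# Added example: transit-encrypt a secret and ship it to a Pod via the
# Bank-Vaults mutating webhook. Not project code; names below are assumptions.
set -eu

KEY_ID="my-key"              # transit key name, as in the walkthrough
NAMESPACE="default"          # namespace the Pod runs in
SERVICE_ACCOUNT="default"    # ServiceAccount the Pod runs as (= default vault-role)

# Least-privilege policy for the workload: vault-env only needs to decrypt
# with this one key. Encrypt and key management stay with the operator.
transit_policy() {
  cat <<EOF
path "transit/decrypt/${KEY_ID}" {
  capabilities = ["update"]
}
EOF
}

# True if a value looks like a transit ciphertext (vault:v<N>:<base64>),
# i.e. something the webhook will hand to vault-env for decryption.
is_transit_ciphertext() {
  case "$1" in
    vault:v[0-9]*:?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Encrypt a plaintext and print only the ciphertext. printf avoids the
# trailing newline that `base64 <<< "..."` would bake into the secret.
encrypt_value() {
  vault write -field=ciphertext "transit/encrypt/${KEY_ID}" \
    plaintext="$(printf '%s' "$1" | base64)"
}

# Render the Deployment with the ciphertext as the env value.
render_manifest() {
  ciphertext="$1"
  is_transit_ciphertext "$ciphertext" || { echo "not a transit ciphertext: $ciphertext" >&2; return 1; }
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-test
  namespace: ${NAMESPACE}
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
  template:
    metadata:
      labels:
        app.kubernetes.io/name: vault
      annotations:
        vault.security.banzaicloud.io/vault-addr: "https://vault:8200"
        vault.security.banzaicloud.io/transit-key-id: "${KEY_ID}"
    spec:
      serviceAccountName: ${SERVICE_ACCOUNT}
      containers:
      - name: alpine
        image: alpine
        command: ["sh", "-c", "echo \$AWS_SECRET_ACCESS_KEY && sleep 10000"]
        env:
        - name: AWS_SECRET_ACCESS_KEY
          value: ${ciphertext}
EOF
}

# One-time Vault setup: engine, key, policy, and the Kubernetes auth role
# that binds the policy to the Pod's ServiceAccount.
setup_vault() {
  vault secrets enable -path=transit transit 2>/dev/null || true   # idempotent
  vault write -f "transit/keys/${KEY_ID}"
  transit_policy | vault policy write "transit-${KEY_ID}" -
  vault write "auth/kubernetes/role/${SERVICE_ACCOUNT}" \
    bound_service_account_names="${SERVICE_ACCOUNT}" \
    bound_service_account_namespaces="${NAMESPACE}" \
    policies="transit-${KEY_ID}" ttl=1h
}

# Only talk to Vault/Kubernetes when explicitly asked: `sh script.sh run`
if [ "${1:-}" = "run" ]; then
  setup_vault
  ct="$(encrypt_value "my secret data")"
  render_manifest "$ct" | kubectl apply -f -
fi
```

Run it with `run` as the first argument against a cluster where the webhook is installed; the rendered manifest carries only ciphertext, so it is safe to commit, while the decrypted value exists only in the container's environment after vault-env has started it.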