HashiCorp Vault: Dynamic Secret Management with Transform Secrets Engine

An Intellyx Brain Candy Update

Since we last covered HashiCorp in September 2018, the company has continued to mature its suite of open source infrastructure products, including Terraform, Vagrant, Consul, and several others.

Its recent news is an update to Vault, its dynamic secret management product. Vault manages secrets and protects data not only in traditional static infrastructures but also in dynamic, cloud-native environments.

Vault controls access to encryption keys and other secrets by authenticating against existing trusted sources of identity and then enables fine-grained authorization via the Vault API, even in dynamic cloud and container environments.

In its latest release, HashiCorp has updated Vault’s functionality in several areas. Most notably, the enterprise version of Vault now features a Transform Secrets Engine that provides both traditional field masking and field-based encryption for data handed to untrusted and semi-trusted systems outside of Vault.

What makes this capability notable is its encryption options. The field length can be preserved across encryption, so that, say, a 16-digit credit card number remains 16 digits in encrypted form, and the output alphabet (all numerals, alphanumeric, etc.) is configurable for the greatest compatibility with older systems.

In addition, the same input value produces a different encrypted form each time it is encrypted, unlike a traditional hash algorithm, which always maps the same input to the same output. An attacker who obtains the encrypted fields therefore can’t match them against one another to gain insight into the original data.
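The three properties described above (ciphertext of the same length as the input, ciphertext drawn from the same alphabet, and output that differs between encryptions of the same value), as an added example that is not HashiCorp's code: a toy format-preserving encryption (FPE) built as a ten-round Feistel network over a configurable alphabet, with HMAC-SHA256 as the round function and a fresh random tweak mixed into every call, plus a simple masking helper for the "traditional field masking" side of the engine. Vault's Transform engine implements the standardized FF3-1 algorithm; this simplified construction only illustrates the mechanics and is not a vetted cipher. The function names `fpe_encrypt`, `fpe_decrypt` and `mask`, the round count, the tweak size and the sample card number are all constructed for this example.

```python
"""Toy format-preserving encryption with a random tweak (teaching example,
not Vault's FF3-1 implementation).

Feistel network over an arbitrary alphabet: the plaintext is split into two
halves, and each round adds an HMAC-derived value (bound to the key, the
tweak, the round number and the other half) to one half modulo radix**m.
Because every step is a permutation of m symbols from the alphabet, the
output has exactly the input's length and alphabet.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

DIGITS = "0123456789"
ROUNDS = 10          # assumption: even number of rounds so halves line up at the end
TWEAK_BYTES = 7      # assumption: 56-bit tweak, the size FF3-1 uses


def _num(s: str, alphabet: str) -> int:
    """Interpret s as a big-endian number in base len(alphabet)."""
    value = 0
    for ch in s:
        value = value * len(alphabet) + alphabet.index(ch)
    return value


def _str(value: int, length: int, alphabet: str) -> str:
    """Inverse of _num: render value as exactly `length` symbols, left-padded."""
    radix = len(alphabet)
    out = []
    for _ in range(length):
        value, idx = divmod(value, radix)
        out.append(alphabet[idx])
    return "".join(reversed(out))


def _round_function(key: bytes, tweak: bytes, i: int, half: str, m: int, radix: int) -> int:
    """Keyed PRF bound to the tweak, the round number and one Feistel half."""
    msg = tweak + bytes([i]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # 256-bit output reduced modulo radix**m: the bias is negligible for short fields.
    return int.from_bytes(digest, "big") % (radix ** m)


def fpe_encrypt(key: bytes, plaintext: str, alphabet: str = DIGITS,
                tweak: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (ciphertext, tweak). A fresh random tweak is drawn when none is given,
    so two encryptions of the same value differ; the tweak must be kept for decoding."""
    if any(ch not in alphabet for ch in plaintext):
        raise ValueError("plaintext contains symbols outside the alphabet")
    if len(plaintext) < 2:
        raise ValueError("need at least two symbols for a Feistel split")
    if tweak is None:
        tweak = secrets.token_bytes(TWEAK_BYTES)
    radix = len(alphabet)
    u = len(plaintext) // 2
    v = len(plaintext) - u
    a, b = plaintext[:u], plaintext[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # the half being rewritten has m symbols
        y = _round_function(key, tweak, i, b, m, radix)
        c = (_num(a, alphabet) + y) % (radix ** m)
        a, b = b, _str(c, m, alphabet)
    return a + b, tweak


def fpe_decrypt(key: bytes, ciphertext: str, tweak: bytes, alphabet: str = DIGITS) -> str:
    """Run the Feistel rounds in reverse with the same key and tweak."""
    radix = len(alphabet)
    u = len(ciphertext) // 2
    v = len(ciphertext) - u
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c, b = b, a
        y = _round_function(key, tweak, i, b, m, radix)
        a = _str((_num(c, alphabet) - y) % (radix ** m), m, alphabet)
    return a + b


def mask(value: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Traditional field masking: hide every symbol except the last `keep_last`."""
    hidden = max(len(value) - keep_last, 0)
    return mask_char * hidden + value[hidden:]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    pan = "4111111111111111"                  # constructed sample card number
    ct1, tw1 = fpe_encrypt(key, pan)
    ct2, tw2 = fpe_encrypt(key, pan)
    print(pan, "->", ct1, "tweak", tw1.hex())
    print(pan, "->", ct2, "tweak", tw2.hex())  # same input, different ciphertext
    print("decrypted:", fpe_decrypt(key, ct1, tw1))
    print("masked:   ", mask(pan))
```

Note that `fpe_encrypt` hands the random tweak back to the caller: because the tweak is not part of the 16-symbol ciphertext, it has to be stored alongside the encrypted field and supplied again at decode time, which is also what the Transform engine requires when its tweak source is set to generate the tweak for you. The `alphabet` parameter is what gives the older-system compatibility the article mentions: the same code encrypts a hexadecimal or alphanumeric field without ever producing a symbol outside that set.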

Copyright © Intellyx LLC. Intellyx publishes the Cortex newsletter, advises companies on their digital transformation initiatives, and helps vendors communicate their agility stories. As of the time of writing, none of the organizations mentioned in this article are Intellyx customers. To be considered for a Brain Candy article, email us at pr@intellyx.com.
