April 22, 2020

Advanced Data Protection with HashiCorp Vault

Organizations store sensitive, personal and valuable data, which must be protected. Leakage of such data can lead to financial loss, reputation risk, legal ramifications and more.

Moreover, organizations must comply to data protection standards and regulations like the PCI DSS, GDPR, HIPAA, etc.

In this blog you will learn what measures organizations take to protect their data, how they implement them, understand their challenges and find out how HashiCorp Vault helps organizations solve these challenges.

Data Protection Measures and Implementation

Encryption at Rest

Transparent Data Encryption (TDE) and Full Disk Encryption (FDE) Most organizations implement some sort of encryption at rest. Information is encrypted at the block level in the filesystem or physical storage medium. This type of encryption does protect you from physical theft but does not protect you if access to a database or database host is compromised, as an example.

Encryption in Transit

Information is encrypted in flight and decrypted by software when required. Information is persisted in an encrypted manner. This type of encryption work well against threats such as SQL injection. Even if the data is compromised, it is encrypted and not useful.


Ultra-sensitive information, such as credit card numbers are commonly protected using tokenization where sensitive data is substituted by non sensitive data called the token.

Format Preserving Encryption & Data Masking

Information is obfuscated in such a way that it is compliant with data constraints in systems of record and decoded as needed.

Data masking is another way to obfuscate information. In this case though the data is masked and cannot be decoded once its encoded.

Hardware Security Module (HSM)

Many organizations use FIPS 140–2-certified Hardware Security Modules or HSMs to ensure that critical security parameters are protected in a compliant manner.

Data Protection Challenges

Increasing Costs

Procuring and deploying new key management infrastructure, HSMs and support can be expensive.

Vault can help reduce hardware costs related to multiple key management 
infrastructure solutions, HSMs, **licensing** and support.

Reduced Productivity

With multiple workflows/APIs to learn cryptographic standards across an organization and different projects and restricted access to HSMs.

With Vault, you can create consistent workflows and cryptographic 
standards across your organization.

Increasing Risk

With multiple attack surfaces to intercept and steal sensitive data.

Vault enables you to encrypt sensitive data using centrally managed,
audited and secured encryption keys. But more importantly all of this
can be achieved through a single workflow and APIs.

Data Protection Perspectives

We have different personas and decision makers responsible for data protection rollout and implementation in every organization and they all have different goals and expectations.

CISO and the security teams

A CISO and the security teams must ensure that the organization and the applications are compliant and audited. They are responsible for security after all and hence, they want to reduce risk by having more control and transparency.

CTO and IT Managers

The CTO and IT Managers are more focused on the cost and productivity of the implementation. They must ensure that they use and build standards and those are consistent across the organization. They are also responsible for time to market. Hence, it is also in their interest to enable their developers by offering them the right tools and processes.


Developers love and expect APIs, ease of use and simplicity.

Vault and Data Protection

Encryption as a Service

Vault’s transit secrets engine provides Encryption as a Service (EaaS). Vault manages the keys, but the client decides where to store the encrypted data. Applications use Vault APIs to encrypt and decrypt values.
Following image shows transit secret engine encrypt operation: Following image shows transit secret engine decrypt operation: Here is some sample code to enable and use the transit secret engine:

Format-Preserving Encryption

Vault’s transform secrets engine provides AES FF3–1 Format-Preserving Encryption (FPE). Vault manages keys and the client decides format & storage for data. Application’s can encode and decode values using the Vault API. Following image shows transform secret engine FPE encode operation: Following image shows transform secret engine FPE decode operation: Here is some sample code to enable and use the transform secret engine with FPE:

Data Masking

Transform secrets engine provides Data Masking. Vault basically search and replaces PII data you pattern match for (Credit Card, SSN, Passport, etc). Application’s can encode or mask the values using Vault API. Decoding is not possible with data masking.

Following image shows transform secret engine Data masking encode operation: Following image shows that once encoded, masked values cannot be decoded:

Here is some sample code to enable and use the transform secret engine with data masking:
KMIP and HSM Integration

You can also use Vault with traditional Applications and Storage systems using KMIP and also integrate with HSMs to maintain compliance.


Vault supports Key Management Interoperability Protocol and can present itself as a KMIP Server to systems e.g. NetApp, VMware, SQL Server, MySQL etc.


Vault supports integration with any HSM that supports PKCS #11.


Vault offers namespaces and can also instantiate multiple KMIP Servers.

Full Disk Encryption (FDE)

Storage systems that support the KMIP protocol can retrieve keys stored in Vault and serve them to encrypted disk for access.

Transparent Data Encryption (TDE)

KMIP capable Database applications can retrieve keys stored in Vault and serve them to encrypted data.

NetApp & VMware

If you are interested in the integration with NetApp or VMware, checkout these blog posts:

  1. HashiCorp Vault as an External Key Manager for NetApp Encryption
  2. Securing VMWare Data: A HashiCorp Vault KMIP Story


  1. Vault provides the foundation for cloud security.
  2. Vault offers advanced data protection features like EaaS, FPE & Data-masking along with KMIP & HSM integration.
  3. Vault increases agility for deploying new and isolated cryptography and at the same time reduces cost and risk.

© Kapil Arora 2019-2020

Powered by Hugo & Kiss.