App design help with use of transit engine

Hey All,

I am pretty new to Vault, but I am pretty much in love with it. I am trying to figure out how to implement user access to the transit engine.

The use case I am building is to encrypt a user defined text blob and store that in a db.

Transit seemed like the right engine to use, though I am open to other engines I may have overlooked.

The system would ideally have many users that can encrypt a blob that only they could access. My current design would have a single transit engine deployed and each user, upon creation, would get their own key ring added. Then use that key ring to encrypt the data blob.

Am I understanding the use of the each of those pieces correctly?

Finally, what would the best way to store access to the key ring? Should vault handle the IAM? That seems like an overcomplication, but I just was hoping for other people’s thoughts to make sure I am not missing anything.

Thanks for any feedback.

That’s a normal transit use case. Assuming the text blob is relatively small, as there’s a 32MB limit.
You can make a key for each user, /transit/keys/bob /transit/keys/sally etc
Then either give the app server/etc access to all keys, or, make individual auth methods/tokens for each which is a lot more work but maybe required depending on your use case/security requirements.
And send your data over to /transit/encrypt/bob and /transit/encrypt/sally
Then save in your database…

For your access from the app server/client to Vault, that depends on your infrastructure+architecture - if you’re an AWS shop, you can use AWS EC2 or IAM auth, or if you want to embed in your build pipeline, use AppRole in one of its ways.

Might also check out:

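To make the reply above concrete, here is an added example (not code from the thread or from HashiCorp) of the per-user-key design: the two ACL policy shapes that express "a user may only use their own key" (one policy per user, or a single policy using Vault's `{{identity.entity.name}}` templating when the entity name matches the key name), the transit `encrypt`/`decrypt` request and response handling with the base64 wrapping the API requires, and storing the `vault:vN:...` ciphertext next to the owning user in a database. The Vault address, the `transit/` mount path and the SQLite table are assumptions; the sample response dicts in the demo are constructed to match the transit API's shape so the script runs without a Vault server, and `vault_call` is the real HTTP call to use when one is available.

```python
# Added example: per-user Vault transit workflow (policies, API calls, storage).
# Assumptions: Vault reachable at VAULT_ADDR, transit engine mounted at "transit/".
import base64
import json
import os
import sqlite3
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")  # assumed address
MOUNT = "transit"  # assumed mount path


def user_policy_hcl(user: str) -> str:
    """Policy for a token that may only encrypt/decrypt with its own key.
    Key creation/rotation is deliberately absent: the provisioning step
    (provisioning_policy_hcl) creates the key when the user is created."""
    return (
        f'path "{MOUNT}/encrypt/{user}" {{ capabilities = ["update"] }}\n'
        f'path "{MOUNT}/decrypt/{user}" {{ capabilities = ["update"] }}\n'
    )


# One shared policy instead of one per user: Vault substitutes the caller's
# entity name at evaluation time, so "bob" can only reach transit/encrypt/bob.
TEMPLATED_USER_POLICY_HCL = (
    f'path "{MOUNT}/encrypt/{{{{identity.entity.name}}}}" {{ capabilities = ["update"] }}\n'
    f'path "{MOUNT}/decrypt/{{{{identity.entity.name}}}}" {{ capabilities = ["update"] }}\n'
)


def provisioning_policy_hcl() -> str:
    """Policy for the user-creation job only: it may create keys, not use them."""
    return f'path "{MOUNT}/keys/*" {{ capabilities = ["create", "update"] }}\n'


def create_key_request(user: str):
    # POST transit/keys/<name>; aes256-gcm96 is the default key type.
    return "POST", f"/v1/{MOUNT}/keys/{user}", {"type": "aes256-gcm96"}


def encrypt_request(user: str, plaintext: bytes):
    # Transit only accepts base64-encoded plaintext.
    return "POST", f"/v1/{MOUNT}/encrypt/{user}", {
        "plaintext": base64.b64encode(plaintext).decode("ascii")}


def decrypt_request(user: str, ciphertext: str):
    return "POST", f"/v1/{MOUNT}/decrypt/{user}", {"ciphertext": ciphertext}


def ciphertext_from_response(resp: dict) -> str:
    ct = resp["data"]["ciphertext"]
    if not ct.startswith("vault:v"):  # transit ciphertexts carry the key version
        raise ValueError("unexpected transit ciphertext format")
    return ct


def plaintext_from_response(resp: dict) -> bytes:
    return base64.b64decode(resp["data"]["plaintext"])


def vault_call(token: str, method: str, path: str, body: dict) -> dict:
    """Send one request to the Vault HTTP API and return the parsed JSON."""
    req = urllib.request.Request(
        VAULT_ADDR + path, data=json.dumps(body).encode(), method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # assumed schema; any DB works
    db.execute("CREATE TABLE blobs (user TEXT, ciphertext TEXT, key_version INTEGER)")
    return db


def store_blob(db: sqlite3.Connection, user: str, encrypt_resp: dict) -> None:
    # The ciphertext does not record which key made it, so keep the owner
    # alongside it; key_version lets you find blobs to rewrap after rotation.
    db.execute("INSERT INTO blobs VALUES (?, ?, ?)", (
        user, ciphertext_from_response(encrypt_resp),
        encrypt_resp["data"].get("key_version")))


def load_blob(db: sqlite3.Connection, user: str):
    return db.execute("SELECT ciphertext, key_version FROM blobs WHERE user = ?",
                      (user,)).fetchone()


if __name__ == "__main__":
    print(user_policy_hcl("bob"))
    db = open_store()
    # Constructed response, shaped like transit's encrypt reply (no server needed).
    fake_encrypt_resp = {"data": {"ciphertext": "vault:v1:c2FtcGxl", "key_version": 1}}
    store_blob(db, "bob", fake_encrypt_resp)
    print(load_blob(db, "bob"))
    print(encrypt_request("bob", b"secret note"))
```

With a real server, replace the constructed response with `vault_call(token, *encrypt_request("bob", blob))`; the user's token is what enforces ownership, since the transit engine itself has no per-key ACL.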

Thanks so much for the reply. Glad to know that I am understanding that correctly.

Thanks for the link as well. I looked through the Transit-aaS pages. They were helpful, but I wanted to make sure I wasn’t doing anything blatantly silly.

Cheers!