Option for Vault to return the same cipher text for an input over multiple encrypt calls

Hello,
When I try to encrypt the same plain text twice (with the same encryption key), Vault returns different cipher text.

Request 1:
$ curl -H 'X-Vault-Token:myroot' --request POST --data '{"plaintext":"MTAw"}' http://localhost:8200/v1/transit/encrypt/k1
{"request_id":"7d90b451-1434-c838-9de8-d83f22580cdc","lease_id":"","renewable":false,"lease_duration":0,"data":{"ciphertext":"vault:v1:KrU7NR2hgCI5hp6NSPF74jmhPF7giyt7W5T9AO4gCw==","key_version":1},"wrap_info":null,"warnings":null,"auth":null}

Request 2:
$ curl -H 'X-Vault-Token:myroot' --request POST --data '{"plaintext":"MTAw"}' http://localhost:8200/v1/transit/encrypt/k1
{"request_id":"faa57068-16c5-d9cb-6225-1bad72eedf09","lease_id":"","renewable":false,"lease_duration":0,"data":{"ciphertext":"vault:v1:roTV1ebLDFVuDXj0TilLvjo4QPV8rqANeUOwI02Ccw==","key_version":1},"wrap_info":null,"warnings":null,"auth":null}

I want to know if there is any way I could get the same cipher text no matter how many times I call the encrypt API for the same plain text.

Thank you

Since the transit engine is not a one-way encryption, why would you want it to? That would expose the key.

If you’re looking for tokenization then that’s a different Enterprise function, known as transform.

Thanks for the response @aram
As part of persisting the sensitive data in database, we are storing cipher texts in database tables and want to query the table based on the cipher text.
Hence our requirement is to get the same cipher text through which we can query the desired record.

Read this bit of the docs, it specifically addresses your use case: Transit - Secrets Engines | Vault by HashiCorp


Thank you @maxb. Convergent Encryption solves our use case. Thanks again.
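The principle behind the convergent encryption mode that resolved this thread, as an added example that is neither Vault's code nor from the thread: AES-GCM from Go's standard library, with the nonce derived from an HMAC over the context and plaintext instead of drawn at random, so the same input always seals to the same blob and an equality lookup on the stored value works. Vault's own construction (key derivation from the context, its exact nonce derivation, the `vault:v1:` wire format) differs in detail; the key and context are constructed, and keying the HMAC with the cipher key itself is a simplification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-GCM, binding context as associated data.
// convergent=false mirrors the thread's default transit behaviour (random
// nonce per call, so equal plaintexts differ); convergent=true uses
// nonce = HMAC-SHA256(key, context||plaintext)[:12], so equal inputs match.
func Encrypt(key, context, plaintext []byte, convergent bool) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if convergent {
		mac := hmac.New(sha256.New, key)
		mac.Write(context)
		mac.Write(plaintext)
		copy(nonce, mac.Sum(nil)) // distinct plaintexts get distinct nonces
	} else if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte{}, nonce...), nonce, plaintext, context), nil // nonce||ct||tag
}

// Decrypt opens a blob from Encrypt; the same context must be supplied.
func Decrypt(key, context, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or blob too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], context)
}
```

What convergent mode gives up is exactly what the querying use case needs: anyone who can read the table can tell which rows hold the same plaintext, so it should be enabled only for columns where that equality leak is acceptable.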