> Creating a policy with the permissions required to operate with the Transform Engine

In [256]:
%%bash
cat /tmp/vault/cluster-keys.json | jq -r ".root_token"

hvs.UF9zLWBhwJJj2GHX620VPOpJ


In [257]:
%env VAULT_ADDR=http://localhost:8200
%env VAULT_TOKEN=hvs.UF9zLWBhwJJj2GHX620VPOpJ

env: VAULT_ADDR=http://localhost:8200
env: VAULT_TOKEN=hvs.UF9zLWBhwJJj2GHX620VPOpJ


In [258]:
%%bash
vault secrets disable transform
vault auth disable userpass

Success! Disabled the secrets engine (if it existed) at: transform/
Success! Disabled the auth method (if it existed) at: userpass/


In [259]:
%%bash 
# export VAULT_ADDR=http://localhost:8200
vault login $(cat /tmp/vault/cluster-keys.json | jq -r ".root_token") 

variable will take precedence; if this is unwanted please unset VAULT_TOKEN or
update its value accordingly.



Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.UF9zLWBhwJJj2GHX620VPOpJ
token_accessor       vR83KAjwDewTVwTSlhq3ML4N
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]


In [260]:
%%bash
vault policy write adpuser -<<EOF
# Work with transform secrets engine
path "transform/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Enable secrets engine
path "sys/mounts/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# List enabled secrets engine
path "sys/mounts" {
  capabilities = [ "read", "list" ]
}
EOF

Success! Uploaded policy: adpuser


In [261]:
%%bash
#
vault auth enable userpass
vault write auth/userpass/users/adpuser password="changeme" policies="adpuser"
vault write auth/userpass/users/admin password="admin" policies="root"

Success! Enabled userpass auth method at: userpass/
Success! Data written to: auth/userpass/users/adpuser
Success! Data written to: auth/userpass/users/admin


> Log in with account and set VAULT_TOKEN env with the returned Token

In [149]:
def get_token(user, password=False, method="userpass"):
    import requests, os, json, pprint

    payload = {
        "password": password,
        }
    #headers = {'X-Vault-Token': os.getenv('VAULT_TOKEN')}
    url = os.getenv('VAULT_ADDR') + "/v1/auth/{}/login/{}".format(method, user)
    try:
        r = requests.post(url, data=payload)
        data = json.loads(r.text)
        r.raise_for_status()

        # Extract Token from Response Payload
        
        #pprint.pprint(data)
        os.environ["VAULT_TOKEN"] = data['auth']['client_token']
        return ("Token: " + data['auth']['client_token'])

    except:
        print(data["errors"])

#get_token("adpuser", password="changeme")

'Token: hvs.CAESIFSn9RrRX0fDKb57J1FoeBzwwj2gdOeZrcn_RvhuOvtzGiEKHGh2cy5uSzJud0hJdk14MmhQNmJZcDdMcmhYNUIQ6QE'

In [262]:
%%bash
echo $VAULT_TOKEN

hvs.UF9zLWBhwJJj2GHX620VPOpJ


# Format Preserving Encryption

![image.png](attachment:image.png)

### Enable Tranform Engine

In [263]:
%%bash
# curl $VAULT_ADDR/v1/sys/mounts/transform --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"type":"transform"}' 
vault secrets enable transform

Success! Enabled the transform secrets engine at: transform/


### Create a role asociated to a Tranformation

In [264]:
%%bash
# curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"transformations": ["card-number"]}' $VAULT_ADDR/v1/transform/role/payments
vault write transform/role/payments transformations=card-number

Success! Data written to: transform/role/payments


### Display the Created Roles

In [265]:
%%bash
#! curl --header "X-Vault-Token: $VAULT_TOKEN" --request LIST $VAULT_ADDR/v1/transform/role | jq ".data"
vault list transform/role

Keys
----
payments


#### Create a transformation named "card-number" which will be used to transform credit card numbers. This uses the built-in template builtin/creditcardnumber to perform format-preserving encryption (FPE). 
#### The allowed role to use this transformation is payments, which you just created.

In [266]:
%%bash
# curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data @payload.json $VAULT_ADDR/v1/transform/transformations/fpe/card-number
vault write transform/transformations/fpe/card-number template="builtin/creditcardnumber" tweak_source=internal allowed_roles='*'

Success! Data written to: transform/transformations/fpe/card-number


### Get the list of Transformations

In [267]:
%%bash
#curl --header "X-Vault-Token: $VAULT_TOKEN" --request LIST $VAULT_ADDR/v1/transform/transformations/fpe | jq ".data"
vault list transform/transformations/fpe

Keys
----
card-number


### Get Details about the specific Transformation card-number

In [268]:
%%bash
# curl --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/transform/transformations/fpe/card-number | jq ".data"
vault read transform/transformations/fpe/card-number

Key                 Value
---                 -----
allowed_roles       [*]
deletion_allowed    false
template            builtin/creditcardnumber
templates           [builtin/creditcardnumber]
tweak_source        internal
type                fpe


## Transform Secrets

### Encode

In [269]:
%%bash
# curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"value": "1111-2222-3333-4444"}' $VAULT_ADDR/v1/transform/encode/payments | jq ".data"
vault write transform/encode/payments value=1111-2222-3333-4444  -format=json | jq -r .data.encoded_value > encoded.txt
cat encoded.txt

9869-9851-5355-7327


### Decode

In [270]:
%%bash
# curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"value": "6781-4032-7760-7869"}' $VAULT_ADDR/v1/transform/decode/payments | jq ".data"
vault write transform/decode/payments value=$(cat encoded.txt) transformation=card-number

Key              Value
---              -----
decoded_value    1111-2222-3333-4444


In [273]:
import requests, os, json, pprint

card_number = "9869-9851-5355-7327"
transformation = "card-number"

payload = {
    "value": card_number,
    "transformation": transformation
    }
headers = {'X-Vault-Token': os.getenv('VAULT_TOKEN')}
url = os.getenv('VAULT_ADDR') + "/v1/transform/decode/payments"
try:
    r = requests.post(url, data=payload, headers=headers)
    data = json.loads(r.text)
    r.raise_for_status()

    # Extract Token from Response Payload
    
    print("Decoded Value: ", data["data"]['decoded_value'])

except:
    print(data["errors"])

Decoded Value:  1111-2222-3333-4444


### Create Custom Template

In [274]:
%%bash
vault list transform/template

Keys
----
builtin/creditcardnumber
builtin/socialsecuritynumber


In [275]:
headers = {'X-Vault-Token': os.getenv('VAULT_TOKEN')}
url = os.getenv('VAULT_ADDR') + "/v1/transform/template/uk-passport-tmpl"
payload = {
  "type": "regex",
  "pattern": "(\d{9})",
  "alphabet": "builtin/numeric"
}
try:
  r = requests.post(url, data=payload, headers=headers)
  r.raise_for_status()

  get = requests.get(os.getenv('VAULT_ADDR') + "/v1/transform/template?list=true", headers=headers)
  data = json.loads(get.text)
  pprint.pprint (data['data'])
except:
  print(json.load(r.text)["errors"])

{'keys': ['builtin/creditcardnumber',
          'builtin/socialsecuritynumber',
          'uk-passport-tmpl']}


In [276]:
# Creat a Transformation that matches the template es-dni-tmpl
# %%bash
# vault write transform/transformations/fpe/es-dni template=es-dni-tmpl tweak_source=internal allowed_roles='*'
# curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data @payload.json $VAULT_ADDR/v1/transform/transformations/fpe/uk-passport

headers = {'X-Vault-Token': os.getenv('VAULT_TOKEN')}
url = os.getenv('VAULT_ADDR') + "/v1/transform/transformations/fpe/es-dni"
payload = {
  "template": "es-dni-tmpl",
  "tweak_source": "internal",
  "allowed_roles": ["*"]
}
r = requests.post(url, data=payload, headers=headers)
r.raise_for_status()

get = requests.get(os.getenv('VAULT_ADDR') + "/v1/transform/transformation?list=true", headers=headers)
data = json.loads(get.text)
pprint.pprint (data['data'])

{'keys': ['card-number', 'es-dni']}


In [277]:
# Associate the new transformation to the role
# ! vault write transform/role/payments transformations=card-number,es-dni
# ! curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"transformations": ["uk-passport", "card-number"]}'  $VAULT_ADDR/v1/transform/role/payments

headers = {'X-Vault-Token': os.getenv('VAULT_TOKEN')}
url = os.getenv('VAULT_ADDR') + "/v1/transform/role/payments"
payload = {
  "transformations": ["uk-passport", "card-number"],
}
r = requests.post(url, data=payload, headers=headers)
r.raise_for_status()

get = requests.get(url, headers=headers)
data = json.loads(get.text)
pprint.pprint (data['data'])


{'transformations': ['uk-passport', 'card-number']}


In [278]:
%%bash
vault write transform/template/uk-passport-tmpl type=regex pattern='(\d{9})'  alphabet=builtin/numeric
vault write transform/transformations/fpe/uk-passport template=uk-passport-tmpl tweak_source=internal allowed_roles='*'
vault write transform/role/payments transformations=card-number,uk-passport

vault write transform/encode/payments value='123456789' transformation=uk-passport

Success! Data written to: transform/template/uk-passport-tmpl
Success! Data written to: transform/transformations/fpe/uk-passport
Success! Data written to: transform/role/payments
Key              Value
---              -----
encoded_value    846174268


In [279]:
%%bash
vault write transform/decode/payments value='846174268' transformation=uk-passport

Key              Value
---              -----
decoded_value    123456789


> Advanced Handling

In [280]:
%%bash 
# Create Template
 vault write transform/template/us-ssn-tmpl \
     type=regex \
     pattern='(?i)(?:SSN[:\s]?)?(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})' \
     encode_format='$1-$2-$3' \
     alphabet=builtin/numeric


Success! Data written to: transform/template/us-ssn-tmpl


In [281]:
%%bash
# Create Transformation matched to template
vault write transform/transformations/fpe/us-ssn \
    template=us-ssn-tmpl \
    tweak_source=internal \
    allowed_roles='*'


Success! Data written to: transform/transformations/fpe/us-ssn


In [282]:
%%bash
# Update payment role to include the new transformation
vault write transform/role/payments transformations=card-number,uk-passport,us-ssn

Success! Data written to: transform/role/payments


In [283]:
%%bash
# Verify Encoding
vault write transform/encode/payments value="123-45-6789" \
    transformation=us-ssn


Key              Value
---              -----
encoded_value    414-92-8442


In [284]:
%%bash
# Verify Encoding
vault write transform/encode/payments value="SSN:123 45 6789" \
    transformation=us-ssn

Key              Value
---              -----
encoded_value    414-92-8442


In [285]:
%%bash
vault write transform/encode/payments value="SSN 123 45 6789" \
    transformation=us-ssn


Key              Value
---              -----
encoded_value    414-92-8442


In [286]:
%%bash
vault write transform/encode/payments value="ssn 123-45-6789" \
    transformation=us-ssn

Key              Value
---              -----
encoded_value    414-92-8442


In [287]:
%%bash
vault write transform/decode/payments value="414-92-8442" \
    transformation=us-ssn


Key              Value
---              -----
decoded_value    123-45-6789


> Decoding Customization

In [288]:
%%bash
vault write transform/template/us-ssn-tmpl \
     type=regex \
     pattern='(?i)(?:SSN[:\s]?)?(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})' \
     encode_format='$1-$2-$3' \
     decode_formats=space-separated='$1 $2 $3' \
     decode_formats=last-four='*** ** $3' \
     alphabet=builtin/numeric


Success! Data written to: transform/template/us-ssn-tmpl


In [289]:
%%bash
vault write transform/encode/payments value="123-45-6789" \
    transformation=us-ssn


Key              Value
---              -----
encoded_value    414-92-8442


> Decode with space-separated

In [290]:
%%bash
vault write transform/decode/payments/space-separated value="414-92-8442" \
     transformation=us-ssn


Key              Value
---              -----
decoded_value    123 45 6789


In [291]:
%%bash
vault write transform/decode/payments/last-four value="414-92-8442" \
     transformation=us-ssn


Key              Value
---              -----
decoded_value    *** ** 6789


# Masking

![image.png](attachment:image.png)

In [292]:
%%bash
vault write transform/template/phone-number-tmpl type=regex \
    pattern="\+\d{1,2}[\s-]?(\d{3})-?(\d{3})-?(\d{3,4})" \
    alphabet=builtin/numeric


Success! Data written to: transform/template/phone-number-tmpl


In [293]:
%%bash
vault write transform/transformations/masking/phone-number \
    template=phone-number-tmpl \
    masking_character=+ \
    allowed_roles='*'


Success! Data written to: transform/transformations/masking/phone-number


In [294]:
%%bash
# Update payment role to include the new transformation
vault write transform/role/payments transformations=card-number,uk-passport,us-ssn,phone-number

Success! Data written to: transform/role/payments


In [295]:
%%bash
vault write transform/encode/payments value="+1 123-345-5678" \
    transformation=phone-number



Key              Value
---              -----
encoded_value    +1 +++-+++-++++


In [296]:
%%bash
vault write transform/encode/payments value="+34 911-111222" \
    transformation=phone-number

Key              Value
---              -----
encoded_value    +34 +++-++++++


# Batch Input Processing

In [183]:
%%bash
tee input-multiple.json <<EOF
{
  "batch_input": [
    {
      "value": "1111-1111-1111-1111",
      "transformation": "card-number"
    },
    {
      "value": "123456789",
      "transformation": "uk-passport"
    },
    {
      "value": "+1 123-345-5678",
      "transformation": "phone-number"
    }
  ]
}
EOF

curl --header "X-Vault-Token: $VAULT_TOKEN" \
     --request POST \
     --data @input-multiple.json \
     $VAULT_ADDR/v1/transform/encode/payments | jq ".data"

{
  "batch_input": [
    {
      "value": "1111-1111-1111-1111",
      "transformation": "card-number"
    },
    {
      "value": "123456789",
      "transformation": "uk-passport"
    },
    {
      "value": "+1 123-345-5678",
      "transformation": "phone-number"
    }
  ]
}


  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   508  100   244  100   264  22725  24587 --:--:-- --:--:-- --:--:--  248k


null


In [297]:
# Encode

headers = {'X-Vault-Token': os.getenv('VAULT_TOKEN')}
url = os.getenv('VAULT_ADDR') + "/v1/transform/encode/payments"

payload = {
  "batch_input": [
    {
      "value": "1111-1111-1111-1111", 
      "transformation": "card-number"
      },
      {
        "value": "123456789",
        "transformation": "uk-passport"
      },
        {
        "value": "+1 123-345-5678",
        "transformation": "phone-number"
        }
    ]
  }
try: 
  r = requests.post(url, data=json.dumps(payload), headers=headers)
  r.raise_for_status()

  data = json.loads(r.text)
  #pprint.pprint (data)
  [ print(i['encoded_value']) for i in data['data']['batch_results']  ]
except:
    error = json.loads(r.text)["errors"]
    print(error)

6264-2685-9634-6907
846174268
+1 +++-+++-++++


In [298]:
# Encode

headers = {'X-Vault-Token': os.getenv('VAULT_TOKEN')}
url = os.getenv('VAULT_ADDR') + "/v1/transform/encode/payments"

payload = {
  "batch_input": [
    { "value": "7998-7227-5261-3751", "transformation": "card-number" },
    { "value": "2026-7948-2166-0380", "transformation": "card-number" },
    { "value": "3979-1805-7116-8137", "transformation": "card-number" },
    { "value": "0196-8166-5765-0438", "transformation": "card-number" }
  ]
}
try: 
  r = requests.post(url, data=json.dumps(payload), headers=headers)
  r.raise_for_status()

  data = json.loads(r.text)
  #pprint.pprint (data)
  [ print(i['encoded_value']) for i in data['data']['batch_results']  ]
except:
    error = json.loads(r.text)["errors"]
    print(error)

8970-7607-6427-3028
7483-6585-2737-9812
6097-2083-9116-2434
8844-3061-6301-1067


In [299]:
# Decode - Copy output from the cell above. Result should be as per the input of the cell above

headers = {'X-Vault-Token': os.getenv('VAULT_TOKEN')}
url = os.getenv('VAULT_ADDR') + "/v1/transform/decode/payments"

payload = {
  "batch_input": [
    { "value": "8970-7607-6427-3028", "transformation": "card-number" },
    { "value": "7483-6585-2737-9812", "transformation": "card-number" },
    { "value": "6097-2083-9116-2434", "transformation": "card-number" },
    { "value": "8844-3061-6301-1067", "transformation": "card-number" }
  ]
}
try: 
  r = requests.post(url, data=json.dumps(payload), headers=headers)
  r.raise_for_status()

  data = json.loads(r.text)
  #pprint.pprint (data)
  [ print(i['decoded_value']) for i in data['data']['batch_results']  ]
except:
    error = json.loads(r.text)["errors"]
    print(error)

7998-7227-5261-3751
2026-7948-2166-0380
3979-1805-7116-8137
0196-8166-5765-0438


# Tokenization

In [300]:
%%bash
# Transform engine is already enabled
# Crate Transformation
vault write transform/transformations/tokenization/credit-card \
  allowed_roles=payments \
  max_ttl=24h


Success! Data written to: transform/transformations/tokenization/credit-card


In [301]:
%%bash
# Asociate Transformation to Role
vault write transform/role/payments transformations=card-number,uk-passport,us-ssn,phone-number,credit-card

Success! Data written to: transform/role/payments


In [302]:
%%bash
vault read transform/transformations/tokenization/credit-card

Key                 Value
---                 -----
allowed_roles       [payments]
deletion_allowed    false
mapping_mode        default
max_ttl             24h
stores              [builtin/internal]
templates           <nil>
type                tokenization


> Permissions required to operate with the Tokenization feature from an application perspective

In [303]:
%%bash
vault policy write tokenuser -<<EOF
# Work with transform secrets engine
# To request data encoding using any of the roles
# Specify the role name in the path to narrow down the scope
path "transform/encode/payments" {
   capabilities = [ "update" ]
}

# To request data decoding using any of the roles
# Specify the role name in the path to narrow down the scope
path "transform/decode/payments" {
   capabilities = [ "update" ]
}

# To validate the token
path "transform/validate/payments" {
   capabilities = [ "update" ]
}

# To retrieve the metadata belong to the token
path "transform/metadata/payments" {
   capabilities = [ "update" ]
}

# To check and see if the secret is tokenized
path "transform/tokenized/payments" {
   capabilities = [ "update" ]
}

# To check tokens associated to value
path "transform/tokens/payments" {
   capabilities = [ "update" ]
}

EOF

Success! Uploaded policy: tokenuser


In [304]:
%%bash
# vault auth enable userpass
vault write auth/userpass/users/tokenuser password="changeme" policies="tokenuser"

Success! Data written to: auth/userpass/users/tokenuser


In [206]:

payload = {
    "password": "changeme",
    }
#headers = {'X-Vault-Token': os.getenv('VAULT_TOKEN')}
url = os.getenv('VAULT_ADDR') + "/v1/auth/userpass/login/tokenuser"
try:
    r = requests.post(url, data=payload)
    data = json.loads(r.text)
    r.raise_for_status()

    # Extract Token from Response Payload
    
    pprint.pprint(data)
    print ("Token: " + data['auth']['client_token'])
    os.environ["VAULT_TOKEN"] = data['auth']['client_token']

except:
    print(data["errors"])

{'auth': {'accessor': 'lGMNEdSHfTIO3Hh6WeOr2uWL',
          'client_token': 'hvs.CAESIPetlmLgIXJy_e7-b4g8XuYhMm6EEw_0Vwur6KNJQNXXGiEKHGh2cy5weVl5VkNFQWQ5angyVkZFZURiN0VuNmgQkgI',
          'entity_id': '5ebd3c9d-9dc7-30a5-5e2b-a5dea4b66a22',
          'lease_duration': 2764800,
          'metadata': {'username': 'tokenuser'},
          'mfa_requirement': None,
          'num_uses': 0,
          'orphan': True,
          'policies': ['default', 'tokenuser'],
          'renewable': True,
          'token_policies': ['default', 'tokenuser'],
          'token_type': 'service'},
 'data': None,
 'lease_duration': 0,
 'lease_id': '',
 'renewable': False,
 'request_id': '46666b09-ec97-f88f-6e0f-842adcdf8fe7',
 'wrap_info': None}
Token: hvs.CAESIPetlmLgIXJy_e7-b4g8XuYhMm6EEw_0Vwur6KNJQNXXGiEKHGh2cy5weVl5VkNFQWQ5angyVkZFZURiN0VuNmgQkgI


In [305]:
%%bash
vault write transform/encode/payments value=1111-2222-3333-4444 \
     transformation=credit-card \
     ttl=8h \
     metadata="Organization=HashiCorp" \
     metadata="Purpose=Travel" \
     metadata="Type=AMEX"


Key              Value
---              -----
encoded_value    eRwUjS2L9duV6QCLhXWH9xXsCDV3ZX3RRh3AisMmFH2xspFT3obHFzc9ZgRdyRmYwogRLzvKS


In [311]:
%%bash
## Copy value from output of previous cell
export MY_TOKEN="eRwUjS2L9dhcWB44hWZqsDrtN8AAtqwkbKHQeTtjqZze2b7GP1gutH28eHkEZcwQCVNUHnkCc"
# Review Metadata
vault write transform/metadata/payments value=$MY_TOKEN transformation=credit-card
echo "--------------------------------------------------------------------------------"
# Validate Token
vault write transform/validate/payments value=$MY_TOKEN transformation=credit-card
echo "--------------------------------------------------------------------------------"
# Verified if already tokenized
#vault write transform/tokenized/payments value=1111-2222-3333-4444 transformation=credit-card
echo "--------------------------------------------------------------------------------"
# Obtain the original value
vault write transform/decode/payments transformation=credit-card value=$MY_TOKEN

Key                Value
---                -----
expiration_time    2023-02-06 17:58:13.620580429 +0000 UTC
metadata           map[Organization:HashiCorp metadata:Type=AMEX]
--------------------------------------------------------------------------------
Key      Value
---      -----
valid    true
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Key              Value
---              -----
decoded_value    1234-2222-3333-5555


In [307]:
# Tokenize
def tokenize(role, function, transformation_name, payload=False, token=False):
  headers = {'X-Vault-Token': os.getenv('VAULT_TOKEN')}
  if function in ["encode", "validate", "metadata", "tokenized", "decode"]:
    url = os.getenv('VAULT_ADDR') + "/v1/transform/{}/{}".format(function,role)
  else:
    raise Exception
  
  if function in ["validate", "tokenized", "metadata", "decode"]:
    payload = {
      "value": token,
      "transformation": transformation_name,
    }
  if function in ["encode"]:
    if payload:
      payload = payload
    else:
      print ("no Payload included")
      raise Exception

  try: 
    payload["transformation"] = transformation_name
    r = requests.post(url, data=json.dumps(payload), headers=headers)
    r.raise_for_status()

    data = json.loads(r.text)
    
    if function in ["encode"]:
      pprint.pprint (data['data'])
      encoded_value = data['data']['encoded_value']
      return encoded_value
    else:
      return data["data"]
  except:
    error = json.loads(r.text)["errors"]
    print(error)
    return

payload= {
  "value": "1234-2222-3333-5555",
  "transformation": "credit-card",
  "ttl": "8h",
  "metadata": {
    "BIN": "1234",
    "metadata": "Purpose=Travel",
    "metadata": "Type=AMEX"
  }
}

#Encode
token = tokenize("payments", "encode", "credit-card", payload=payload)
#Decode
print(tokenize("payments", "decode", "credit-card", token=token))
#Validate
print(tokenize("payments", "validate", "credit-card", token=token))
#Metadata
print(tokenize("payments", "metadata", "credit-card", token=token))

{'encoded_value': 'eRwUjS2L9dhNWA7dePMBQRoAJdguTDya15oqj2NRaFiFQmxzne33SCbfnpZCZxzRMPQFxyKTN'}
{'decoded_value': '1234-2222-3333-5555'}
{'valid': True}
{'expiration_time': '2023-02-06 17:57:53.837844545 +0000 UTC', 'metadata': {'Organization': 'HashiCorp', 'metadata': 'Type=AMEX'}}


> Convergent Tokenization. With the current configuration every encoding request results in a different token

In [308]:
#Encode
token = tokenize("payments", "encode", "credit-card", payload=payload)

{'encoded_value': '9UrVvkyFthyv5J5jGeEY1zdFrPCEqgEHsxw7K9k37higECpUYpAHiTUkcqMV5UvUPf3SUaNW'}


In [309]:
#Encode
token = tokenize("payments", "encode", "credit-card", payload=payload)

{'encoded_value': 'eRwUjS2L9dhcWB44hWZqsDrtN8AAtqwkbKHQeTtjqZze2b7GP1gutH28eHkEZcwQCVNUHnkCc'}


In [310]:
#Encode
token = tokenize("payments", "encode", "credit-card", payload=payload)

{'encoded_value': '9UrVvkyFthyNiq4b24FDGKoqpMrVXhZhs2dNkH2bgfN6b9R97V1gMnaiGVxnn56Gw2m2sTMH'}


In [312]:
%%bash
# We are going to create a new Transformation that support convergent tokenization
vault write transform/transformations/tokenization/credit-card-convergent \
     allowed_roles="*" \
     convergent=true 
# Asociate the transformation to the role
vault write transform/role/payments transformations=card-number,uk-passport,us-ssn,phone-number,credit-card,credit-card-convergent


Success! Data written to: transform/transformations/tokenization/credit-card-convergent
Success! Data written to: transform/role/payments


In [323]:
payload= {
  "value": "1234-2222-3333-5555",
  #"ttl": "8h",
  "metadata": {
    "BIN": "1234",
    "metadata": "Purpose=Travel",
    "metadata": "Type=AMEX"
  }
}

payload2= {
  "value": "1234-2222-3333-5555",
  #"transformation": "credit-card",
  #"ttl": "8h",
  "metadata": {
    "BIN": "3456",
    "metadata": "Purpose=Travel",
    "metadata": "Type=AMEX"
  }
}
token = tokenize("payments", "encode", "credit-card-convergent", payload=payload)
token1 = tokenize("payments", "encode", "credit-card-convergent", payload=payload2)
#token2 = tokenize("payments", "encode", "credit-card-convergent", payload=payload)
#token3 = tokenize("payments", "encode", "credit-card-convergent", payload=payload)


{'encoded_value': 'DaCJhefr1oY7zZ5YLSdDy5c2zze3Bio4UFu24F5LvabM2KDYguTSs3HAbrRkjZeu5pJ6PEAaFzv1'}
{'encoded_value': 'DaCJhefr1oY7zZ5YLSdDy5c2zze3Bio4UFu24F5LvabM2KDYguTSs3HAbrRkjZeu5pJ6PEAaFzv1'}


In [324]:
print(tokenize("payments", "metadata", "credit-card-convergent", token=token))
print(tokenize("payments", "metadata", "credit-card-convergent", token=token1))

{'metadata': {'BIN': '3456', 'metadata': 'Type=AMEX'}}
{'metadata': {'BIN': '3456', 'metadata': 'Type=AMEX'}}


In [220]:
%%bash
vault write transform/encode/payments value=5555-6666-7777-8888 transformation=credit-card-convergent 
vault write transform/encode/payments value=5555-6666-7777-8888 transformation=credit-card-convergent 
vault write transform/encode/payments value=5555-6666-7777-8888 transformation=credit-card-convergent 
vault write transform/encode/payments value=5555-6666-7777-8888 transformation=credit-card-convergent 


Key              Value
---              -----
encoded_value    DaCJhefr1oTgmn5qsiSp1ScwdaAuPUv5Ep37kBuSV9LxX3niuRkr5cuo1YM9EYsrZg2Di89J59ZV
Key              Value
---              -----
encoded_value    DaCJhefr1oTgmn5qsiSp1ScwdaAuPUv5Ep37kBuSV9LxX3niuRkr5cuo1YM9EYsrZg2Di89J59ZV
Key              Value
---              -----
encoded_value    DaCJhefr1oTgmn5qsiSp1ScwdaAuPUv5Ep37kBuSV9LxX3niuRkr5cuo1YM9EYsrZg2Di89J59ZV
Key              Value
---              -----
encoded_value    DaCJhefr1oTgmn5qsiSp1ScwdaAuPUv5Ep37kBuSV9LxX3niuRkr5cuo1YM9EYsrZg2Di89J59ZV


In [221]:
%%bash
# When a TTL is included the resulting token changes. By removing the TTL metadata we get the same token with every request

vault write transform/encode/payments value=1111-2222-3333-4444 \
     transformation=credit-card-convergent \
     ttl=8h \
     metadata="Organization=HashiCorp" \
     metadata="Purpose=Travel" \
     metadata="Type=AMEX"

vault write transform/encode/payments value=1111-2222-3333-4444 \
     transformation=credit-card-convergent \
     ttl=8h \
     metadata="Organization=HashiCorp" \
     metadata="Purpose=Travel" \
     metadata="Type=AMEX"

vault write transform/encode/payments value=1111-2222-3333-4444 \
     transformation=credit-card-convergent \
     ttl=8h \
     metadata="Organization=HashiCorp" \
     metadata="Purpose=Travel" \
     metadata="Type=AMEX"

Key              Value
---              -----
encoded_value    5d5TaiZFrCe8cJHL2uZFTAvqPxxmfR81hgqdqaK9a4tNAQBLhGxhxBqncV1Hp4XC4CwHEGh3iDy29puUy5myvJtKM6kMWk
Key              Value
---              -----
encoded_value    MQEgMY8jwXRFWi3pg5zPKjekh4g2BqshG3ozRsVPQ1tvhma6mtex1DQEha9UxjjV1aEfAE8hqrYEsptQTgnhifaAz6h5bwo
Key              Value
---              -----
encoded_value    MQEgMY8jwXRFWi3pg5zPKjekh4g2BqshG3ozRsVPQ1tvhma6mtex1DQEha9UxjjV1aEfAUYv1BSm1EsEKcUH8otyNEoeKM5


> Lookup token for convergent tokenization

In [326]:
%%bash
vault write transform/tokens/payments value=1234-2222-3333-5555 \
    transformation=credit-card-convergent expiration="any"


Key       Value
---       -----
tokens    [DaCJhefr1oY7zZ5YLSdDy5c2zze3Bio4UFu24F5LvabM2KDYguTSs3HAbrRkjZeu5pJ6PEAaFzv1 MQEgMY8jwXVEtDDzzmrZMS428fh3vuFyzKmBpw5DBVhayThA6U9xLzCKtBhyHHimx8LM55dQ7U5bEp4eLwavtzfDfKYFhjv MQEgMY8jwXHDtdVX2bNJ2XsqaURhdo5qzzzFPWkmeEiPSPtW7PVT2sp44GzddNiTCmbPL5AYm3Ja7gHq4hMXSrTc7msdQGT MQEgMY8jwXHDtdVX2bNJ2XsqaURhdo5qzzzFPWkmeEiPSPtW7PVT2sp44GzddNiTCmbPL7FqUbuuaiapndGtJBdPrUju9ib]


In [327]:
print(tokenize("payments", "decode", "credit-card-convergent", token="DaCJhefr1oY7zZ5YLSdDy5c2zze3Bio4UFu24F5LvabM2KDYguTSs3HAbrRkjZeu5pJ6PEAaFzv1"))

{'decoded_value': '1234-2222-3333-5555'}


In [328]:
print(tokenize("payments", "decode", "credit-card-convergent", token="MQEgMY8jwXHDtdVX2bNJ2XsqaURhdo5qzzzFPWkmeEiPSPtW7PVT2sp44GzddNiTCmbPL7FqUbuuaiapndGtJBdPrUju9ib"))

{'decoded_value': '1234-2222-3333-5555'}


In [329]:
print(tokenize("payments", "metadata", "credit-card-convergent", token="DaCJhefr1oY7zZ5YLSdDy5c2zze3Bio4UFu24F5LvabM2KDYguTSs3HAbrRkjZeu5pJ6PEAaFzv1"))
print(tokenize("payments", "metadata", "credit-card-convergent", token="MQEgMY8jwXHDtdVX2bNJ2XsqaURhdo5qzzzFPWkmeEiPSPtW7PVT2sp44GzddNiTCmbPL7FqUbuuaiapndGtJBdPrUju9ib"))

{'metadata': {'BIN': '3456', 'metadata': 'Type=AMEX'}}
{'expiration_time': '2023-02-06 18:06:05.684949342 +0000 UTC', 'metadata': {'BIN': '1234', 'metadata': 'Type=AMEX'}}


# Key Rotation

In [330]:
%%bash
# Latest version is 1
vault read transform/tokenization/keys/credit-card

Key                       Value
---                       -----
auto_rotate_period        0s
latest_version            1
min_available_version     0
min_decryption_version    1
name                      credit-card
type                      aes256-gcm96


In [331]:
%%bash
vault write -force transform/tokenization/keys/credit-card/rotate
# Latest version is 2 now
vault read transform/tokenization/keys/credit-card

Success! Data written to: transform/tokenization/keys/credit-card/rotate
Key                       Value
---                       -----
auto_rotate_period        0s
latest_version            2
min_available_version     0
min_decryption_version    1
name                      credit-card
type                      aes256-gcm96


In [225]:
%%bash
#Now autorotate every hour
vault write transform/tokenization/keys/credit-card/config \
   auto_rotate_period=1h
# Auto rotate period changes now
vault read transform/tokenization/keys/credit-card


Success! Data written to: transform/tokenization/keys/credit-card/config
Key                       Value
---                       -----
auto_rotate_period        1h
latest_version            2
min_available_version     0
min_decryption_version    1
name                      credit-card
type                      aes256-gcm96


In [226]:
%%bash
export MY_TOKEN_2=$(vault write -format=json transform/encode/payments \
   value=1234-5678-9012-3456 transformation=credit-card ttl=8h \
   | jq -r ".data.encoded_value")
echo $MY_TOKEN_2


9UrVvkyFthzgPKN2QeQhWPbmqp2fdBMKyzGsAHz3cjsSRCCSSTqHRQigtmZmpJfdMBC2Hxif


In [338]:
%%bash
vault write -force transform/tokenization/keys/credit-card/rotate --help

Usage: vault write [options] PATH [DATA K=V...]

  Writes data to Vault at the given path. The data can be credentials, secrets,
  configuration, or arbitrary data. The specific behavior of this command is
  determined at the thing mounted at the path.

  Data is specified as "key=value" pairs. If the value begins with an "@", then
  it is loaded from a file. If the value is "-", Vault will read the value from
  stdin.

  Persist data in the generic secrets engine:

      $ vault write secret/my-secret foo=bar

  Create a new encryption key in the transit secrets engine:

      $ vault write -f transit/keys/my-key

  Upload an AWS IAM policy from a file on disk:

      $ vault write aws/roles/ops policy=@policy.json

  Configure access to Consul by providing an access token:

      $ echo $MY_TOKEN | vault write consul/config/access token=-

  For a full list of examples and paths, please see the documentation that
  corresponds to the secret engines in use.

HTTP Options:

  -address=

In [None]:
%%bash
sleep 3600

Process is interrupted.


In [229]:
%%bash
vault read transform/tokenization/keys/credit-card
vault write transform/decode/payments transformation=credit-card value="9UrVvkyFthzgPKN2QeQhWPbmqp2fdBMKyzGsAHz3cjsSRCCSSTqHRQigtmZmpJfdMBC2Hxif"

Key                       Value
---                       -----
auto_rotate_period        1h
latest_version            2
min_available_version     0
min_decryption_version    1
name                      credit-card
type                      aes256-gcm96
Key              Value
---              -----
decoded_value    1234-5678-9012-3456


# External Storage

In [332]:
%%bash
# Add Helm repository by Bitnami
helm repo add bitnami https://charts.bitnami.com/bitnami

# Update Helm index charts
helm repo update
kubectl apply -f local-pv.yaml
kubectl apply -f pv-claim.yaml
helm install postgresql-dev -f postgres.yaml bitnami/postgresql -n vault



"bitnami" already exists with the same configuration, skipping
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "hashicorp" chart repository
...Successfully got an update from the "secrets-store-csi-driver" chart repository
...Successfully got an update from the "datadog" chart repository
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "bitnami" chart repository
Update Complete. ⎈Happy Helming!⎈
persistentvolume/postgresql-data created
persistentvolumeclaim/postgresql-data-claim created
NAME: postgresql-dev
LAST DEPLOYED: Mon Feb  6 11:19:24 2023
NAMESPACE: vault
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
CHART NAME: postgresql
CHART VERSION: 12.1.14
APP VERSION: 15.1.0

** Please be patient while the chart is being deployed **

PostgreSQL can be accessed via port 5432 on the following DNS names from within your cluster:

    postgresql-dev.vault.svc.cluster.loc

In [333]:
%%bash
# Get password from postgres
# Create a new role with a transformation password
vault write transform/role/global-id transformations=passport
# Create external storage
vault write transform/stores/postgres \
   type=sql \
   driver=postgres \
   supported_transformations=tokenization \
   connection_string='postgresql://{{username}}:{{password}}@postgresql-dev/app_db?sslmode=disable' \
   username=app1 \
   password=AppPassword
# Create schema in postgres
vault write transform/stores/postgres/schema transformation_type=tokenization \
    username=app1 password=AppPassword

# Crate transformation associated to global-id role and postgres stores
vault write transform/transformations/tokenization/passport \
    allowed_roles=global-id stores=postgres

Success! Data written to: transform/role/global-id
Success! Data written to: transform/stores/postgres
Success! Data written to: transform/stores/postgres/schema
Success! Data written to: transform/transformations/tokenization/passport


## Via termina connect to postgres
kubectl exec postgresql-dev-0 -n vault -i -t -- /bin/bash
## in the session
psql --host 127.0.0.1 -U app1 -d app_db 
select * from tokens;

In [334]:
%%bash
vault write transform/encode/global-id \
    transformation=passport \
    value="123456779"


Key              Value
---              -----
encoded_value    Q4tYgFXHxUTN9xW8WEGMYnQi7M3RY9KWMfuWkATfz5bxDL3rr45PD6


In [335]:
%%bash
vault write transform/encode/global-id value=1111-2222-3333-4444 \
     transformation=passport \
     ttl=8h \
     metadata="Organization=HashiCorp" \
     metadata="Purpose=Travel" \
     metadata="Type=AMEX"

Key              Value
---              -----
encoded_value    9UrVvkyFti58soW8BjS1SEoiDcaqT6CR9UczrKS4v7AREwmmzcKNySF9yoHcL4sy11UUExEM


## in the session once more 
select * from tokens;

In [336]:
%%bash
vault write transform/decode/global-id \
    transformation=passport \
    value="9UrVvkyFti58soW8BjS1SEoiDcaqT6CR9UczrKS4v7AREwmmzcKNySF9yoHcL4sy11UUExEM"

Key              Value
---              -----
decoded_value    1111-2222-3333-4444
