# HashiCorp Vault Demo for Transit Engine and Advanced Data Protection (ADP) features.

This demo shows how HashiCorp Vault Transit engine encryption and ADP features work.  ADP features include Format Preserving Encryption (FPE), Data Masking, and Tokenization.

To run this notebook in VS Code, chose the Jupyter kernel and then Bash

This assumes your Vault server is installed using docker and already running on http://127.0.0.1:8200
and you have set your VAULT_ADDR and VAULT_TOKEN variables.

This also assumes you have the Vault CLI installed.

You will need Vault to be installed with an ADP Transform license add-on.

In [None]:
# Optional.  The following are some sample commands for running Vault Enterprise in docker.
export VAULT_PORT=8200
export VAULT_ADDR="http://127.0.0.1:${VAULT_PORT}"
export VAULT_TOKEN="root"
# Change the path to your license file
export VAULT_LICENSE=$(cat $HOME/vault-enterprise/vault_local/data/vault.hclic)
docker run -d --rm --name vault-enterprise --cap-add=IPC_LOCK \
-v $LOGS_PATH:/vault_logs \
-e "VAULT_DEV_ROOT_TOKEN_ID=${VAULT_TOKEN}" \
-e "VAULT_DEV_LISTEN_ADDRESS=:${VAULT_PORT}" \
-e "VAULT_LICENSE=${VAULT_LICENSE}" \
-p ${VAULT_PORT}:${VAULT_PORT} hashicorp/vault-enterprise:latest

# Vault Transit Engine
This section demonstrates the base encryption/decryption functions.

Ref: https://developer.hashicorp.com/vault/docs/secrets/transit

In [None]:
# Enable transit engine at the default mount path
vault secrets disable transit
vault secrets enable transit

In [57]:
# Create a key
vault write -f transit/keys/demo-key

# Policy sample to use key
# Ref: https://developer.hashicorp.com/vault/tutorials/encryption-as-a-service/eaas-transit?variants=vault-deploy%3Aselfhosted#create-a-token-for-vault-clients

[0mKey                       Value
---                       -----
allow_plaintext_backup    false
auto_rotate_period        0s
deletion_allowed          false
derived                   false
exportable                false
imported_key              false
keys                      map[1:1695865864]
latest_version            1
min_available_version     0
min_decryption_version    1
min_encryption_version    0
name                      demo-key
supports_decryption       true
supports_derivation       true
supports_encryption       true
supports_signing          false
type                      aes256-gcm96[0m


In [58]:
# Encrypt plain text with key and store cipher text
# Before encrypting, value will be base64 encoded
vault write -f transit/encrypt/demo-key plaintext=$(base64 <<< "4111 1111 1111 1111")

# Store cipher text
export CIPHERTEXT=$(vault write -f -field=ciphertext transit/encrypt/demo-key plaintext=$(base64 <<< "4111 1111 1111 1111"))
echo
echo "Encrypted value: $CIPHERTEXT"

[0mKey            Value
---            -----
ciphertext     vault:v1:dsXH4vMGztnSNK1zACKcAwgOEnATp0znoW+hBfqNKfffmvcfkJnZnZ1yJIVSRFAg
key_version    1[0m

Encrypted value: vault:v1:pDhW6glcvdF4B8ZBxfw1dhfKTXERL2xqn6LgUawppki8GhK6kaT/7hrVAp1ooVNF


In [59]:
# Decrypt cipher text
echo "Encrypted value: $CIPHERTEXT"
echo
echo "Decrypted value: $(base64 --decode <<< $(vault write -field=plaintext transit/decrypt/demo-key ciphertext=$CIPHERTEXT))"


Encrypted value: vault:v1:pDhW6glcvdF4B8ZBxfw1dhfKTXERL2xqn6LgUawppki8GhK6kaT/7hrVAp1ooVNF

Decrypted value: 4111 1111 1111 1111


In [60]:
# Demo key rotation
vault write -f transit/keys/demo-key/rotate

[0mKey                       Value
---                       -----
allow_plaintext_backup    false
auto_rotate_period        0s
deletion_allowed          false
derived                   false
exportable                false
imported_key              false
keys                      map[1:1695865864 2:1695865871]
latest_version            2
min_available_version     0
min_decryption_version    1
min_encryption_version    0
name                      demo-key
supports_decryption       true
supports_derivation       true
supports_encryption       true
supports_signing          false
type                      aes256-gcm96[0m


In [61]:
# Show that the key_version is now incremented
vault write -f transit/encrypt/demo-key plaintext=$(base64 <<< "4111 1111 1111 1111")

[0mKey            Value
---            -----
ciphertext     vault:v2:gV0/H6LAhKo8B9Ud5/+0yQF2QvQd4SnchwDRP5C2toPUQBPuLnBLUhybFvdUVxiH
key_version    2[0m


In [62]:
# Show that you cannot export a key if it is not marked exportable
vault read transit/export/encryption-key/demo-key

# Show that you cannot backup the key
vault read transit/backup/demo-key

# Show that you cannot delete a key if it is not marked as deletion allowed
vault delete transit/keys/demo-key

[91mError reading transit/export/encryption-key/demo-key: Error making API request.

URL: GET http://127.0.0.1:8200/v1/transit/export/encryption-key/demo-key
Code: 400. Errors:

* private key material is not exportable[0m
[91mError reading transit/backup/demo-key: Error making API request.

URL: GET http://127.0.0.1:8200/v1/transit/backup/demo-key
Code: 500. Errors:

* 1 error occurred:
	* exporting is disallowed on the policy

[0m
[91mError deleting transit/keys/demo-key: Error making API request.

URL: DELETE http://127.0.0.1:8200/v1/transit/keys/demo-key
Code: 400. Errors:

* error deleting policy demo-key: deletion is not allowed for this key[0m


: 2

In [None]:
# Let's create a new key to show export and deletion capability

# Mark as exportable on creation
vault write -f transit/keys/demo-key2 exportable=true

In [63]:
# Configure allow deletion and allows backup/restore in plaintext format
vault write transit/keys/demo-key2/config deletion_allowed=true allow_plaintext_backup=true

[0mKey                       Value
---                       -----
allow_plaintext_backup    false
auto_rotate_period        0s
deletion_allowed          false
derived                   false
exportable                true
imported_key              false
keys                      map[1:1695865885]
latest_version            1
min_available_version     0
min_decryption_version    1
min_encryption_version    0
name                      demo-key2
supports_decryption       true
supports_derivation       true
supports_encryption       true
supports_signing          false
type                      aes256-gcm96[0m

[0mKey                       Value
---                       -----
allow_plaintext_backup    true
auto_rotate_period        0s
deletion_allowed          true
derived                   false
exportable                true
imported_key              false
keys                      map[1:1695865885]
latest_version            1
min_available_version     0
min_decryption_version    1
m

In [64]:
# Show that you can now export the key
vault read transit/export/encryption-key/demo-key2
echo
# Show that you can do a backup of the key
vault read transit/backup/demo-key2
export KEY_BACKUP=$(vault read -field=backup transit/backup/demo-key2)

[0mKey     Value
---     -----
keys    map[1:sDb+4XUBJdmrMQmIxMec5YhGafIwELK0wpyBRyVXxoo=]
name    demo-key2
type    aes256-gcm96[0m

[0mKey       Value
---       -----
backup    eyJwb2xpY3kiOnsibmFtZSI6ImRlbW8ta2V5MiIsImtleXMiOnsiMSI6eyJrZXkiOiJzRGIrNFhVQkpkbXJNUW1JeE1lYzVZaEdhZkl3RUxLMHdweUJSeVZYeG9vPSIsImhtYWNfa2V5IjoiQWFmQjIrdWl3U2lpajlTdTlkcXdnZkpXaHFtaVBIUGRtR3FUY0FFaVZZQT0iLCJ0aW1lIjoiMjAyMy0wOS0yOFQwMTo1MToyNS45NDM5ODgyMTVaIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicnNhX3B1YmxpY19rZXkiOm51bGwsInB1YmxpY19rZXkiOiIiLCJjb252ZXJnZW50X3ZlcnNpb24iOjAsImNyZWF0aW9uX3RpbWUiOjE2OTU4NjU4ODV9fSwiZGVyaXZlZCI6ZmFsc2UsImtkZiI6MCwiY29udmVyZ2VudF9lbmNyeXB0aW9uIjpmYWxzZSwiZXhwb3J0YWJsZSI6dHJ1ZSwibWluX2RlY3J5cHRpb25fdmVyc2lvbiI6MSwibWluX2VuY3J5cHRpb25fdmVyc2lvbiI6MCwibGF0ZXN0X3ZlcnNpb24iOjEsImFyY2hpdmVfdmVyc2lvbiI6MSwiYXJjaGl2ZV9taW5fdmVyc2lvbiI6MCwibWluX2F2YWlsYWJsZV92ZXJzaW9uIjowLCJkZWxldGlvbl9hbGxvd2VkIjp0cnVlLCJjb252ZXJnZW50X3ZlcnNpb24iOjAsInR5cGUiOjAsImJhY2t1cF

In [65]:
# Show that you can delete the key now
vault delete transit/keys/demo-key2

# Show that the key is deleted
vault read transit/export/encryption-key/demo-key2

[0mSuccess! Data deleted (if it existed) at: transit/keys/demo-key2[0m
[91mNo value found at transit/export/encryption-key/demo-key2[0m


: 2

In [66]:
# Let's restore the key now
echo "Key Backup: $KEY_BACKUP"
# Restore the key
vault write transit/restore/demo-key2 backup=$KEY_BACKUP
echo
# Show that the key is restored
vault read transit/export/encryption-key/demo-key2

Key Backup: eyJwb2xpY3kiOnsibmFtZSI6ImRlbW8ta2V5MiIsImtleXMiOnsiMSI6eyJrZXkiOiJzRGIrNFhVQkpkbXJNUW1JeE1lYzVZaEdhZkl3RUxLMHdweUJSeVZYeG9vPSIsImhtYWNfa2V5IjoiQWFmQjIrdWl3U2lpajlTdTlkcXdnZkpXaHFtaVBIUGRtR3FUY0FFaVZZQT0iLCJ0aW1lIjoiMjAyMy0wOS0yOFQwMTo1MToyNS45NDM5ODgyMTVaIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicnNhX3B1YmxpY19rZXkiOm51bGwsInB1YmxpY19rZXkiOiIiLCJjb252ZXJnZW50X3ZlcnNpb24iOjAsImNyZWF0aW9uX3RpbWUiOjE2OTU4NjU4ODV9fSwiZGVyaXZlZCI6ZmFsc2UsImtkZiI6MCwiY29udmVyZ2VudF9lbmNyeXB0aW9uIjpmYWxzZSwiZXhwb3J0YWJsZSI6dHJ1ZSwibWluX2RlY3J5cHRpb25fdmVyc2lvbiI6MSwibWluX2VuY3J5cHRpb25fdmVyc2lvbiI6MCwibGF0ZXN0X3ZlcnNpb24iOjEsImFyY2hpdmVfdmVyc2lvbiI6MSwiYXJjaGl2ZV9taW5fdmVyc2lvbiI6MCwibWluX2F2YWlsYWJsZV92ZXJzaW9uIjowLCJkZWxldGlvbl9hbGxvd2VkIjp0cnVlLCJjb252ZXJnZW50X3ZlcnNpb24iOjAsInR5cGUiOjAsImJhY2t1cF9pbmZvIjp7InRpbWUiOiIyMDIzLTA5LTI4VDAxOjUyOjI4LjM5NzA3Nzc1OFoiLCJ2ZXJzaW9uIjoxfSwicmVzdG9yZV9pbmZvIjpudWxsLCJhbGxvd19wbGFpbnRleHRfYmFja3VwIjp0cnVlLCJ2ZXJzaW9uX3RlbXBsYXRl

## Setup Vault's Transform Engine (ADP Feature)

In [None]:
# Enable transform engine at the default mount path
# Policy for configuration - https://developer.hashicorp.com/vault/tutorials/adp/transform#policy-requirements
vault secrets enable transform

# Format Preserving Encryption (FPE) Demo - Credit Card Number

In [None]:
# Create a role named "payments" with "card-number" transformation attached
vault write transform/role/payments transformations=card-number

In [None]:
# Verify the role "payments" is created
vault list transform/role

In [None]:
# View existing templates.  Show that we will be using "builtin/creditcardnumber"
vault list transform/template

In [None]:
# Create a transformation named "card-number" which will be used by role "payments" to transform credit card numbers.
# This uses the built-in template builtin/creditcardnumber to perform format-preserving encryption (FPE). 
vault write transform/transformations/fpe/card-number \
    template="builtin/creditcardnumber" \
    tweak_source=internal \
    allowed_roles=payments

In [None]:
# Verify the "card-number" transformation is created
vault list transform/transformations/fpe

In [None]:
# View the "card-number" transformation details
# https://developer.hashicorp.com/vault/tutorials/adp/transform#policy-requirements
vault read transform/transformations/fpe/card-number

In [None]:
# Encode credit card number using FPE
vault write transform/encode/payments value=1111-2222-3333-4444 transformation=card-number

# Store encoded value
export FPE_ENCODED_VALUE=$(vault write -format json transform/encode/payments value=1111-2222-3333-4444 \
  transformation=card-number | jq -r .data.encoded_value)

In [None]:
# Decode credit card number
vault write transform/decode/payments value=$FPE_ENCODED_VALUE transformation=card-number

# FPE Demo - NRIC

In [None]:
# Create template for Singapore NRIC.  Note that we are not changing the front and ending letters.  
vault write transform/template/sg-nric-tmpl \
    type=regex \
    pattern="[stfgSTFG](\d{7})[a-zA-Z]" \
    alphabet=builtin/numeric 

In [None]:
# View added template
vault list transform/template

In [None]:
# Create transformation named "sg-nric" with the "sg-nric-tmpl" template
vault write transform/transformations/fpe/sg-nric \
    template=sg-nric-tmpl \
    tweak_source=internal \
    allowed_roles=hr-role


In [None]:
# Create a role named "hr-role" with "sg-nric" transformation attached
vault write transform/role/hr-role transformations=sg-nric

In [None]:
# Encode a NRIC value
vault write transform/encode/hr-role value="S7012345Z" transformation=sg-nric

export FPE_ENCODED_VALUE=$(vault write -format json transform/encode/hr-role value="S7012345Z" transformation=sg-nric | jq -r .data.encoded_value)

In [None]:
# Decode NRIC
echo -e "FPE Encoded Value is: $FPE_ENCODED_VALUE\n"
vault write transform/decode/hr-role value=$FPE_ENCODED_VALUE transformation=sg-nric

# Data Masking Demo - IP Address

In [None]:
# Create template for IP address.  I want to mask all digits.
vault write transform/template/ip-address-tmpl type=regex \
    pattern="(2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\.(2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\.(2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\.(2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])" \
    alphabet=builtin/numeric

In [None]:
# View added template
vault list transform/template

In [None]:
# Create a transformation named "ip-address" which will be used by role "logging-role" 
vault write transform/transformations/masking/ip-address \
    template=ip-address-tmpl \
    masking_character=# \
    allowed_roles='logging-role'


In [None]:
# Create a role named "logging-role" with "ip-address" transformation attached
vault write transform/role/logging-role transformations=ip-address



In [None]:
# Mask a valid IP address
vault write transform/encode/logging-role value="10.100.1.87" \
    transformation=ip-address

# Tokenization Demo - Credit Card Number

In [None]:
# Run a PostgreSQL database for tokenization demo
docker run --name postgres \
     -p 5432:5432 \
     --rm \
     -e POSTGRES_USER=root \
     -e POSTGRES_PASSWORD=mypassword \
     -d postgres

In [None]:
# Verify Postgres database is running
docker ps

In [None]:
# Create a role named "mobile-pay" with a transformation named "credit-card"
vault write transform/role/mobile-pay transformations=credit-card

In [None]:
# Assumes your Vault is running on docker and connecting via the docker bridge network
# Obtain IP address of the postgres database for configuration
export POSTGRES_DB_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' postgres)
echo -e "Postgres IP Address is: $POSTGRES_DB_IP\n"
# Create a store which points to the postgres database
vault write transform/stores/postgres \
   type=sql \
   driver=postgres \
   supported_transformations=tokenization \
   connection_string="postgresql://{{username}}:{{password}}@$POSTGRES_DB_IP/root?sslmode=disable" \
   username=root \
   password=mypassword


In [None]:
# Show that there is a new postgres store created
vault list transform/stores
echo
vault read transform/stores/postgres

In [None]:
# Create a schema in postgres to store tokeniation artifacts
vault write transform/stores/postgres/schema transformation_type=tokenization \
    username=root password=mypassword

In [None]:
# Create a transformation named "credit-card" which sets the generated token's max time-to-live (TTL) to 24 hours.
# Specify the postgres store
vault write transform/transformations/tokenization/credit-card \
  allowed_roles=mobile-pay \
  stores=postgres \
  max_ttl=24h


In [None]:
# You can read back the properties of the transformation
vault read transform/transformations/tokenization/credit-card

In [None]:
# Tokenize a credit card number.  Specify token time to live as 30 secs.
# Note policy to use tokenization - https://developer.hashicorp.com/vault/tutorials/adp/tokenization#tokenize-secrets

# vault write transform/encode/mobile-pay value=1111-2222-3333-4444 \
#      transformation=credit-card \
#      ttl=30s \
#      metadata="Organization=HashiCorp" \
#      metadata="Purpose=Travel" \
#      metadata="Type=AMEX"

export TOKEN_ENCODED_VALUE=$(vault write -format json transform/encode/mobile-pay value=1111-2222-3333-4444 \
     transformation=credit-card \
     ttl=30s \
     metadata="Organization=HashiCorp" \
     metadata="Purpose=Travel" \
     metadata="Type=AMEX" \
     | jq -r .data.encoded_value)
echo "encoded_value is : $TOKEN_ENCODED_VALUE"

# Note you can show the operation below within the 30s window and see the behaviour.

In [None]:
# Retrieve metadata of the token
vault write transform/metadata/mobile-pay value=$TOKEN_ENCODED_VALUE transformation=credit-card

In [None]:
# Validate the token value
vault write transform/validate/mobile-pay value=$TOKEN_ENCODED_VALUE transformation=credit-card

In [None]:
# Validate if the credit card number has been tokenized already
vault write transform/tokenized/mobile-pay value=1111-2222-3333-4444 transformation=credit-card

In [None]:
# Detokenize to retrieve the original plaintext credit card value

# vault write transform/decode/mobile-pay transformation=credit-card value=$TOKEN_ENCODED_VALUE

vault write -format json transform/decode/mobile-pay transformation=credit-card value=$TOKEN_ENCODED_VALUE | jq -r .data.decoded_value

# View Contents of PostgreSQL Database

In [None]:
# Setup psql alias to the container
alias psql="docker exec -it postgres psql -U root"

# View tokens in the postgres store
psql -c '\x auto;' -c 'select * from tokens;'

# Cleanup

In [67]:
# Cleanup
# stop PostgreSQL container
docker stop postgres

# Disable transit engine
vault secrets disable transit

# Disable transform engine
vault secrets disable transform

# Stop Vault container
docker stop vault-enterprise

[0mSuccess! Disabled the secrets engine (if it existed) at: transit/[0m
