Skip to main content


Data encryption

Piiano Vault encrypts data at three levels:

  1. Inside Vault, all data is stored encrypted at field level, preventing even the database's administrator from seeing plain data.

  2. Data in transit between an application and Vault is protected using TLS. Among others, this includes:

    • Communication from applications to Piiano Vault
    • Communication from Piiano Vault to the back-end storage
    • Communication from Piiano Vault to Amazon S3
  3. The Vault database is encrypted at rest (aka disk-level encryption). This is enforced as part of the deployment. This encryption mechanism includes:

    • Back-end storage
    • Files
    • Properties of objects
    • Data of value tokens

From an application's perspective, accessing and querying encrypted properties and handling encryption is transparent.

Vault manages key provisioning and rotation for the encryption keys.

Key management service

Vault relies on a master key to generate encryption keys for property encryption, decryption, data signing, and verification. Use the Amazon Web Services (AWS), Google Cloud Platform (GCP) KMS, or Azure Key Vault to ensure secure property encryption when implementing Vault in a cloud environment. However, if you prefer to manage the keys independently or do not want to rely on a cloud provider, you can provide a seed for generating a secure master key.