Skip to main content


Transformations provide a mechanism to present data held in Vault in a way that reduces data exposure. This is very helpful when a server is compromised, as it prevents attackers from accessing all the data.

For example, a phone number can be masked so that only the last four digits are readable, like this ***-****-2795. Each transformation is associated with a data type.

Combined with Vault’s access policies, transformations enable you to enforce and restrict access to specific views of the data, practically reducing exposure risk. For example, a public web application collects SSNs and stores them in Vault. An access policy can be configured to allow the application to read a masked SSN value only, reducing the potential of exposing SSNs stored in the system. The SSNs are now protected, even in the case of a compromised web server (through IDOR, SQL injection, remote-code execution, etc.).

SSN use caseSSN use case

You can customize your own data types and transformations (a beta feature, see Custom types and transformations), or use the built-in transformations to:

  • Mask sensitive data types, such as SSN, email, phone number, credit card number, and bank account number.
  • Transform resolutions. For example, turning a birth date into an age or an address into a city.
  • Enforce privacy controls. For instance, disallow marketing users access to email addresses if consent is not given.
  • Allow exclusive access to SSNs by their owner by validating the end-user's JWT token, mitigating OWASP's A01:2021 – Broken Access Control.
  • Disallow US-based admins from accessing EU persons' data.

See Manage transformations for more information on transformations.