Encryption in Vault
Vault supports encryption of data at rest and data in transit. For data at rest, Vault supports disk-level encryption performed by the database backend that Vault uses (for example, AWS RDS) and application-level encryption performed by Vault itself.
Both encryption types use keys stored in a KMS. If, for example, Vault is deployed on AWS, then AWS KMS is used by default. Regardless of the deployment method, you can provide your own KMS service in Vault's configuration.
For application-level encryption, all data types in Vault are encrypted by default.
Vault supports rotation of encryption keys through the rotate data encryption keys REST API operation.
Learn how to secure an existing Piiano Vault deployment
Configure a KMS
Learn how to configure a key management service (KMS) to provide the keys used by Piiano Vault when it encrypts data.
Learn how to detect tampering attempts, find reports of detected events, and enable your system after a suspected tampering attempt.