Encryption in Vault
Vault supports encryption of data at rest and data in transit. Data at rest is protected at two levels: disk-level encryption performed by the database backend that Vault uses (for example, AWS RDS), and application-level encryption performed by Vault itself.
Both encryption types use keys stored in a KMS. If, for example, Vault is deployed on AWS, then AWS KMS is used by default. Regardless of the deployment method, you can specify your own KMS in Vault's configuration.
For application-level encryption, all data types in Vault are encrypted by default.
Vault supports rotation of encryption keys through the rotate data encryption keys REST API operation.
Learn how to secure an existing Piiano Vault deployment.
📄️ Encryption of data in transit (TLS)
Learn how Piiano Vault encrypts data in transit with Transport Layer Security (TLS) to protect communication with applications, back-end storage, and Amazon S3.
📄️ Encryption of data at rest
Learn that Piiano Vault encrypts back-end storage, files, properties of objects, and data of value tokens while they are at rest.
Learn how to detect tampering attempts, find reports of detected events, and enable your system after a suspected tampering attempt.