Create a transit key with convergent encryption and key derivation enabled: 'vault write transit/keys/conv-key type=aes256-gcm96 convergent_encryption=true derived=true'
Generate a unique per-record 96-bit (12-byte) context value encoded as base64 and store it alongside the record
Encrypt the same plaintext twice with the same context: 'vault write transit/encrypt/conv-key plaintext=$(base64 <<< "SSN: 123-45-6789") context=<BASE64_CONTEXT>'
Verify that both encryption calls return byte-identical ciphertext; this demonstrates the deterministic behaviour
Decrypt by supplying the same context: 'vault write transit/decrypt/conv-key ciphertext=<VAULT_CIPHERTEXT> context=<BASE64_CONTEXT>'
Keep the context in a separate column or data store from the ciphertext, preserving the property that both the context and the ciphertext are required together to recover the plaintext
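The steps above as one runnable script (an added example, not code from the original page): it creates the key, encrypts the same plaintext twice under one context, checks that the ciphertexts match, shows that a second context yields a different ciphertext, and round-trips the decryption. It assumes VAULT_ADDR and VAULT_TOKEN are set, the transit engine is mounted at transit/, and the key name conv-key from the steps; the helper functions themselves do not need a Vault server.

```shell
#!/usr/bin/env sh
# Added example: exercises Vault transit convergent encryption end to end.
# Assumes VAULT_ADDR/VAULT_TOKEN are exported and transit is mounted at transit/.
set -eu

KEY_NAME="conv-key"   # assumed key name, matching the steps above

# 12 random bytes as base64 (16 chars). Generate one per logical record, never per call.
new_context() { head -c 12 /dev/urandom | base64 | tr -d '\n'; }

# Transit takes and returns base64-encoded plaintext.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# The determinism check: succeeds only when two ciphertexts are identical.
same_ciphertext() { [ "$1" = "$2" ]; }

# Transit ciphertexts are "vault:v<N>:<base64>"; prints the key version N.
ciphertext_version() {
  case "$1" in
    vault:v*:*) v=${1#vault:v}; printf '%s' "${v%%:*}" ;;
    *) return 1 ;;
  esac
}

encrypt() { vault write -field=ciphertext "transit/encrypt/$KEY_NAME" plaintext="$(b64 "$1")" context="$2"; }
decrypt() { vault write -field=plaintext "transit/decrypt/$KEY_NAME" ciphertext="$1" context="$2" | base64 --decode; }

demo() {
  vault write "transit/keys/$KEY_NAME" type=aes256-gcm96 convergent_encryption=true derived=true >/dev/null
  pt="SSN: 123-45-6789"           # constructed sample value, as in the steps above
  ctx_a=$(new_context); ctx_b=$(new_context)
  ct1=$(encrypt "$pt" "$ctx_a"); ct2=$(encrypt "$pt" "$ctx_a"); ct3=$(encrypt "$pt" "$ctx_b")
  if same_ciphertext "$ct1" "$ct2"; then echo "same context -> identical ciphertext (deterministic)"
  else echo "FAIL: same context gave different ciphertext"; exit 1; fi
  if same_ciphertext "$ct1" "$ct3"; then echo "FAIL: different contexts collided"; exit 1
  else echo "different context -> different ciphertext (per-record isolation)"; fi
  [ "$(decrypt "$ct1" "$ctx_a")" = "$pt" ] && echo "round trip with correct context OK (key v$(ciphertext_version "$ct1"))"
  # Wrong context: a different key is derived, so GCM authentication fails and Vault returns an error.
  if decrypt "$ct1" "$ctx_b" >/dev/null 2>&1; then echo "FAIL: decrypt with wrong context succeeded"; exit 1
  else echo "decrypt with wrong context rejected, as expected"; fi
}

# Only contact Vault when the CLI and a token are present; the helpers above run offline.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_TOKEN:-}" ]; then demo; fi
```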
Known gotchas
Convergent encryption leaks equality — an attacker who can submit chosen plaintexts can confirm whether two ciphertexts encrypt the same value; never use for high-cardinality unique fields without threat model review
The context value must be unique per logical record, not per encryption call; reusing context across records destroys the isolation guarantee
Convergent encryption requires 'derived=true'; enabling convergent_encryption without derived=true is rejected by Vault