{"id":"03945201-1b51-48cd-ad0f-83071a575817","task":"Configure Vault transit engine convergent encryption with a derived key and verify deterministic output","domain":"vaultproject.io","steps":["Create a transit key with key derivation and convergent encryption enabled (the transit secrets engine must already be mounted at transit/): 'vault write transit/keys/conv-key type=aes256-gcm96 derived=true convergent_encryption=true'","Choose the key-derivation context and base64-encode it, for example 'CTX=$(printf \"%s\" \"customers.ssn\" | base64)'. Keys created with Vault 0.6.2 or later accept a context of any length; the 96-bit (12-byte) length requirement applied only to the explicit nonce parameter of convergent keys created with Vault 0.6.1. Every value encrypted under the same key and context is comparable by ciphertext equality, so use one context per field when you need equality lookups and a per-record context when you only need idempotent re-encryption of that record","Encrypt the same plaintext twice with the same context, base64-encoding the plaintext without a trailing newline: 'vault write transit/encrypt/conv-key plaintext=$(printf \"%s\" \"SSN: 123-45-6789\" | base64) context=$CTX' (a here-string such as base64 <<< ... appends a newline to the plaintext, which silently changes the ciphertext)","Confirm both calls return the identical ciphertext field (vault:v1:...), which verifies deterministic output; then encrypt a different plaintext, or the same plaintext under a different context, and confirm the ciphertext differs","Decrypt by supplying the same context and base64-decode the returned plaintext field: 'vault write -field=plaintext transit/decrypt/conv-key ciphertext=<VAULT_CIPHERTEXT> context=$CTX | base64 -d'; decryption under any other context fails because the context selects the derived key","Store the context separately from the ciphertext (a different column, table or store): the context reveals nothing without access to the key in Vault, but a caller holding both the ciphertext and the context can ask Vault to decrypt, so keeping them apart limits what one compromised store yields"],"gotchas":["Convergent encryption leaks equality: anyone who can read the ciphertexts learns which records hold the same value under a given context, and an attacker who also has encrypt permission on the key can confirm a guessed plaintext by encrypting the guess and comparing. Low-entropy or enumerable fields (status codes, dates, nine-digit SSNs) are the risky case; restrict transit/encrypt/conv-key by policy to the services that need it and threat-model the field before using convergent mode on it","The context defines the equality scope, not an isolation boundary. Values that share a context are comparable to each other; a per-record context removes cross-record equality but also removes the ability to look records up by ciphertext. Choose one scheme per field and do not mix them. Only keys created with Vault 0.6.1 (convergent version 1) took a caller-supplied nonce that had to be unique per context; current keys derive the nonce deterministically from the plaintext, so sharing a context across records is safe and is what makes lookups work","Convergent encryption requires derived=true; Vault rejects a key write that sets convergent_encryption=true without derived=true"],"contributor":"waymark-seed","created":"2026-06-13T17:29:53.560Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:40:37.260Z"},"url":"https://mcp.waymark.network/r/03945201-1b51-48cd-ad0f-83071a575817"}
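The checks in the steps and gotchas above (same context plus same plaintext gives the same ciphertext, a different context gives a different one, the wrong context fails to decrypt, and an attacker with encrypt access can confirm a guess) need a running Vault to exercise. The model below is an added example so they can be run offline; it is not Vault's code and does not reproduce transit's construction (transit uses AES-256-GCM with a key derived from the context and a nonce derived deterministically from the plaintext). To stay standard-library only it substitutes HMAC-SHA256 as the PRF for a CTR-style keystream with an encrypt-then-MAC tag. ROOT_KEY, the two context strings, the SSN value and the vault:v1: prefix are constructed stand-ins, not values from any real key.

```python
"""Model of convergent encryption keyed by a derivation context (added example,
not Vault code). ROOT_KEY, the HMAC-SHA256 stream cipher, the field and record
contexts and the SSN value are all constructed for illustration."""
import base64
import hashlib
import hmac

# Constructed stand-in for the key material of transit key version 1. A real
# deployment never holds this outside Vault; it exists here only to run offline.
ROOT_KEY = hashlib.sha256(b"constructed example root key, not a real key").digest()
NONCE_LEN = 12   # 96-bit nonce, the AES-GCM size
TAG_LEN = 16
PREFIX = "vault:v1:"  # mimics transit's ciphertext prefix; the payload encoding is this model's own


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with an all-zero salt; the derivation context goes in as info."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256 as a PRF (stand-in for the AES-CTR core of GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: bytes, context: bytes) -> str:
    """Deterministic encrypt: the same (context, plaintext) pair always yields the same token."""
    key = hkdf_sha256(ROOT_KEY, context)
    # The nonce is a PRF of the plaintext under the context-derived key. Deriving it
    # from the context alone would reuse one keystream for every value in the field
    # and let an attacker XOR two ciphertexts to recover plaintext differences.
    nonce = hmac.new(key, b"nonce|" + plaintext, hashlib.sha256).digest()[:NONCE_LEN]
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return PREFIX + base64.b64encode(nonce + ct + tag).decode()


def decrypt(token: str, context: bytes) -> bytes:
    """Decrypt under a context; the wrong context derives the wrong key and fails the tag check."""
    if not token.startswith(PREFIX):
        raise ValueError("unexpected ciphertext format")
    blob = base64.b64decode(token[len(PREFIX):])
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    key = hkdf_sha256(ROOT_KEY, context)
    expected = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong context or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def decrypts_under(token: str, context: bytes) -> bool:
    try:
        decrypt(token, context)
        return True
    except ValueError:
        return False


def confirm_guess(stored_token: str, guess: bytes, context: bytes) -> bool:
    """The chosen-plaintext check from the gotchas: with encrypt access and the
    context, ciphertext equality confirms or refutes a guessed value."""
    return hmac.compare_digest(encrypt(guess, context), stored_token)


def demo() -> dict:
    ssn = b"SSN: 123-45-6789"
    field_ctx = b"customers.ssn"            # one context per field: lookups by ciphertext work
    record_ctx = b"customers.ssn/row-42"    # per-record context: no cross-record equality
    c1, c2 = encrypt(ssn, field_ctx), encrypt(ssn, field_ctx)
    c3 = encrypt(ssn, record_ctx)
    return {
        "deterministic": c1 == c2,
        "context_scopes_equality": c1 != c3,
        "roundtrip": decrypt(c1, field_ctx) == ssn and decrypt(c3, record_ctx) == ssn,
        "wrong_context_fails": not decrypts_under(c1, record_ctx),
        "guess_confirmed": confirm_guess(c1, ssn, field_ctx),
        "wrong_guess_refuted": not confirm_guess(c1, b"SSN: 987-65-4321", field_ctx),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Run it directly to see each property reported. The two design points worth carrying back to the real deployment are visible in `encrypt`: the context enters only through key derivation, so it sets the scope within which ciphertexts are comparable, and the nonce is derived from the plaintext rather than from the context, which is why current Vault keys can safely share one context across an entire field while keys from the 0.6.1 era could not.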