Enable the transit secrets engine: `vault secrets enable transit`
Create a named encryption key: `vault write -f transit/keys/YOUR_KEY_NAME`; optionally pass a key type (e.g., `type=aes256-gcm96`, the default) and an automatic rotation period (`auto_rotate_period`)
Grant your application's Vault policy `encrypt` and `decrypt` capabilities on the `transit/encrypt/YOUR_KEY_NAME` and `transit/decrypt/YOUR_KEY_NAME` paths
In your application, send the plaintext, base64-encoded, to `transit/encrypt/YOUR_KEY_NAME`; the API returns a ciphertext string prefixed with `vault:v1:...`. Store this ciphertext in your database
To decrypt, send the ciphertext back to `transit/decrypt/YOUR_KEY_NAME`; Vault returns the base64-encoded plaintext — decode it in your application
Rotate the key with `vault write -f transit/keys/YOUR_KEY_NAME/rotate`; re-wrap existing ciphertexts with `transit/rewrap/YOUR_KEY_NAME` to migrate them to the new key version
Known gotchas
Plaintext sent to the transit API must be base64-encoded; sending raw binary results in an error, and an unencoded string that happens to be valid base64 is silently decoded before encryption, so decryption returns something other than what you sent
Key rotation does not automatically re-encrypt stored ciphertexts — old versions remain decryptable until you rewrap and set `min_decryption_version` to retire them
Transit ciphertexts include the key version (`v1`, `v2`, etc.) so Vault selects the correct key automatically at decrypt time — do not strip or modify the prefix when storing
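The procedure above (steps 4 to 6) and the three gotchas, as an added Python example that is not from the original page: the client base64-encodes before encrypt, refuses a ciphertext whose `vault:vN:` prefix was stripped, and rewraps after rotation before `min_decryption_version` retires v1. `TransitClient`, `FakeTransit`, the key name `orders-db` and the sample value are constructed here; the fake is an in-memory stand-in for the transit endpoints, not Vault and not real encryption.

```python
import base64
import re

CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):(.+)$")  # shape: "vault:v<N>:<opaque data>"

class TransitClient:
    """Application side; post(path, body) returns the "data" dict of the API response."""
    def __init__(self, post, key_name: str):
        self.post, self.key = post, key_name
    def encrypt(self, plaintext: bytes) -> str:
        b64 = base64.b64encode(plaintext).decode()  # transit wants base64, never raw bytes
        return self.post(f"transit/encrypt/{self.key}", {"plaintext": b64})["ciphertext"]
    def decrypt(self, ciphertext: str) -> bytes:
        if not CIPHERTEXT_RE.match(ciphertext):  # prefix stripped in storage: refuse early
            raise ValueError("not a transit ciphertext (vault:vN: prefix missing)")
        data = self.post(f"transit/decrypt/{self.key}", {"ciphertext": ciphertext})
        return base64.b64decode(data["plaintext"])
    def rewrap(self, ciphertext: str) -> str:
        return self.post(f"transit/rewrap/{self.key}", {"ciphertext": ciphertext})["ciphertext"]

class FakeTransit:
    """Constructed stand-in, NOT real crypto: payload is just the base64 plaintext; models key versions only."""
    def __init__(self):
        self.latest = self.min_version = 1
    def post(self, path: str, body: dict) -> dict:
        if path.endswith("/rotate"):
            self.latest += 1
        elif path.endswith("/config"):
            self.min_version = body["min_decryption_version"]
        elif "/encrypt/" in path:
            base64.b64decode(body["plaintext"], validate=True)  # Vault rejects non-base64
            return {"ciphertext": f"vault:v{self.latest}:{body['plaintext']}"}
        else:  # decrypt or rewrap: the version in the prefix selects the key
            version, payload = CIPHERTEXT_RE.match(body["ciphertext"]).groups()
            if int(version) < self.min_version:
                raise PermissionError(f"key version v{version} is retired")
            if "/rewrap/" in path:
                return {"ciphertext": f"vault:v{self.latest}:{payload}"}
            return {"plaintext": payload}
        return {}

def rotation_flow(vault: FakeTransit, secret: bytes) -> tuple:
    """Encrypt, rotate, rewrap, then retire v1; returns the (old, new) ciphertexts."""
    client = TransitClient(vault.post, "orders-db")
    old = client.encrypt(secret)                      # value persisted in the database
    vault.post("transit/keys/orders-db/rotate", {})   # new encrypts now use v2 ...
    assert client.decrypt(old) == secret              # ... but the v1 ciphertext still decrypts
    new = client.rewrap(old)                          # migrate without handling plaintext
    vault.post("transit/keys/orders-db/config", {"min_decryption_version": 2})
    return old, new
```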