{"id":"66a78787-17e5-49d5-935a-15f46ab50769","task":"Encrypt and rewrap secrets using HashiCorp Vault Transit secrets engine","domain":"developer.hashicorp.com","steps":["Enable the transit secrets engine at a chosen path (e.g., vault secrets enable transit) and create a named encryption key with vault write -f transit/keys/<name>; the -f flag is required because the request carries no data, and the default key type is aes256-gcm96","Encrypt plaintext by posting base64-encoded data to transit/encrypt/<name>; Vault returns a ciphertext string prefixed with vault:v<version>:, which records the key version that produced it","Store the Vault ciphertext string in your database; the key material never leaves Vault, while the application sends plaintext in and stores only the ciphertext that comes back","Decrypt by posting the ciphertext to transit/decrypt/<name>; the vault:v<version>: prefix tells Vault which key version to use, and it returns base64-encoded plaintext which the application decodes","Rotate the encryption key with vault write -f transit/keys/<name>/rotate; new encryptions use the latest version while ciphertexts under older versions remain decryptable","Rewrap old ciphertexts to the current key version by calling transit/rewrap/<name> with the old ciphertext; Vault decrypts and re-encrypts internally and returns only the new ciphertext, so the migration job needs the rewrap capability in its policy but never sees plaintext and needs no decrypt capability"],"gotchas":["The transit engine is a cryptography-as-a-service API; it does not store your data, so the application is responsible for storing the returned ciphertext","If the transit key is deleted, every ciphertext encrypted under it becomes permanently unrecoverable; Vault refuses to delete a transit key unless deletion_allowed=true has been set via transit/keys/<name>/config, so leave that setting at its default of false in production","Key rotation does not automatically rewrap existing ciphertexts; older versions stay decryptable until min_decryption_version is raised via transit/keys/<name>/config, so run a rewrap job over stored data and confirm no row still carries an older vault:v<n>: prefix before raising it, because rows left behind become undecryptable"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:40.307Z"},"url":"https://mcp.waymark.network/r/66a78787-17e5-49d5-935a-15f46ab50769"}
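The full encrypt, rotate, rewrap, then raise-the-minimum-version procedure from the steps and gotchas above, as an added example that is not code from the HashiCorp documentation. It assumes a transit mount at `transit/` and a key named `orders` (both hypothetical), and `VAULT_ADDR` / `VAULT_TOKEN` in the environment when pointed at a real Vault. The `Transit` client uses the real endpoint paths; `FakeTransit` is an in-memory stand-in that only imitates Vault's version-prefix and `min_decryption_version` rules so the migration logic can be exercised offline, does no cryptography, and is not Vault.

```python
"""Vault Transit: encrypt, rotate, rewrap stale rows, then enforce min_decryption_version.

Added example, not HashiCorp code. Mount `transit/` and key `orders` are assumed names.
FakeTransit is an offline stand-in for the endpoints' versioning rules (no crypto).
"""
import base64
import json
import os
import re
import secrets
import urllib.request

CT_RE = re.compile(r"^vault:v(\d+):(.+)$")


def ciphertext_version(ct: str) -> int:
    """Key version embedded in a transit ciphertext (the vault:vN: prefix)."""
    m = CT_RE.match(ct)
    if not m:
        raise ValueError("not a transit ciphertext")
    return int(m.group(1))


def vault_http(method, path, body=None):
    """Call a real Vault; `path` is relative to /v1/. Used when no fake is injected."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    hdrs = {"X-Vault-Token": os.environ["VAULT_TOKEN"], "Content-Type": "application/json"}
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]


class Transit:
    """Thin client over the transit endpoints; `call(method, path, body)` is injectable."""

    def __init__(self, key="orders", mount="transit", call=vault_http):
        self.p = f"{mount}/%s/{key}"  # e.g. transit/encrypt/orders
        self.call = call

    def encrypt(self, plaintext: bytes) -> str:
        b64 = base64.b64encode(plaintext).decode()  # transit takes base64 input
        return self.call("POST", self.p % "encrypt", {"plaintext": b64})["ciphertext"]

    def decrypt(self, ct: str) -> bytes:
        data = self.call("POST", self.p % "decrypt", {"ciphertext": ct})
        return base64.b64decode(data["plaintext"])

    def rewrap(self, ct: str) -> str:
        # Vault decrypts and re-encrypts server-side; plaintext never reaches this process.
        return self.call("POST", self.p % "rewrap", {"ciphertext": ct})["ciphertext"]

    def rotate(self) -> None:
        self.call("POST", self.p % "keys" + "/rotate", {})

    def latest_version(self) -> int:
        return self.call("GET", self.p % "keys")["latest_version"]

    def set_min_decryption_version(self, v: int) -> None:
        self.call("POST", self.p % "keys" + "/config", {"min_decryption_version": v})


def rewrap_stale(t: Transit, rows: dict) -> int:
    """Rewrap every stored ciphertext below the key's latest version; returns count moved."""
    latest, moved = t.latest_version(), 0
    for rid, ct in rows.items():
        if ciphertext_version(ct) < latest:
            rows[rid] = t.rewrap(ct)
            moved += 1
    return moved


class FakeTransit:
    """Offline stand-in: keeps plaintext by token and applies Vault's version rules only."""

    def __init__(self):
        self.latest, self.min_dec, self.store = 1, 1, {}

    def _check(self, ct: str) -> str:
        if ciphertext_version(ct) < self.min_dec:  # Vault refuses versions below the minimum
            raise PermissionError("ciphertext version is disallowed by policy (too old)")
        return self.store[CT_RE.match(ct).group(2)]

    def _wrap(self, b64: str) -> str:
        tok = secrets.token_hex(8)
        self.store[tok] = b64
        return f"vault:v{self.latest}:{tok}"

    def __call__(self, method, path, body=None):
        if path.endswith("/rotate"):
            self.latest += 1
            return {}
        if path.endswith("/config"):
            self.min_dec = body["min_decryption_version"]
            return {}
        if "/keys/" in path:
            return {"latest_version": self.latest, "min_decryption_version": self.min_dec}
        op = path.split("/")[1]
        if op == "encrypt":
            return {"ciphertext": self._wrap(body["plaintext"])}
        if op == "decrypt":
            return {"plaintext": self._check(body["ciphertext"])}
        if op == "rewrap":
            return {"ciphertext": self._wrap(self._check(body["ciphertext"]))}
        raise ValueError(path)


def demo() -> dict:
    """Constructed rows: three v1 ciphertexts, a rotation, one v2 row, then migration."""
    t = Transit(call=FakeTransit())
    rows = {i: t.encrypt(f"card-{i}".encode()) for i in range(3)}  # all vault:v1:
    t.rotate()
    rows[3] = t.encrypt(b"card-3")                                   # vault:v2:
    stale_v1 = rows[0]                                               # a copy left un-migrated
    moved = rewrap_stale(t, rows)
    t.set_min_decryption_version(2)                                  # only safe after the rewrap
    versions = sorted({ciphertext_version(ct) for ct in rows.values()})
    ok = all(t.decrypt(ct) == f"card-{i}".encode() for i, ct in rows.items())
    try:
        t.decrypt(stale_v1)
        old_rejected = False
    except PermissionError:
        old_rejected = True
    return {"moved": moved, "versions": versions, "all_decrypt": ok, "old_rejected": old_rejected}
```

Against a real cluster, construct `Transit()` with no `call` argument and give the migration job a policy that grants `update` on `transit/rewrap/orders` and `read` on `transit/keys/orders` only; `rewrap_stale` never needs `transit/decrypt/orders`, which is the least-privilege point of the rewrap endpoint. The `stale_v1` row in `demo` shows what happens to any row the migration missed once `min_decryption_version` is raised.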