Integration with HashiCorp supports secure encryption key storage


Baffle supports integration with HashiCorp Vault to function as a key management store and enable storage of encryption keys via a REST API. The integration establishes a two-tier key hierarchy which creates key-encryption-keys (KEK) and data encryption keys (DEK) via Vault.

The respective keys can be sourced using Baffle’s Advanced Data Protection to encrypt data in virtually any database or data store both on-premise or in cloud. Below is a quick demonstration that shows the integration and using HashiCorp as a key management store.


This diagram represents a simplified view of the integration with HashiCorp Vault. By utilizing Baffle's key virtualization layer, the Baffle Shield sources encrypted DEKs which are decrypted using the Key Encryption Key (KEK) and then mapped to respective fields and/or records to enable field/record level encryption in a database or data store.

Architecture Diagram

Configuration Steps

NOTE: Below is a high-level sequence of configuration steps. More detailed documentation is available from Baffle technical support.

  1. Configure Vault
  2. Enable a Vault user policy
    #DEK Access for V1 and V2 KV engine - with namespace
    path "baffle/baffle-manager/secret/*"
      capabilities = ["create", "read", "update", "delete", "list"]
    # Wide access to transit engine within baffle/sdk-team namespace
    path "baffle/baffle-manager/transit/*" {
      capabilities = [ "create", "read", "update", "delete", "list" ]
  3. Create an auth token for the above policy
  4. Configure Baffle to use Hashicorp Vault by specifying the auth token
  5. Create a data protection policy in Baffle
  6. Run data migration on the data set or access the data from your respective application

For more information on Baffle Advanced Data Protection click here

Additional Partners

Schedule a live demo with one of our solutions experts to get answers to your questions