Integration with HashiCorp supports secure encryption key storage


Baffle supports integration with HashiCorp Vault and Consul to function as a key management store and enable storage of encryption keys via a REST API. The integration establishes a two-tier key hierarchy which creates master keys (MK) and data encryption keys (DEK) via Vault and stores the encrypted key material in Consul.

The respective keys can be sourced using Baffle’s Advanced Data Protection to encrypt data in virtually any database or data store both on-premise or in cloud. Below is a quick demonstration that shows the integration and using HashiCorp as a key management store.


This diagram represents a simplified view of the integration with HashiCorp Vault and Consul. By utilizing Baffle’s key viritualization layer, the Baffle Shield sources encrypted DEKs which are decrypted using the master key and then mapped to respective fields and/or records to enable field/record level encryption in a database or data store.

Architecture Diagram

Configuration Steps

NOTE: Below is a high-level sequence of configuration steps. More detailed documentation is available from Baffle technical support.

  1. Configure Vault and Consul
  2. Enable a Vault user policy file
Configuration Steps
  1. Login with an admin token
  2. Write the user policy
  3. Create an auth token for the policy
  4. Configure Baffle Shield to use the kmstype = hashicorp
  5. Specify the auth token for the above user policy
  6. Create a data protection policy in Baffle
  7. Run data migration on the data set or access the data from your respective application

For more information on Baffle Advanced Data Protection click here.

Additional Partners

Schedule a live demo with one of our solutions experts to get answers to your questions