---
layout: "docs"
page_title: "Vault Transit - Seals - Configuration"
sidebar_title: "Vault Transit"
sidebar_current: "docs-configuration-seal-transit"
description: |-
  The Transit seal configures Vault to use Vault's Transit Secret Engine as the
  autoseal mechanism.
---

# `transit` Seal

The Transit seal configures Vault to use Vault's Transit Secret Engine as the
autoseal mechanism.
The Transit seal is activated by one of the following:

* The presence of a `seal "transit"` block in Vault's configuration file
* The presence of the environment variable `VAULT_SEAL_TYPE` set to `transit`.

## `transit` Example

This example shows configuring the Transit seal through the Vault configuration file
by providing all the required values:

```hcl
seal "transit" {
  address         = "https://vault:8200"
  token           = "s.Qf1s5zigZ4OX6akYjQXJC1jY"
  disable_renewal = "false"

  // Key configuration
  key_name   = "transit_key_name"
  mount_path = "transit/"
  namespace  = "ns1/"

  // TLS Configuration
  tls_ca_cert     = "/etc/vault/ca_cert.pem"
  tls_client_cert = "/etc/vault/client_cert.pem"
  tls_client_key  = "/etc/vault/client_key.pem"
  tls_server_name = "vault"
  tls_skip_verify = "false"
}
```

## `transit` Parameters

These parameters apply to the `seal` stanza in the Vault configuration file:

- `address` `(string: <required>)`: The full address to the Vault cluster.
  This may also be specified by the `VAULT_ADDR` environment variable.

- `token` `(string: <required>)`: The Vault token to use. This may also be
  specified by the `VAULT_TOKEN` environment variable.

- `key_name` `(string: <required>)`: The transit key to use for encryption and
  decryption. This may also be supplied using the `VAULT_TRANSIT_SEAL_KEY_NAME`
  environment variable.

- `mount_path` `(string: <required>)`: The mount path to the transit secret engine.
  This may also be supplied using the `VAULT_TRANSIT_SEAL_MOUNT_PATH` environment
  variable.

- `namespace` `(string: "")`: The namespace path to the transit secret engine.
  This may also be supplied using the `VAULT_NAMESPACE` environment variable.

- `disable_renewal` `(string: "false")`: Disables the automatic renewal of the token
  in case the lifecycle of the token is managed with some other mechanism outside of
  Vault, such as Vault Agent. This may also be specified using the
  `VAULT_TRANSIT_SEAL_DISABLE_RENEWAL` environment variable.

- `tls_ca_cert` `(string: "")`: Specifies the path to the CA certificate file used
  for communication with the Vault server. This may also be specified using the
  `VAULT_CA_CERT` environment variable.

- `tls_client_cert` `(string: "")`: Specifies the path to the client certificate
  for communication with the Vault server. This may also be specified using the
  `VAULT_CLIENT_CERT` environment variable.

- `tls_client_key` `(string: "")`: Specifies the path to the private key for
  communication with the Vault server. This may also be specified using the
  `VAULT_CLIENT_KEY` environment variable.

- `tls_server_name` `(string: "")`: Name to use as the SNI host when connecting
  to the Vault server via TLS. This may also be specified via the
  `VAULT_TLS_SERVER_NAME` environment variable.

- `tls_skip_verify` `(bool: "false")`: Disable verification of TLS certificates.
  Using this option is highly discouraged and decreases the security of data
  transmissions to and from the Vault server. This may also be specified using the
  `VAULT_SKIP_VERIFY` environment variable.

## Authentication

Authentication-related values must be provided, either as environment
variables or as configuration parameters.
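As an added example (not part of the Vault documentation or of Vault's own code), the following Python pre-flight check applies the rules from the parameter list above before Vault is started: it parses the flat `key = "value"` lines of a `seal "transit"` stanza, merges in the documented environment variables, reports missing required values and weak settings, and prints the minimum Transit policy the token needs for the configured mount and key (the `encrypt`/`decrypt` paths listed later in this section). The parser handles only this stanza's flat assignments, the sample stanza is constructed, and the ordering that a set environment variable overrides the file value is an assumption not stated on this page.

```python
import re
from typing import Dict, List

# Seal parameter -> environment variable alternative, as documented on this page.
ENV_ALTERNATIVES = {
    "address": "VAULT_ADDR",
    "token": "VAULT_TOKEN",
    "key_name": "VAULT_TRANSIT_SEAL_KEY_NAME",
    "mount_path": "VAULT_TRANSIT_SEAL_MOUNT_PATH",
    "namespace": "VAULT_NAMESPACE",
    "disable_renewal": "VAULT_TRANSIT_SEAL_DISABLE_RENEWAL",
    "tls_ca_cert": "VAULT_CA_CERT",
    "tls_client_cert": "VAULT_CLIENT_CERT",
    "tls_client_key": "VAULT_CLIENT_KEY",
    "tls_server_name": "VAULT_TLS_SERVER_NAME",
    "tls_skip_verify": "VAULT_SKIP_VERIFY",
}
REQUIRED = ("address", "token", "key_name", "mount_path")

_STANZA = re.compile(r'seal\s+"transit"\s*\{(.*?)\}', re.S)
# key = "value" with an optional trailing // or # comment; the value may contain "//".
_ASSIGN = re.compile(r'^\s*([a-z_]+)\s*=\s*"([^"]*)"\s*(?:(?://|#).*)?$')


def parse_transit_seal(hcl: str) -> Dict[str, str]:
    """Extract the flat assignments of the seal "transit" stanza (not a full HCL parser)."""
    m = _STANZA.search(hcl)
    if not m:
        raise ValueError('no seal "transit" stanza found')
    params: Dict[str, str] = {}
    for line in m.group(1).splitlines():
        a = _ASSIGN.match(line)
        if a:
            params[a.group(1)] = a.group(2)
    return params


def resolve(params: Dict[str, str], env: Dict[str, str]) -> Dict[str, str]:
    """Merge file values with environment variables.
    Assumption (not stated on the page): a non-empty environment variable wins."""
    merged = dict(params)
    for key, var in ENV_ALTERNATIVES.items():
        if env.get(var):
            merged[key] = env[var]
    return merged


def audit(params: Dict[str, str], env: Dict[str, str]) -> List[str]:
    """Return findings for a seal configuration; an empty list means no issues."""
    cfg = resolve(params, env)
    findings = []
    for key in REQUIRED:
        if not cfg.get(key):
            findings.append(f"missing required value {key!r} (set it in the stanza or ${ENV_ALTERNATIVES[key]})")
    if "token" in params:  # checked against the raw file values, not the merged ones
        findings.append("token is stored in the configuration file; prefer $VAULT_TOKEN")
    if cfg.get("tls_skip_verify", "false").lower() == "true":
        findings.append("tls_skip_verify=true disables certificate verification of the Vault server")
    if cfg.get("tls_client_key") and cfg.get("tls_client_key") == cfg.get("tls_ca_cert"):
        findings.append("tls_client_key points at the same file as tls_ca_cert")
    return findings


def minimum_policy(cfg: Dict[str, str]) -> str:
    """Render the encrypt/decrypt policy the seal token needs for this mount and key."""
    mount = cfg["mount_path"].strip("/")
    key = cfg["key_name"]
    return (f'path "{mount}/encrypt/{key}" {{\n  capabilities = ["update"]\n}}\n\n'
            f'path "{mount}/decrypt/{key}" {{\n  capabilities = ["update"]\n}}\n')


# Constructed sample stanza: it embeds the token in the file and reuses the CA
# certificate path as the client key, so the audit should flag both.
SAMPLE_STANZA = '''
seal "transit" {
  address         = "https://vault:8200"
  token           = "s.EXAMPLE-ONLY"
  disable_renewal = "false"

  // Key configuration
  key_name   = "autounseal"
  mount_path = "transit/"

  // TLS configuration
  tls_ca_cert     = "/etc/vault/ca_cert.pem"
  tls_client_cert = "/etc/vault/client_cert.pem"
  tls_client_key  = "/etc/vault/ca_cert.pem"
  tls_skip_verify = "false"
}
'''

if __name__ == "__main__":
    import os
    params = parse_transit_seal(SAMPLE_STANZA)
    for finding in audit(params, dict(os.environ)):
        print("finding:", finding)
    print(minimum_policy(resolve(params, dict(os.environ))))
```

Run it against the real configuration file by replacing `SAMPLE_STANZA` with the file's contents; the policy it prints can be loaded with `vault policy write` and attached to the token the seal uses.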

~> **Note:** Although the configuration file allows you to pass the Vault token
in as the seal's `token` parameter, it is *strongly* recommended to set this
value via the `VAULT_TOKEN` environment variable instead.

The Vault token used to authenticate needs the following permissions on the
transit key:

```hcl
path "<mount path>/encrypt/<key name>" {
  capabilities = ["update"]
}

path "<mount path>/decrypt/<key name>" {
  capabilities = ["update"]
}
```

## Key Rotation

This seal supports key rotation using the Transit Secret Engine's key rotation endpoints. See
the [rotate key API documentation](/api/secret/transit/index.html#rotate-key). Old key versions
must not be disabled or deleted, because they are still needed to decrypt data that was
encrypted before the rotation.

## Learn

Refer to the [Auto-unseal using Transit Secrets Engine](https://learn.hashicorp.com/vault/operations/autounseal-transit)
guide for a step-by-step tutorial.