---
layout: docs
page_title: Vault Transit - Seals - Configuration
description: |-
  The Transit seal configures Vault to use Vault's Transit Secret Engine as the
  autoseal mechanism.
---

# `transit` Seal

The Transit seal configures Vault to use Vault's Transit Secret Engine as the
autoseal mechanism.
The Transit seal is activated by one of the following:

- The presence of a `seal "transit"` block in Vault's configuration file
- The presence of the environment variable `VAULT_SEAL_TYPE` set to `transit`.

## `transit` Example

This example shows configuring the Transit seal through the Vault configuration file
by providing all the required values:

```hcl
seal "transit" {
  address         = "https://vault:8200"
  token           = "s.Qf1s5zigZ4OX6akYjQXJC1jY"
  disable_renewal = "false"

  // Key configuration
  key_name   = "transit_key_name"
  mount_path = "transit/"
  namespace  = "ns1/"

  // TLS Configuration
  tls_ca_cert     = "/etc/vault/ca_cert.pem"
  tls_client_cert = "/etc/vault/client_cert.pem"
  tls_client_key  = "/etc/vault/client_key.pem"
  tls_server_name = "vault"
  tls_skip_verify = "false"
}
```

## `transit` Parameters

These parameters apply to the `seal` stanza in the Vault configuration file:

- `address` `(string: <required>)`: The full address of the Vault cluster.
  This may also be specified by the `VAULT_ADDR` environment variable.

- `token` `(string: <required>)`: The Vault token to use. This may also be
  specified by the `VAULT_TOKEN` environment variable.

- `key_name` `(string: <required>)`: The transit key to use for encryption and
  decryption. This may also be supplied using the `VAULT_TRANSIT_SEAL_KEY_NAME`
  environment variable.

- `mount_path` `(string: <required>)`: The mount path of the transit secret engine.
  This may also be supplied using the `VAULT_TRANSIT_SEAL_MOUNT_PATH` environment
  variable.

- `namespace` `(string: "")`: The namespace path of the transit secret engine.
  This may also be supplied using the `VAULT_NAMESPACE` environment variable.

- `disable_renewal` `(string: "false")`: Disables the automatic renewal of the token,
  for the case where the token's lifecycle is managed by some other mechanism outside of
  Vault, such as Vault Agent. This may also be specified using the
  `VAULT_TRANSIT_SEAL_DISABLE_RENEWAL` environment variable.

- `tls_ca_cert` `(string: "")`: Specifies the path to the CA certificate file used
  for communication with the Vault server. This may also be specified using the
  `VAULT_CACERT` environment variable.

- `tls_client_cert` `(string: "")`: Specifies the path to the client certificate
  for communication with the Vault server. This may also be specified using the
  `VAULT_CLIENT_CERT` environment variable.

- `tls_client_key` `(string: "")`: Specifies the path to the private key for
  communication with the Vault server. This may also be specified using the
  `VAULT_CLIENT_KEY` environment variable.

- `tls_server_name` `(string: "")`: Name to use as the SNI host when connecting
  to the Vault server via TLS. This may also be specified via the
  `VAULT_TLS_SERVER_NAME` environment variable.

- `tls_skip_verify` `(bool: "false")`: Disable verification of TLS certificates.
  Using this option is highly discouraged and decreases the security of data
  transmissions to and from the Vault server. This may also be specified using the
  `VAULT_SKIP_VERIFY` environment variable.

## Authentication

Authentication-related values must be provided, either as environment
variables or as configuration parameters.

~> **Note:** Although the configuration file allows you to pass in the token
as part of the seal's parameters, it is _strongly_ recommended to set it via
the `VAULT_TOKEN` environment variable rather than writing it into the file.

The Vault token used to authenticate needs the following permissions on the
transit key:

```hcl
path "<mount path>/encrypt/<key name>" {
  capabilities = ["update"]
}

path "<mount path>/decrypt/<key name>" {
  capabilities = ["update"]
}
```

## Key Rotation

This seal supports key rotation using the Transit Secret Engine's key rotation endpoints. See
the [rotate key API documentation](/api/secret/transit#rotate-key). Old key versions must not be
disabled or deleted, because they are still needed to decrypt data that was sealed under them.

## Learn

Refer to the [Auto-unseal using Transit Secrets Engine](https://learn.hashicorp.com/vault/operations/autounseal-transit)
guide for a step-by-step tutorial.
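The Authentication section above gives the two `update` grants the seal token needs. The following added example (not part of the Vault documentation or code base) checks a candidate policy against that requirement offline: it parses the `path`/`capabilities` subset of policy HCL, applies Vault's path-matching rules (trailing `*` glob, `+` segment wildcard, most specific rule wins, `deny` overrides), and reports both missing grants and any rule that gives the token more than `update` on exactly those two paths. The mount path `transit/`, key name `autounseal` and the two sample policies are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample policies (assumed, not from the page): one that grants exactly
# what the seal needs, and an over-broad one that also works but would let the
# token rotate, export or delete the key.
LEAST_PRIVILEGE = '''
path "transit/encrypt/autounseal" { capabilities = ["update"] }
path "transit/decrypt/autounseal" { capabilities = ["update"] }
'''
OVERBROAD = '''
path "transit/*" { capabilities = ["create", "read", "update", "delete"] }
'''

_RULE = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)

def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Minimal parser for the path/capabilities subset of Vault policy HCL."""
    rules: Dict[str, Set[str]] = {}
    for path, caps in _RULE.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules

def rule_matches(rule: str, path: str) -> bool:
    """Vault path semantics: a trailing '*' is a prefix glob, '+' matches one segment."""
    glob = rule.endswith("*")
    body = rule[:-1] if glob else rule
    segs = ["[^/]+" if s == "+" else re.escape(s) for s in body.split("/")]
    return re.fullmatch("/".join(segs) + (".*" if glob else ""), path) is not None

def capabilities(rules: Dict[str, Set[str]], path: str) -> Set[str]:
    """Exact rule beats globs, otherwise the longest matching rule wins; 'deny' wins over all."""
    hits = [r for r in rules if rule_matches(r, path)]
    if not hits:
        return set()
    best = path if path in hits else max(hits, key=len)
    return set() if "deny" in rules[best] else rules[best]

def required_paths(mount_path: str, key_name: str) -> List[str]:
    """The two paths the seal token must be able to 'update' (from the page)."""
    mount = mount_path.strip("/")
    return [f"{mount}/encrypt/{key_name}", f"{mount}/decrypt/{key_name}"]

def check_seal_policy(hcl: str, mount_path: str, key_name: str) -> Tuple[List[str], List[str]]:
    """Return (missing, excess): required paths lacking 'update', and rules that grant
    anything beyond 'update' on exactly the two required paths."""
    rules = parse_policy(hcl)
    needed = required_paths(mount_path, key_name)
    missing = [p for p in needed if "update" not in capabilities(rules, p)]
    excess = [r for r, caps in rules.items() if r not in needed or caps != {"update"}]
    return missing, excess
```

An empty `missing` list means the seal will work; a non-empty `excess` list means the token can do more to the transit mount than auto-unseal requires and the policy should be narrowed.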