Transform doc fix (#10383)

* Add tokenization

* Fixes
Scott Miller 2020-11-11 12:54:11 -06:00 committed by GitHub
parent 3cdad923f4
commit d17917341c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 15 additions and 9 deletions

@ -20,8 +20,8 @@ cryptographic standards such as [format-preserving encryption
can also be pseudonymous transformations of the data through other means, such
as masking.
The secret engine currently supports `fpe` and `masking` as data transformation
types.
The secret engine currently supports `fpe`, `masking`, and `tokenization` as
data transformation types.
## Setup
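Review bot: the new list of transformation types names `tokenization` as bare text while the Mapping Modes section later in this file links it as `[Tokenization](transform/tokenization)`; consider linking the type here as well, e.g. ``The secret engine currently supports `fpe`, `masking`, and [`tokenization`](transform/tokenization) as``, so readers of the overview can reach the tokenization docs directly.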
@ -224,7 +224,7 @@ preserve any of the contents or format of the input.
Tokenization is not format preserving. The token output is a Base58 encoded
string value of unrelated length, and is not rendered by a template.
The decoded value is returned verbatim as it was before encoding..
The decoded value is returned verbatim as it was before encoding.
#### Metadata
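Review bot: the doubled period is fixed, but the unchanged sentence just above it, "a Base58 encoded string value of unrelated length", leaves the reader guessing what the length is unrelated to; while touching this paragraph, consider "a Base58-encoded string whose length is unrelated to the input".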
@ -241,19 +241,25 @@ additional operations:
* Retrieve metadata given a token.
* Check whether an input value has a valid, unexpired token.
#### Stores
Tokenization is stateful. Tokenized state can be stored internally (the
default) or in an external store. Currently only PostgreSQL is supported
for external storage.
#### Mapping Modes
[Tokenization](transform/tokenization) stores the results of an encode operation in storage using a
cryptographic construct that enhances the safety of its values. In the
<code>default</code> mapping mode, the token itself is transformed via a one way
[Tokenization](transform/tokenization) stores the results of an encode operation
in storage using a cryptographic construct that enhances the safety of its values.
In the `default` mapping mode, the token itself is transformed via a one way
function involving the transform key and elements of the token. As Vault does
not store the token, the values in Vault storage themselves cannot be used to
retrieve original input.
A second mapping mode, <code>exportable</code> is provided for cases where
A second mapping mode, `exportable` is provided for cases where
operators may need to recover the full set of decoded inputs in an emergency via
the export operation. It is strongly recommended that one use the
<code>default</code> mode if possible, as it is resistant to more types of attack.
the export operation. It is strongly recommended that one use the `default` mode if
possible, as it is resistant to more types of attack.
## Deletion Behavior
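Review bot: the `exportable` paragraph says the `default` mode "is resistant to more types of attack" without saying what `exportable` trades away; since the `default` paragraph explains that the values in Vault storage cannot be used to retrieve original input, the `exportable` paragraph should state the converse explicitly (that the stored mapping can be used to recover inputs, which is what the export operation relies on), so operators understand the risk they accept by choosing it. Two smaller points in the same hunk: the new `exportable` line needs a comma after the code span ("A second mapping mode, `exportable`, is provided"), and "one way function" should be hyphenated as "one-way function". The new Stores paragraph would also benefit from a pointer to where the external PostgreSQL store is configured.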