---
layout: guides
page_title: Encryption as a Service - Guides
sidebar_title: Encryption as a Service
description: |-
  The transit secrets engine handles cryptographic functions on data in-transit.
  Vault doesn't store the data sent to the secrets engine. It can also be viewed
  as "cryptography as a service" or "encryption as a service".
---

# Encryption as a Service

Vault provides Encryption as a Service (EaaS) to enable security teams to
fortify data during transit and at rest. So even if an intrusion occurs, your
data is encrypted and the attacker would never get a hold of the raw data.

This guide walks you through Encryption as a Service topics.

- [Encryption as a Service](/guides/encryption/transit) guide walks you
  through the usage of the `transit` secrets engine in Vault.
  Read this guide first before proceeding to the [Transit Secrets
  Re-wrapping](/guides/encryption/transit-rewrap) guide or [Java Application
  Demo](/guides/encryption/spring-demo) guide.

- [Java Application Demo](/guides/encryption/spring-demo) guide walks
  through a sample application which relies on Vault to generate database
  credentials as well as encrypting sensitive data. This guide is for anyone who
  wishes to reproduce the demo introduced in
  the [Manage secrets, access, and encryption in the public cloud with Vault](https://www.hashicorp.com/resources/solutions-engineering-webinar-series-episode-2-vault)
  webinar.

- [Transit Secrets Re-wrapping](/guides/encryption/transit-rewrap) guide
  demonstrates one possible way to re-wrap data after rotating an encryption key
  in the transit engine in Vault.