A healthcare application needs to encrypt sensitive patient data before storing it in a legacy database that does not support encryption. The team wants to use Vault's encryption as a service. However, the application is running on a restricted network that cannot make outbound HTTP requests to Vault. Which solution should the team implement?
- A: Set up Vault replication from a central Vault to a local Vault instance.
  Why wrong: Replication does not eliminate the need for outbound calls.
- B: Deploy Vault Agent in sidecar mode with a configured encrypt stanza to handle encryption locally.
  Why correct: Vault Agent can process encryption locally via a Unix socket, so the application makes no outbound HTTP request.
- C: Use Vault's HTTP API from the application to encrypt data directly.
  Why wrong: The application cannot make outbound HTTP requests.
- D: Enable the transit secrets engine and call Vault's encrypt endpoint.
  Why wrong: Same network issue; requires outbound calls.