- Enable transit encryption and create a key: https://www.vaultproject.io/docs/secrets/transit#setup
- Create a policy to grant encryption key access:
vault policy write transit -<<EOF
# Allow encryption with my-key only
path "transit/encrypt/my-key" {
  capabilities = [ "update" ]
}
# Allow decryption with my-key only
path "transit/decrypt/my-key" {
  capabilities = [ "update" ]
}
EOF
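
A policy like this is easy to widen by accident (a trailing `*`, an extra capability, a grant on `transit/keys/`). The following check is an added example, not part of the original page or of Vault: the function names, the simplified regex parser and the `BROAD_POLICY` sample are assumptions made for illustration, and it flags any grant wider than `update` on the encrypt/decrypt paths of a single named key.

```python
import re

# Simplified parser: handles flat `path "..." { capabilities = [...] }` blocks only
# (no comments containing braces, no nested parameter blocks).
BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}')
CAPS = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')
# The only paths and the only capability the page's policy grants.
DATA_PATH = re.compile(r'^transit/(encrypt|decrypt)/([^/]+)$')
ALLOWED_CAPS = {"update"}

def parse_policy(text):
    """Map each policy path to the set of capabilities granted on it."""
    rules = {}
    for path, body in BLOCK.findall(text):
        caps = CAPS.search(body)
        rules[path] = set(re.findall(r'"([^"]+)"', caps.group(1))) if caps else set()
    return rules

def lint_transit_policy(text):
    """Return findings for grants broader than encrypt/decrypt on one named key."""
    findings = []
    for path, caps in parse_policy(text).items():
        match = DATA_PATH.match(path)
        if not match:
            findings.append(f"{path}: not a transit encrypt/decrypt path")
            continue
        # In Vault policy paths, a trailing * is a glob and + matches one segment.
        if "*" in match.group(2) or "+" in match.group(2):
            findings.append(f"{path}: wildcard key name")
        extra = sorted(caps - ALLOWED_CAPS)
        if extra:
            findings.append(f"{path}: extra capabilities {extra}")
    return findings

# The page's policy, with its closing lines assumed.
PAGE_POLICY = '''
path "transit/encrypt/my-key" { capabilities = [ "update" ] }
path "transit/decrypt/my-key" { capabilities = [ "update" ] }
'''
# Constructed over-broad policy, for contrast.
BROAD_POLICY = '''
path "transit/decrypt/*" { capabilities = [ "update", "read" ] }
path "transit/keys/my-key" { capabilities = [ "read", "delete" ] }
'''

if __name__ == "__main__":
    print(lint_transit_policy(PAGE_POLICY))
    for finding in lint_transit_policy(BROAD_POLICY):
        print(finding)
```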