Well-Architected Framework
Tokenize data
Tokenization replaces sensitive data with non-sensitive substitutes called tokens. Tokens are useful whenever sensitive values must leave your systems or pass through services that do not need the real value, for example credentials used for external authentication (such as GitHub login authentication), credit card numbers, banking credentials, or any other system that requires external authentication or data exchange.
Why should you tokenize data?
Tokenizing data provides security benefits beyond encryption. When you tokenize data, you replace sensitive information with a non-sensitive token that has no exploitable value if it is exposed. The original data is stored securely in a separate system, and your services work only with the token.
Unlike encrypted data, which can be decrypted if the encryption keys are compromised, tokens cannot be reversed without access to the secure tokenization system. Because a token is worthless to anyone without that access, tokenization reduces the risk when tokens leak, simplifies compliance, and limits the impact of data breaches.
Tokenize data with Vault
You can use HashiCorp Vault to create tokens that protect data. The Vault Transform secrets engine can tokenize data, replacing highly sensitive values such as credit card numbers with unique tokens that have no algorithmic relationship to the original value. Therefore, the tokens do not risk exposing the critical data, which satisfies the Payment Card Industry Data Security Standard (PCI-DSS) guidance.
The following diagram shows how Vault can take sensitive data, such as a customer's credit card number, encrypt the value, and allow the application to use that credit card securely.
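The flow described above (a service hands the card number to a separate tokenization system once, keeps only an unrelated token, and only an authorized party can turn the token back into the value) is modelled below as an added, stdlib-only Python example. It is not Vault's code and does not talk to a Vault server; the `TokenVault` class, the `decoders` allow-list, and the `tokenize_card`/`demo` helpers are assumptions made for illustration. The method names `encode`, `decode`, `validate` and `metadata` mirror the shape of the Vault Transform tokenization endpoints (`transform/encode/<role>`, `transform/decode/<role>`, `transform/validate/<role>`, `transform/metadata/<role>`), where Vault enforces the decode permission through policy on the path rather than through an in-process allow-list.

```python
"""Model of vault-style tokenization (added example, not HashiCorp Vault code).

Properties demonstrated:
  * the token is random and carries no algorithmic relationship to the value;
  * the same value tokenized twice yields two different tokens;
  * the store is keyed by a hash of the token, so its contents alone do not
    hand out usable tokens;
  * only callers on the decode allow-list can recover the original value;
  * non-sensitive metadata (here the last four digits) lets the application
    render a masked display without ever touching the real number.
"""
import hashlib
import secrets
import time


class TokenVault:
    """Separate, access-controlled system that owns the real values."""

    def __init__(self, decoders):
        self._decoders = set(decoders)   # principals allowed to detokenize
        self._store = {}                 # sha256(token) -> record

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def encode(self, value, metadata=None, ttl_seconds=None):
        """Store `value`, return an opaque token. Real Vault encrypts the stored
        value at rest; this model keeps it in a dict to stay stdlib-only."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unrelated to value
        expires = None if ttl_seconds is None else time.time() + ttl_seconds
        self._store[self._key(token)] = {
            "value": value,
            "metadata": dict(metadata or {}),
            "expires": expires,
        }
        return token

    def _record(self, token):
        rec = self._store.get(self._key(token))
        if rec is None:
            return None
        if rec["expires"] is not None and time.time() > rec["expires"]:
            return None  # expired tokens behave exactly like unknown ones
        return rec

    def validate(self, token):
        """Anyone may ask whether a token is live; this reveals no data."""
        return self._record(token) is not None

    def metadata(self, token):
        """Non-sensitive attributes attached at encode time."""
        rec = self._record(token)
        if rec is None:
            raise LookupError("unknown or expired token")
        return dict(rec["metadata"])

    def decode(self, token, caller):
        """Recover the value; only allow-listed callers may do this."""
        if caller not in self._decoders:
            raise PermissionError(f"{caller!r} is not allowed to detokenize")
        rec = self._record(token)
        if rec is None:
            raise LookupError("unknown or expired token")
        return rec["value"]


def luhn_ok(digits):
    """Standard Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_card(vault, pan):
    """What the card-capturing service does: validate the input, hand the PAN to
    the vault once, keep the token and the masked display data, never the PAN."""
    digits = pan.replace(" ", "").replace("-", "")
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
        raise ValueError("not a card number")
    return vault.encode(digits, metadata={"last4": digits[-4:]})


def demo():
    vault = TokenVault(decoders={"payment-processor"})
    pan = "4111 1111 1111 1111"  # constructed test number, not a real card
    token = tokenize_card(vault, pan)
    second = tokenize_card(vault, pan)
    return {
        "token": token,
        "same_value_different_tokens": token != second,
        "display": "**** **** **** " + vault.metadata(token)["last4"],
        "processor_sees": vault.decode(token, caller="payment-processor"),
        "unknown_token_valid": vault.validate("not-a-token"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the module prints the token, the masked display string the front end can show, the full number as seen only by the `payment-processor` role, and `False` for an unknown token. A leaked token (or a leaked copy of the store) is useless without the vault's decode path, which is the property the paragraph above describes; in a real deployment that path is what Vault policy and audit logging guard.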
HashiCorp resources:
Next steps
In this section of How to secure data, you learned how to tokenize your data using HashiCorp Vault Enterprise. Tokenize data is part of the Secure systems pillar.