Skip to main content


Transformations provide a mechanism to present the data held in Vault in a way that reduces data exposure. For example, a phone number can be masked so that only the last four digits are readable, like this ***-****-2795. Each transformation is associated with a data type.

Combined with Vault’s access policies, transformations enable you to enforce and restrict access to specific views of the data, practically reducing exposure risk. For example, a public web application collects SSNs and stores them in Vault. An access policy can be configured to allow the application to read a masked SSN value only, reducing the potential of exposing SSNs stored in the system. The SSNs are now protected, even in the case of a compromised web server (through SQL injection, remote-code execution, etc.).

The built-in transformations include:

  • mask for an SSN, email, phone number, credit card number, and bank account number.
  • transformation of a birthday date into a day, month, or year only. (Coming soon 🎁)
  • transformation of an address into a city. (Coming soon 🎁)

The Vault roadmap includes additional built-in transformations and the ability to specify custom transformations.

See Manage transformations for more information on transformations.