Company
Date Published
Author
Andy Manoske
Word count
874
Language
English
Hacker News points
None

Summary

The HashiCorp Vault Enterprise team has released a new feature called Transform, a Secrets Engine that lets Vault encode and decode sensitive values that reside in external systems. This enables Vault to protect application secrets stored in untrusted or semi-trusted systems while meeting compliance requirements such as PCI-DSS and HIPAA. Transform supports two types of transformation: masking, which anonymizes data using a custom character mask, and a two-way transformation, which preserves the structure of the input so that the encoded ciphertext keeps the same format and data type. Unlike traditional tokenization, Vault's Transform procedure generates ciphertext that retains the data's structure and format while still protecting it. The feature uses the AES-based FF3-1 algorithm for encryption and does not store the protected secrets, which maximizes decode performance and minimizes exposure risk. This lets developers, operations, and security staff work securely with sensitive information while maintaining compliance and governance, all through a single endpoint.