Company
Date Published
Author
Rosemary Wang
Word count
2433
Language
English
Hacker News points
None

Summary

This demo shows how HashiCorp Vault's transit secrets engine can protect sensitive data before it is sent to an Amazon Bedrock Knowledge Base created with Terraform. The process encrypts host names using convergent encryption, which guarantees that the same plaintext host name always produces the same ciphertext. This lets the LLM analyze each rental listing for similarities between hosts without ever seeing the actual host name. The demo uses an HCP Vault cluster with the transit secrets engine enabled and walks through creating a data source from S3, configuring a vector store using Amazon OpenSearch Serverless, and setting up an Amazon Bedrock Knowledge Base for the S3 bucket that holds the rental listings. The knowledge base requires sufficient IAM access to the S3 bucket, the OpenSearch collection, and the embedding model, and it uses the field mappings defined in the OpenSearch index for the vector embeddings. By encrypting sensitive data before augmenting an LLM with RAG, you protect access to the data and prevent leakage of sensitive information. Vault also offers more advanced data protection techniques, such as format-preserving encryption, masking, and data tokenization, through the transform secrets engine.
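The host-name protection step described above, as an added example that is not the demo's own code: it batches the host names of constructed sample listings into one call to Vault's transit encrypt endpoint with a fixed derived-key context, so that identical host names come back as identical ciphertexts and listings can still be grouped by host. The key name `hosts`, the context string, and the `VAULT_ADDR`/`VAULT_TOKEN` environment variables are assumptions.

```python
"""Encrypt rental-listing host names with Vault transit convergent encryption
before the listings are uploaded to S3 for a Bedrock Knowledge Base.
Assumes VAULT_ADDR and VAULT_TOKEN are set and that a transit key named "hosts"
exists with derived=true and convergent_encryption=true (key name assumed)."""
import base64
import json
import os
import urllib.request

KEY_NAME = "hosts"            # assumed transit key name
CONTEXT = b"rental-listings"  # derived-key context; constant so equal names encrypt equally

# Constructed sample listings, not real data.
LISTINGS = [
    {"id": 1, "host": "Alice", "text": "Cozy loft downtown"},
    {"id": 2, "host": "Bob", "text": "Beach house with deck"},
    {"id": 3, "host": "Alice", "text": "Studio near the park"},
]

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def build_batch_request(listings):
    """Body for POST /v1/transit/encrypt/<key>: every item carries the same
    base64 context, so convergent encryption yields one ciphertext per host."""
    return {"batch_input": [{"plaintext": b64(i["host"].encode()),
                             "context": b64(CONTEXT)} for i in listings]}

def apply_ciphertexts(listings, batch_results):
    """Replace each host name with the ciphertext Vault returned for it."""
    return [dict(item, host=res["ciphertext"])
            for item, res in zip(listings, batch_results)]

def encrypt_hosts(listings, vault_addr=None, token=None):
    """Send the batch to Vault and return listings with protected host names."""
    vault_addr = vault_addr or os.environ["VAULT_ADDR"]
    token = token or os.environ["VAULT_TOKEN"]
    req = urllib.request.Request(
        f"{vault_addr}/v1/transit/encrypt/{KEY_NAME}",
        data=json.dumps(build_batch_request(listings)).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return apply_ciphertexts(listings, json.load(resp)["data"]["batch_results"])

def hosts_by_ciphertext(protected):
    """Group listing ids by encrypted host: the same grouping the LLM can make."""
    groups = {}
    for item in protected:
        groups.setdefault(item["host"], []).append(item["id"])
    return groups
```

Only `encrypt_hosts` talks to Vault; the request builder and the grouping work offline, which is where the convergence property is visible.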