diff --git a/auth_approle_tf_vault.tf b/auth_approle_tf_vault.tf
index f554e74..3e552b3 100644
--- a/auth_approle_tf_vault.tf
+++ b/auth_approle_tf_vault.tf
@@ -15,11 +15,12 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
 "pki_int/pki_int_roles_admin",
 "pki_root/pki_root_roles_admin",
 "ssh-host-signer/ssh-host-signer_roles_admin",
- "sshca_roles_admin",
+ "sshca/sshca_roles_admin",
 "kv/service/glauth/services/svc_vault_read",
 "sys/sys_auth_admin",
 "sys/sys_mounts_admin",
 "sys/sys_policy_admin",
+ "transit/keys/admin",
 ]
 token_ttl = 60
 token_max_ttl = 120
diff --git a/engine_transit.tf b/engine_transit.tf
new file mode 100644
index 0000000..c596b9b
--- /dev/null
+++ b/engine_transit.tf
@@ -0,0 +1,13 @@
+resource "vault_mount" "transit" {
+ path = "transit"
+ type = "transit"
+ description = "Transit Engine"
+ default_lease_ttl_seconds = 3600
+ max_lease_ttl_seconds = 86400
+}
+
+resource "vault_transit_secret_backend_key" "key" {
+ backend = vault_mount.transit.path
+ name = "au-syd1-k8s-vso"
+ type = "aes256-gcm96"
+}
diff --git a/policies.tf b/policies.tf
index 2c20a35..4fe0947 100644
--- a/policies.tf
+++ b/policies.tf
@@ -13,6 +13,9 @@ locals {
 "policies/rundeck",
 "policies/ssh-host-signer",
 "policies/sshca",
+ "policies/transit/decrypt",
+ "policies/transit/encrypt",
+ "policies/transit/keys",
 "policies/kv/service/glauth/services",
 "policies/kv/service/incus",
 "policies/kv/service/packer",
diff --git a/policies/transit/decrypt/au-syd1-k8s-vso.hcl b/policies/transit/decrypt/au-syd1-k8s-vso.hcl
new file mode 100644
index 0000000..e345e7e
--- /dev/null
+++ b/policies/transit/decrypt/au-syd1-k8s-vso.hcl
@@ -0,0 +1,4 @@
+# Allow decryption with the au-syd1-k8s-vso key
+path "transit/decrypt/au-syd1-k8s-vso" {
+ capabilities = ["create", "update"]
+}
diff --git a/policies/transit/encrypt/au-syd1-k8s-vso.hcl b/policies/transit/encrypt/au-syd1-k8s-vso.hcl
new file mode 100644
index 0000000..bc9b4ac
--- /dev/null
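Review bot: The added `"transit/keys/admin"` entry attaches the new key-management policy to the tf_vault AppRole, and since that policy (also new in this commit) carries `delete` on `transit/keys/*`, this role becomes able to permanently destroy the transit key that other consumers' ciphertext depends on; if that is intended for Terraform's lifecycle management it deserves saying in a comment next to the entry. As far as I know Vault does not check that a policy name exists when a role is written — which is presumably why the `sshca_roles_admin` → `sshca/sshca_roles_admin` correction was needed — so a mismatch only shows up as 403s at use time; a comment above the list such as `# names must match the policies generated from the policies/ tree (see policies.tf)` would help the next editor. The `token_ttl = 60` / `token_max_ttl = 120` visible in the context lines do bound how long a leaked token carries these capabilities. The resource block starts before this hunk.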
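Review bot: `vault_transit_secret_backend_key.key` leaves the key's protective settings at provider defaults; making them explicit documents intent and guards against a later edit silently loosening them: `deletion_allowed = false` (keeps the key from being removed via the delete capability granted elsewhere in this commit) and, if rotation is wanted, an `auto_rotate_period` with a comment on the chosen interval. The resource label `key` is generic; labelling it after the key it creates (e.g. `au_syd1_k8s_vso`) leaves room for more keys on this mount without a state move later. As far as I know the transit engine does not issue leased secrets, so `default_lease_ttl_seconds`/`max_lease_ttl_seconds` on the mount have no practical effect here and could be dropped or annotated as intentional.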
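Review bot: Neither this decrypt policy nor its counterpart `policies/transit/encrypt/au-syd1-k8s-vso.hcl` is bound to any auth role in this diff — only `transit/keys/admin` is attached (to the tf_vault AppRole) — so presumably a workload auth role elsewhere is meant to pick them up; a comment naming that consumer, e.g. `# consumer: <auth role that is granted this policy>`, would make the grant traceable. Scoping the path to the single key rather than `transit/decrypt/*` is the right least-privilege shape and should be kept that way. One consequence to decide now: a holder of only the encrypt and decrypt paths cannot re-wrap stored ciphertext to a newer key version after a rotation, which would need `transit/rewrap/au-syd1-k8s-vso` with `update`; if rotation is planned, adding that path (or documenting why not) belongs with these files.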
+++ b/policies/transit/encrypt/au-syd1-k8s-vso.hcl
@@ -0,0 +1,4 @@
+# Allow encryption with the au-syd1-k8s-vso key
+path "transit/encrypt/au-syd1-k8s-vso" {
+ capabilities = ["create", "update"]
+}
diff --git a/policies/transit/keys/admin.hcl b/policies/transit/keys/admin.hcl
new file mode 100644
index 0000000..59f8d1a
--- /dev/null
+++ b/policies/transit/keys/admin.hcl
@@ -0,0 +1,8 @@
+# Allow management of keys (create, update, delete, list, and read)
+path "transit/keys/*" {
+ capabilities = ["create", "update", "delete", "read", "list"]
+}
+# Allow listing of available keys
+path "transit/keys" {
+ capabilities = ["read", "list"]
+}
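Review bot: `transit/keys/*` with `update` and `delete` is broader than the header comment conveys: the glob also matches `transit/keys/<name>/config`, where `deletion_allowed` and `exportable` are switched on, so a single holder of this policy can make a key deletable and then delete it, and can make it exportable (a setting Vault does not allow turning back off). If that is intended for the Terraform role, say so explicitly, e.g. `# NOTE: the glob also covers <name>/config, so this policy can enable deletion_allowed/exportable on any key`; otherwise drop `delete` from this stanza and handle key removal out of band. In the second stanza, `read` on `transit/keys` is not what listing requires — `list` alone covers it, as far as I know — so `capabilities = ["list"]` would be the tighter grant.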