Module: backend/transit

Provides the client implementation for the Vault Transit secret backend APIs. Keys are created, rotated and used inside Vault; callers only ever send plaintext or ciphertext to it, which is why every binary parameter below is passed base64 encoded.

Extends

  • Vaulted

Methods


decryptTransitCipherText(options, [mountName])

Decrypts the provided ciphertext using the named key. The context and nonce that were used when the ciphertext was produced must be supplied again, otherwise decryption fails.

Parameters:

  options.id (string)
      unique identifier for the key
  options.body.ciphertext (string)
      The ciphertext to decrypt, exactly as returned by encrypt.
  options.body.context (string, optional)
      The key derivation context, base64 encoded. Must be provided if derivation is enabled for this key.
  options.body.nonce (string, optional)
      The nonce value, base64 encoded. Must be provided if convergent encryption is enabled for this key.
  options.token (string, optional)
      the authentication token
  mountName (string, optional, default: transit)
      path name the transit secret backend is mounted on

Returns:
  Promise

deleteTransitKey(options, [mountName])

Deletes a named encryption key. It will no longer be possible to decrypt any data encrypted with the named key. Because this is a potentially catastrophic operation, the deletion_allowed tunable must first be set to true on the key's /config endpoint (see setTransitKeyConfig); otherwise the request is refused.

Parameters:

  options.id (string)
      unique identifier for the key
  options.token (string, optional)
      the authentication token
  mountName (string, optional, default: transit)
      path name the transit secret backend is mounted on

Returns:
  Promise

encryptTransitPlainText(options, [mountName])

Encrypts the provided plaintext using the named key. This path supports the create and update policy capabilities as follows: if the caller's policies grant the create capability on this endpoint and the key does not exist, the key is upserted with default values (it is created as a derived key when a context is supplied and as a non-derived key otherwise). If the caller only has the update capability and the key does not exist, an error is returned. Because the plaintext is base64 encoded, arbitrary binary data can be encrypted, not only text.

Parameters:

  options.id (string)
      unique identifier for the key
  options.body.plaintext (string)
      The plaintext to encrypt, base64 encoded by the caller.
  options.body.context (string, optional)
      The key derivation context, base64 encoded. Must be provided if derivation is enabled for this key.
  options.body.nonce (string, optional)
      The nonce value, base64 encoded. Must be provided if convergent encryption is enabled for this key.
  options.token (string, optional)
      the authentication token
  mountName (string, optional, default: transit)
      path name the transit secret backend is mounted on

Returns:
  Promise

generateTransitPlainTextDataKey(options, [mountName])

Generates a new high-entropy data key and returns both its plaintext and its value encrypted (wrapped) with the named key. This is the building block for envelope encryption: encrypt bulk data locally with the plaintext key, keep only the wrapped key alongside the data, and pass the wrapped key to decrypt when the data must be read again.

Parameters:

  options.id (string)
      unique identifier for the key
  options.body.context (string, optional)
      The key derivation context, base64 encoded. Must be provided if derivation is enabled for this key.
  options.body.nonce (string, optional)
      The nonce value, base64 encoded. Must be provided if convergent encryption is enabled for this key.
  options.body.bits (number, optional, default: 256)
      The number of bits in the desired data key. Can be 128, 256, or 512.
  options.token (string, optional)
      the authentication token
  mountName (string, optional, default: transit)
      path name the transit secret backend is mounted on

Returns:
  Promise

generateTransitWrappedDataKey(options, [mountName])

Generates a new high-entropy data key and returns only its value encrypted (wrapped) with the named key; the plaintext of the data key is not returned. Use this variant when the caller only needs to store a wrapped key now and the plaintext will be obtained later, via decrypt, in the place where the data is actually processed.

Parameters:

  options.id (string)
      unique identifier for the key
  options.body.context (string, optional)
      The key derivation context, base64 encoded. Must be provided if derivation is enabled for this key.
  options.body.nonce (string, optional)
      The nonce value, base64 encoded. Must be provided if convergent encryption is enabled for this key.
  options.body.bits (number, optional, default: 256)
      The number of bits in the desired data key. Can be 128, 256, or 512.
  options.token (string, optional)
      the authentication token
  mountName (string, optional, default: transit)
      path name the transit secret backend is mounted on

Returns:
  Promise

getTransitKey(options, [mountName])

Returns information about a named encryption key: the tunables set at creation and via setTransitKeyConfig (derived, convergent_encryption, deletion_allowed, min_decryption_version), its latest version, and a keys object keyed by version number. The keys object shows the creation time of each key version; the values are not the keys themselves, which never leave Vault.

Parameters:

  options.id (string)
      unique identifier for the key
  options.token (string, optional)
      the authentication token
  mountName (string, optional, default: transit)
      path name the transit secret backend is mounted on

Returns:
  Promise

rewrapTransitCipherText(options, [mountName])

Rewraps the provided ciphertext using the latest version of the named key and returns the new ciphertext. The decryption and re-encryption happen inside Vault, so the plaintext is never returned to the caller; this is the intended way to move stored data forward after rotateTransitKey.

Parameters:

  options.id (string)
      unique identifier for the key
  options.body.ciphertext (string)
      The ciphertext to rewrap, exactly as returned by encrypt.
  options.body.context (string, optional)
      The key derivation context, base64 encoded. Must be provided if derivation is enabled for this key, and must match the context used when the ciphertext was produced.
  options.body.nonce (string, optional)
      The nonce value, base64 encoded. Must be provided if convergent encryption is enabled for this key.
  options.token (string, optional)
      the authentication token
  mountName (string, optional, default: transit)
      path name the transit secret backend is mounted on

Returns:
  Promise

rotateTransitKey(options, [mountName])

Rotates the named key to a new version. After rotation, new encryption requests use the new version of the key. Ciphertext produced under earlier versions stays decryptable as long as those versions are not below the key's min_decryption_version; to upgrade such ciphertext to the latest version of the key, use the rewrap endpoint.

Parameters:

  options.id (string)
      unique identifier for the key
  options.token (string, optional)
      the authentication token
  mountName (string, optional, default: transit)
      path name the transit secret backend is mounted on

Returns:
  Promise
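An added example, not code from this page or from the library, of the housekeeping that rotation implies; it serves the getTransitKey, rewrapTransitCipherText and rotateTransitKey methods above and the min_decryption_version tunable of setTransitKeyConfig. Vault prefixes every transit ciphertext with the key version that produced it (vault:v<N>:...), a fact about Vault rather than something stated on this page. The code reads that prefix, compares it with the key information returned by getTransitKey (assumed to resolve to Vault's response body, whose data object carries latest_version and min_decryption_version), decides which ciphertexts still need rewrapping, which are current, and which are already refused, and only then raises min_decryption_version. FakeKeyAdmin is an in-memory stand-in written here for the four methods involved; the key name and the stored ciphertexts are constructed.

```javascript
// Vault prefixes every transit ciphertext with the key version that produced
// it: "vault:v<N>:<base64>". Decrypt and rewrap use it to pick the key version.
function ciphertextVersion(ciphertext) {
  const m = /^vault:v(\d+):/.exec(ciphertext);
  if (!m) throw new Error('not a transit ciphertext: ' + JSON.stringify(String(ciphertext).slice(0, 16)));
  return Number(m[1]);
}

// Sort stored ciphertexts by what rotation has done to them. keyInfo is the
// data object of a getTransitKey response (assumption: the promise resolves to
// Vault's response body); only latest_version and min_decryption_version are read.
function planRewrap(keyInfo, ciphertexts) {
  const plan = { current: [], rewrap: [], undecryptable: [] };
  for (const ct of ciphertexts) {
    const v = ciphertextVersion(ct);
    if (v > keyInfo.latest_version) {
      throw new Error(`ciphertext claims version ${v} but the key is at ${keyInfo.latest_version}`);
    } else if (v < keyInfo.min_decryption_version) {
      plan.undecryptable.push(ct); // decrypt and rewrap both refuse it until min_decryption_version is lowered
    } else if (v < keyInfo.latest_version) {
      plan.rewrap.push(ct); // still readable, but should be moved to the latest version
    } else {
      plan.current.push(ct);
    }
  }
  return plan;
}

// Highest min_decryption_version that keeps every given ciphertext decryptable.
function safeMinDecryptionVersion(keyInfo, ciphertexts) {
  if (ciphertexts.length === 0) return keyInfo.latest_version;
  return Math.min(keyInfo.latest_version, ...ciphertexts.map(ciphertextVersion));
}

// Rotate, rewrap everything that is now behind, and only then raise
// min_decryption_version so the retired version is refused. For derived or
// convergent keys, body.context / body.nonce must be added to the rewrap call.
async function rotateAndUpgrade(transit, keyName, ciphertexts) {
  await transit.rotateTransitKey({ id: keyName });
  const info = (await transit.getTransitKey({ id: keyName })).data;
  const plan = planRewrap(info, ciphertexts);
  if (plan.undecryptable.length > 0) {
    throw new Error(`${plan.undecryptable.length} ciphertext(s) already below min_decryption_version ${info.min_decryption_version}; lower it and rewrap before rotating again`);
  }
  const upgraded = new Map();
  for (const ct of plan.rewrap) {
    const res = await transit.rewrapTransitCipherText({ id: keyName, body: { ciphertext: ct } });
    upgraded.set(ct, res.data.ciphertext);
  }
  const minVersion = safeMinDecryptionVersion(info, [...plan.current, ...upgraded.values()]);
  await transit.setTransitKeyConfig({ id: keyName, body: { min_decryption_version: minVersion } });
  return { plan, upgraded, minVersion };
}

// Stand-in for the four key-management methods (not the library's code). It
// tracks versions only; its rewrap rewrites the prefix because the payload is
// opaque here, whereas Vault decrypts and re-encrypts the data server-side.
class FakeKeyAdmin {
  constructor() { this.latest_version = 1; this.min_decryption_version = 1; }
  async rotateTransitKey(options, mountName = 'transit') { this.latest_version += 1; return {}; }
  async getTransitKey(options, mountName = 'transit') {
    return { data: { name: options.id, latest_version: this.latest_version, min_decryption_version: this.min_decryption_version } };
  }
  async rewrapTransitCipherText(options, mountName = 'transit') {
    if (ciphertextVersion(options.body.ciphertext) < this.min_decryption_version) throw new Error('below min_decryption_version');
    return { data: { ciphertext: options.body.ciphertext.replace(/^vault:v\d+:/, `vault:v${this.latest_version}:`) } };
  }
  async setTransitKeyConfig(options, mountName = 'transit') { this.min_decryption_version = options.body.min_decryption_version; return {}; }
}

async function demo() {
  const transit = new FakeKeyAdmin();
  const stored = ['vault:v1:aGVsbG8=', 'vault:v1:d29ybGQ=']; // constructed: two records encrypted under version 1
  const result = await rotateAndUpgrade(transit, 'orders', stored);
  return { ...result, minAfter: transit.min_decryption_version };
}

demo().then((r) => console.log(r.minVersion, [...r.upgraded.values()]));
```

The ordering is the point: min_decryption_version is raised only after every rewrap has succeeded and the stored ciphertexts have been replaced, because raising it first would make the old ciphertexts unreadable, and rewrap itself is refused for versions below the minimum. In a real deployment the rewrap loop also writes each new ciphertext back to wherever the old one was stored before the config call is made.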

setTransitKey(options, [mountName])

Creates a new named encryption key. The values set here cannot be changed after key creation.

Parameters:

  options.id (string)
      unique identifier for the key
  options.body.derived (boolean, optional)
      Boolean flag indicating that key derivation MUST be used: every encrypt, decrypt, rewrap and data-key call on this key must then supply a context, and ciphertext is bound to that context.
  options.body.convergent_encryption (boolean, optional)
      If set, the key supports convergent encryption, where the same plaintext (with the same context and nonce) creates the same ciphertext. This makes ciphertexts comparable for equality, and therefore also reveals when two records hold the same value. Requires derived to be set as well.
  options.token (string, optional)
      the authentication token
  mountName (string, optional, default: transit)
      path name the transit secret backend is mounted on

Returns:
  Promise

setTransitKeyConfig(options, [mountName])

Allows tuning configuration values for a given key. (These values are returned during a read operation on the named key; see getTransitKey.)

Parameters:

  options.id (string)
      unique identifier for the key
  options.body.min_decryption_version (number, optional)
      The minimum key version whose ciphertext may still be decrypted or rewrapped. Raise it only after existing ciphertext has been rewrapped to a newer version; anything still under an older version becomes undecryptable.
  options.body.deletion_allowed (boolean, optional)
      When set to true, the key may be deleted with deleteTransitKey.
  options.token (string, optional)
      the authentication token
  mountName (string, optional, default: transit)
      path name the transit secret backend is mounted on

Returns:
  Promise