@ruanbekker
Created April 7, 2019 16:51

## Description

Vault's transit secrets engine performs cryptographic operations on data in transit. Vault does not store the data sent to the engine, so it can also be viewed as encryption as a service.

![](https://learn.hashicorp.com/assets/images/vault-encryption.png)

### Enable

Enable the transit secrets engine using the /sys/mounts endpoint:

```
$ curl --header "X-Vault-Token: $VAULT_TOKEN" -XPOST -d '{"type": "transit", "description": "encs encryption"}' http://127.0.0.1:8200/v1/sys/mounts/transit
```

### Create the Key Ring

Create an encryption key ring named `fookey` using the transit/keys endpoint (a POST to transit/keys/fookey); a GET on the same endpoint reads back its configuration, including the key type and the versions it will encrypt and decrypt with:

```
$ curl -s --header "X-Vault-Token: $VAULT_TOKEN" -XGET http://127.0.0.1:8200/v1/transit/keys/fookey | jq
{
  "request_id": "8375227a-4a9f-a108-0b89-84c448419e80",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "allow_plaintext_backup": false,
    "deletion_allowed": false,
    "derived": false,
    "exportable": false,
    "keys": {
      "1": 1554654295
    },
    "latest_version": 1,
    "min_available_version": 0,
    "min_decryption_version": 1,
    "min_encryption_version": 0,
    "name": "fookey",
    "supports_decryption": true,
    "supports_derivation": true,
    "supports_encryption": true,
    "supports_signing": false,
    "type": "aes256-gcm96"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
```

Base64-encode the string (the transit endpoints expect base64-encoded plaintext):

```
$ base64 <<< "hello world"
aGVsbG8gd29ybGQK
```

### Encrypt

To encrypt the secret, POST the base64 plaintext to the transit/encrypt endpoint:

```
$ curl -s --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"plaintext": "aGVsbG8gd29ybGQK"}' http://127.0.0.1:8200/v1/transit/encrypt/fookey | jq
{
  "request_id": "ab00ba0f-9e45-0aca-e3c1-7765fd83fc3c",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "ciphertext": "vault:v1:Yo4U6xXFM2FoBOaUrw0w3EpSlJS6gmsa4HP1xKtjrk0+xSqi5Rvjvg=="
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
```

### Decrypt

Use the transit/decrypt endpoint to decrypt the ciphertext:

```
$ curl -s --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"ciphertext": "vault:v1:Yo4U6xXFM2FoBOaUrw0w3EpSlJS6gmsa4HP1xKtjrk0+xSqi5Rvjvg=="}' http://127.0.0.1:8200/v1/transit/decrypt/fookey | jq
{
  "request_id": "3d9743a0-2daf-823c-f413-8c8a90753479",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "plaintext": "aGVsbG8gd29ybGQK"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
```

Base64-decode the returned plaintext:

```
$ base64 --decode <<< "aGVsbG8gd29ybGQK"
hello world
```
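The same encrypt/decrypt round trip as a small client, added here as an example and not part of the original gist. It wraps the two endpoints above, validates the `vault:vN:...` ciphertext format before sending it, and checks a ciphertext's key version against the `data` object returned by GET transit/keys/<name> (the address, token and mount name are assumed; the `b64` helper also shows that `base64 <<< "hello world"` encodes the trailing newline, which is why the value above ends in `K`):

```python
import base64
import json
import re
import urllib.request

# Transit ciphertexts look like "vault:v<key version>:<base64 blob>".
_CT_RE = re.compile(r"^vault:v(\d+):([A-Za-z0-9+/]+={0,2})$")

def b64(data: bytes) -> str:
    """Transit only accepts base64 plaintext. Note that `base64 <<< "hello world"`
    also encodes the trailing newline, which is why the value above ends in 'K'."""
    return base64.b64encode(data).decode("ascii")

def parse_ciphertext(ciphertext: str) -> tuple:
    """Return (key version, blob) or raise; reject malformed input before it is sent."""
    m = _CT_RE.match(ciphertext)
    if not m:
        raise ValueError("not a transit ciphertext: %r" % ciphertext)
    return int(m.group(1)), m.group(2)

def decryptable(ciphertext: str, key_info: dict) -> bool:
    """True if the ciphertext's key version lies within the window the key still
    accepts, using the `data` object returned by GET transit/keys/<name>."""
    version, _ = parse_ciphertext(ciphertext)
    low = max(1, key_info["min_decryption_version"])
    return low <= version <= key_info["latest_version"]

class Transit:
    """Minimal client for the encrypt/decrypt endpoints (addr, token, mount assumed)."""

    def __init__(self, addr="http://127.0.0.1:8200", token=None, mount="transit"):
        self.addr, self.token, self.mount = addr, token, mount

    def _post(self, path: str, body: dict) -> dict:
        req = urllib.request.Request(
            "%s/v1/%s/%s" % (self.addr, self.mount, path),
            data=json.dumps(body).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
            method="POST")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["data"]

    def encrypt(self, key: str, plaintext: bytes) -> str:
        return self._post("encrypt/" + key, {"plaintext": b64(plaintext)})["ciphertext"]

    def decrypt(self, key: str, ciphertext: str) -> bytes:
        parse_ciphertext(ciphertext)  # fail fast on anything that is not vault:vN:...
        data = self._post("decrypt/" + key, {"ciphertext": ciphertext})
        return base64.b64decode(data["plaintext"])
```

`Transit("http://127.0.0.1:8200", token).encrypt("fookey", b"hello world")` returns a `vault:v1:` ciphertext and `decrypt` returns the original bytes; after a key rotation, `decryptable` tells you whether an old ciphertext is still within the key's decryption window.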

### More Info

Resources:

- https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit