Data Encryption
About Data Encryption
You can use the Vault service to encrypt and decrypt data that your applications use or generate.
Application developers can use Vault to encrypt data before storing it in their primary data store, without building encryption and decryption functionality of their own. The Vault service generates a log entry for every encryption and decryption event, so all data encryption and decryption activity is recorded.
APIs: Data Encryption
The following APIs expose the data encryption feature of the Vault service.
Creating New Encryption Key
API | /encryption/keys/ |
Description |
Creates a new named encryption key of the specified type. The values set here cannot be changed after key creation. |
Method | POST |
URL | /encryption/keys/<name> |
Parameters |
|
Header | X-Vault-Token: <token> |
Returns | A 204 response code. |
Retrieving Information of an Encryption Key
API | /encryption/keys/ |
Description | Returns information about a specified encryption key. In the returned value, the keys object shows the creation time of each key version. The returned values are not the keys themselves. The returned information varies by the type of key. For example, an asymmetric key returns its public key in a standard format for the type. |
Method | GET |
URL | /encryption/keys/<name> |
Parameters | None |
Header | X-Vault-Token: <token> |
Returns |
|
Retrieving a List of Keys
API | /encryption/keys/ |
Description | Returns a list of names of the keys. |
Method | LIST/GET |
URL | /encryption/keys (LIST) or /encryption/keys?list=true (GET) |
Parameters | None |
Header | X-Vault-Token: <token> |
Returns |
|
Deleting a Specified Encryption Key
API | /encryption/keys/ |
Description | Deletes the specified encryption key. After this operation, data encrypted with this key can no longer be decrypted. Note: Deletion succeeds only if the key's deletion_allowed parameter has been set through its /config endpoint. |
Method | DELETE |
URL | /encryption/keys/<name> |
Parameters | None |
Header | X-Vault-Token: <token> |
Returns | A 204 response code. |
Configuring a Specified Key
API | /encryption/keys/config |
Description | Sets configuration values for the specified key. The configuration values are applied during read operations on the specified key. |
Method | POST |
URL | /encryption/keys/<name>/config |
Parameters |
|
Header | X-Vault-Token: <token> |
Returns | A 204 response code. |
Rotating a Specified Version of the Key
API | /encryption/keys/rotate/ |
Description | Rotates the specified key to a new version. After rotation, every new encryption request is encrypted with the new version of the key. This operation is supported only for keys that support encryption and decryption operations. Note: To upgrade existing ciphertext so that it is encrypted with the latest version of the key, use the rewrap endpoint. See vault-service-data-encryption.html#reference_36decd1d-6189-41a6-81d6-31b68f01f4a5__rewraping_specified_ciphertext. |
Method | POST |
URL | /encryption/keys/<name>/rotate |
Parameters | None |
Header | X-Vault-Token: <token> |
Returns | A 204 response code. |
Retrieving a Specific Type of Key
API | /encryption/export/encryption-key/<name>(/<version>) |
Description | Returns the specified key. The key object shows the value of the key for each version. To retrieve a specific version, use the version option; to retrieve the current version, use the latest option. The information returned depends on the type of key. This operation is supported only for keys that were created with the exportable parameter and that have a valid version. |
Method | GET |
URL | /encryption/export/<key-type>/<name>/<version> |
Parameters | None |
Header | X-Vault-Token: <token> |
Returns |
|
Encrypting Plain Text
API | /encryption/encrypt/ |
Description | Encrypts the specified plaintext using the specified key. This operation supports only symmetric keys (aes256-gcm96). |
Method | POST |
URL | /encryption/encrypt/<name> |
Parameters |
|
Header | X-Vault-Token: <token> |
Returns |
|
Decrypting the Specified Ciphertext
API | /encryption/decrypt/ |
Description | Decrypts the specified ciphertext using the specified key. This operation supports only symmetric keys (aes256-gcm96). |
Method | POST |
URL | /encryption/decrypt/<name> |
Parameters |
|
Header | X-Vault-Token: <token> |
Returns |
|
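The encrypt and decrypt calls described above, as an added Go example that is not part of this reference and not the service's own client code. It assumes a JSON request body carrying a base64-encoded `plaintext` field (and `ciphertext` for decrypt) and a reply of the form `{"data": {"ciphertext": ...}}`; those field names follow the Vault transit API that these endpoints mirror, since the parameter tables on this page are empty. The example runs offline by routing requests through a recording transport that answers with constructed replies, so the request shape (path, `X-Vault-Token` header, base64 encoding of the plaintext) can be inspected without a live service.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// Client wraps the data-encryption endpoints; every request carries the
// caller's token in the X-Vault-Token header, as the reference tables show.
type Client struct {
	BaseURL, Token string
	HTTP           *http.Client
}

// post sends a JSON body and returns the "data" object of the JSON reply.
// The {"data": {...}} envelope is an assumption; the page shows no reply bodies.
func (c *Client) post(path string, body map[string]string) (map[string]string, error) {
	raw, _ := json.Marshal(body) // a map[string]string always marshals
	req, err := http.NewRequest("POST", c.BaseURL+path, bytes.NewReader(raw))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("POST %s: status %d", path, resp.StatusCode)
	}
	var reply struct {
		Data map[string]string `json:"data"`
	}
	err = json.NewDecoder(resp.Body).Decode(&reply)
	return reply.Data, err
}

// Encrypt: POST /encryption/encrypt/<name>. Plaintext is base64-encoded so
// arbitrary bytes survive JSON; the "plaintext"/"ciphertext" field names are
// assumed from the Vault transit API this page mirrors (the page lists none).
func (c *Client) Encrypt(name string, plaintext []byte) (string, error) {
	data, err := c.post("/encryption/encrypt/"+name,
		map[string]string{"plaintext": base64.StdEncoding.EncodeToString(plaintext)})
	return data["ciphertext"], err
}

// Decrypt: POST /encryption/decrypt/<name>; the reply carries base64 plaintext.
func (c *Client) Decrypt(name, ciphertext string) ([]byte, error) {
	data, err := c.post("/encryption/decrypt/"+name, map[string]string{"ciphertext": ciphertext})
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(data["plaintext"])
}

// recorded is what the client put on the wire for one call.
type recorded struct {
	Path, Token string
	Body        map[string]string
}

// roundTripFunc lets a closure serve as the HTTP transport, so the example
// runs offline against constructed replies instead of a live service.
type roundTripFunc func(*http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// roundTrip encrypts then decrypts through a recording transport and returns
// the captured calls together with the recovered plaintext.
func roundTrip() ([]recorded, []byte, error) {
	var calls []recorded
	reply := `{"data":{"ciphertext":"vault:v1:CONSTRUCTED"}}` // constructed, not a real reply
	c := &Client{BaseURL: "https://vault.example.invalid", Token: "token-placeholder",
		HTTP: &http.Client{Transport: roundTripFunc(func(req *http.Request) (*http.Response, error) {
			rec := recorded{Path: req.URL.Path, Token: req.Header.Get("X-Vault-Token")}
			raw, _ := io.ReadAll(req.Body)
			_ = json.Unmarshal(raw, &rec.Body)
			calls = append(calls, rec)
			return &http.Response{StatusCode: http.StatusOK, Header: http.Header{},
				Body: io.NopCloser(bytes.NewBufferString(reply)), Request: req}, nil
		})}}
	ct, err := c.Encrypt("orders", []byte("customer-note"))
	if err != nil {
		return nil, nil, err
	}
	// The fake service "decrypts" by echoing the original bytes back, base64-encoded.
	reply = `{"data":{"plaintext":"` + base64.StdEncoding.EncodeToString([]byte("customer-note")) + `"}}`
	pt, err := c.Decrypt("orders", ct)
	return calls, pt, err
}

func main() {
	fmt.Println(roundTrip())
}
```

Against a real deployment, replace the transport with the default one and point BaseURL at the service; the token in the header is the only credential the calls carry, so it should come from the application's own secret handling rather than a literal as in this offline run.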
Rewrapping the Specified Ciphertext
API | /encryption/rewrap/ |
Description | Rewraps the specified ciphertext using the latest version of the specified key. This operation does not return the plaintext, so it can be delegated to users or scripts that are not trusted with the decrypted data. |
Method | POST |
URL | /encryption/rewrap/<name> |
Parameters |
|
Header | X-Vault-Token: <token> |
Returns |
|
Generating a New High-Entropy Key
API | /encryption/datakey/ |
Description | Generates a new high-entropy key and returns it encrypted (wrapped) with the specified key. Optionally, the plaintext of the new key is returned as well. |
Method | POST |
URL | /encryption/datakey/<plaintext|wrapped>/<name> |
Parameters |
|
Header | X-Vault-Token: <token> |
Returns |
|
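The versioning behaviour behind the rotate, rewrap and datakey endpoints, as an added local model in Go that is not the service's own code. It keeps one named aes256-gcm96 key as a list of versions, tags ciphertext as `vault:v<N>:<base64>` (an assumption about the format; the page does not show one), decrypts under the version named in the tag rather than the current one, implements rewrap as a decrypt-then-encrypt whose plaintext never leaves the call, and returns a data key both in plaintext and wrapped so that bulk data can be sealed locally and stored beside the wrapped key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 96-bit nonce: the "96" in aes256-gcm96
}

// sealWith returns nonce||ciphertext||tag under a fresh random nonce.
func sealWith(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openWith reverses sealWith; GCM's tag check rejects any modified byte.
func openWith(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext shorter than a nonce")
}

// Keyring models one named aes256-gcm96 key; versions[0] is v1, the last entry is current.
type Keyring struct{ versions [][]byte }

// Rotate appends a fresh 256-bit key as the new current version; old ones stay decryptable.
func (k *Keyring) Rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.versions = append(k.versions, key)
	return nil
}

// Encrypt seals under the current version and tags the result "vault:v<N>:<b64>" (assumed format).
func (k *Keyring) Encrypt(plaintext []byte) (string, error) {
	if len(k.versions) == 0 {
		return "", fmt.Errorf("key has no versions; call Rotate first")
	}
	sealed, err := sealWith(k.versions[len(k.versions)-1], plaintext)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("vault:v%d:%s", len(k.versions), base64.StdEncoding.EncodeToString(sealed)), nil
}

func (k *Keyring) Decrypt(ciphertext string) ([]byte, error) {
	var v int
	var b64 string
	if _, err := fmt.Sscanf(ciphertext, "vault:v%d:%s", &v, &b64); err != nil || v < 1 || v > len(k.versions) {
		return nil, fmt.Errorf("malformed ciphertext or unknown key version: %q", ciphertext)
	}
	sealed, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	return openWith(k.versions[v-1], sealed) // the tagged version, not the current one
}

// Rewrap re-encrypts under the current version. The plaintext exists only inside
// this call, which is why rewrap can be delegated to callers that must never see it.
func (k *Keyring) Rewrap(ciphertext string) (string, error) {
	plaintext, err := k.Decrypt(ciphertext)
	if err != nil {
		return "", err
	}
	return k.Encrypt(plaintext)
}

// GenerateDataKey models the datakey endpoint: a fresh 256-bit key in plaintext for
// local bulk sealing, plus the same key wrapped under the named key for storage.
func (k *Keyring) GenerateDataKey() (plaintext []byte, wrapped string, err error) {
	plaintext = make([]byte, 32)
	if _, err = rand.Read(plaintext); err != nil {
		return nil, "", err
	}
	wrapped, err = k.Encrypt(plaintext)
	return plaintext, wrapped, err
}
```

The envelope pattern the datakey endpoint enables is: call GenerateDataKey, seal the record locally with the plaintext key (sealWith), store the sealed record next to the wrapped key, and discard the plaintext key; reading later means Decrypt on the wrapped key followed by openWith on the record, so the service only ever handles 32-byte keys rather than bulk data. Rotating the keyring does not invalidate stored wrapped keys, and Rewrap can move them to the newest version without exposing them.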
Generating Random Bytes
API | /encryption/random |
Description | Generates a string of high-quality random bytes of the specified length, suitable for cryptographic use. |
Method | POST |
URL | /encryption/random(/<bytes>) |
Parameters |
|
Header | X-Vault-Token: <token> |
Returns |
|
Generating a Hash of Specified Data
API | /encryption/hash |
Description | Generates the hash of given data using the specified algorithm. |
Method | POST |
URL | /encryption/hash(/<algorithm>) |
Parameters |
|
Header | X-Vault-Token: <token> |
Returns |
|
Generating the Digest of the Data
API | /encryption/hmac/ |
Description | Generates the digest of the given data using the specified hash algorithm and the specified key. The key can be of the type that is supported by the encryption API. A raw key is marshalled into bytes to be used for the HMAC function. If the key is of a type that supports rotation, the latest (current) version of the key is used. |
Method | POST |
URL | /encryption/hmac/<name>(/<algorithm>) |
Parameters |
|
Header | X-Vault-Token: <token> |
Returns |
|
Generating the Cryptographic Signature of the Specified Data
API | /encryption/sign/ |
Description | Generates the cryptographic signature of the given data using the specified key and the specified hash algorithm. The key must be of a type that supports signing. |
Method | POST |
URL | /encryption/sign/<name>(/<algorithm>) |
Parameters |
|
Header | X-Vault-Token: <token> |
Returns |
|
Validating a Signature
API | /encryption/verify/ |
Description | Validates the provided signature for the given data. |
Method | POST |
URL | /encryption/verify/<name>(/<algorithm>) |
Parameters |
|
Header | X-Vault-Token: <token> |
Returns |
|
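The hash, HMAC, sign and verify operations described in the last four sections, as an added Go model that is not the service's own implementation. The algorithm names `sha2-256` and `sha2-512` are assumed (they follow the Vault transit naming these endpoints mirror), and ed25519 stands in as one representative signing key type. What the model makes visible is which secret each operation needs: none for hash; the current version of a symmetric key for HMAC, with the version recorded so that verification can recompute under the same version and compare in constant time; the private key for sign; and only the public key for verify, which is all the key-read endpoint exposes for an asymmetric key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
)

// algorithms maps the <algorithm> path segment to a constructor. The names
// are assumed (they follow the Vault transit naming this page mirrors).
var algorithms = map[string]func() hash.Hash{
	"sha2-256": sha256.New,
	"sha2-512": sha512.New,
}

// Hash models /encryption/hash: a keyless digest, hex-encoded.
func Hash(algorithm string, data []byte) (string, error) {
	newHash, ok := algorithms[algorithm]
	if !ok {
		return "", fmt.Errorf("unsupported hash algorithm %q", algorithm)
	}
	h := newHash()
	h.Write(data)
	return hex.EncodeToString(h.Sum(nil)), nil
}

// HMACKey models a symmetric key with versions; the last entry is current.
type HMACKey struct{ versions [][]byte }

// HMAC models /encryption/hmac/<name>: the digest is keyed with the current
// version, and the version number is returned so it can be verified later.
func (k *HMACKey) HMAC(algorithm string, data []byte) (version int, tag []byte, err error) {
	newHash, ok := algorithms[algorithm]
	if !ok || len(k.versions) == 0 {
		return 0, nil, fmt.Errorf("unsupported algorithm %q or key without versions", algorithm)
	}
	mac := hmac.New(newHash, k.versions[len(k.versions)-1])
	mac.Write(data)
	return len(k.versions), mac.Sum(nil), nil
}

// VerifyHMAC recomputes the digest under the version the tag was made with and
// compares in constant time, so timing does not leak how many bytes matched.
func (k *HMACKey) VerifyHMAC(algorithm string, data []byte, version int, tag []byte) bool {
	newHash, ok := algorithms[algorithm]
	if !ok || version < 1 || version > len(k.versions) {
		return false
	}
	mac := hmac.New(newHash, k.versions[version-1])
	mac.Write(data)
	return hmac.Equal(mac.Sum(nil), tag)
}

// SigningKey models an asymmetric (ed25519) key: Sign needs the private half,
// Verify only the public half, which is all the key-read endpoint ever returns.
type SigningKey struct{ priv ed25519.PrivateKey }

func NewSigningKey() (*SigningKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningKey{priv: priv}, nil
}

// Public is what a "read key" call would expose for this key type.
func (s *SigningKey) Public() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Sign models /encryption/sign/<name>. Ed25519 hashes internally, so no
// <algorithm> segment is needed for this key type.
func (s *SigningKey) Sign(data []byte) []byte { return ed25519.Sign(s.priv, data) }

// Verify models /encryption/verify/<name> for a signature: it uses only the
// public key, so it can run anywhere the public key is trusted.
func Verify(pub ed25519.PublicKey, data, signature []byte) bool {
	return len(signature) == ed25519.SignatureSize && ed25519.Verify(pub, data, signature)
}

func main() {
	k := &HMACKey{versions: [][]byte{[]byte("key")}} // constructed demo key, not a real secret
	v, tag, _ := k.HMAC("sha2-256", []byte("The quick brown fox jumps over the lazy dog"))
	fmt.Printf("hmac v%d %x\n", v, tag)
	s, _ := NewSigningKey()
	sig := s.Sign([]byte("invoice-42"))
	fmt.Println("signature valid:", Verify(s.Public(), []byte("invoice-42"), sig))
}
```

The practical difference between the two verify paths is where they can run: an HMAC check needs the symmetric key, so it belongs behind the verify endpoint where the key lives, while a signature check needs only the public key and can be done by any party that has fetched it through the key-read endpoint.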