Class VaultTransitSecretEngine


  • @ApplicationScoped
    public class VaultTransitSecretEngine
    extends Object
    A service that interacts with HashiCorp Vault's Transit secrets engine to encrypt, decrypt, rewrap, sign and verify arbitrary data, and to manage the Transit keys it uses. Key material never leaves Vault unless a key is explicitly made exportable.
    See Also:
    Transit Secrets Engine
    • Method Detail

      • encrypt

        public String encrypt​(String keyName,
                              String clearData)
        Encrypt a regular string with a Vault key configured in the transit secret engine. Equivalent to: encrypt(keyName, ClearData.from(clearData), null);

        This method is usually used in conjunction with decrypt(String, String)

        Parameters:
        keyName - the key to encrypt the data with
        clearData - the string to encrypt
        Returns:
        cipher text
        See Also:
        encrypt data
      • encrypt

        public String encrypt​(String keyName,
                              ClearData clearData,
                              TransitContext transitContext)
        Encrypt arbitrary data with a Vault key configured in the Transit secrets engine. If the key does not exist and the policy grants the create capability on the key path, the key is created lazily (i.e. upsert) with Vault's default key type; a misspelled key name therefore silently encrypts under a freshly created key instead of failing, so do not grant the create capability where that behaviour is not wanted. The key can be further customized by specifying the transit encryption-key configuration properties.
        Parameters:
        keyName - the key to encrypt the data with
        clearData - the data to encrypt
        transitContext - optional transit context used for key derivation; required when the key was created with derivation enabled, null otherwise
        Returns:
        cipher text
        See Also:
        encrypt data
      • encrypt

        public Map<EncryptionRequest,​String> encrypt​(String keyName,
                                                           List<EncryptionRequest> requests)
        Encrypt a list of elements in a single call and return a map from each request to its cipher text. Each element shall specify the data to encrypt, an optional key version and an optional transit context, used for key derivation if applicable. If any error occurs, the service will throw a VaultEncryptionBatchException.
        Parameters:
        keyName - the key to encrypt the data with
        requests - the list of elements to encrypt
        Returns:
        a map of each request and its corresponding cipher text
        See Also:
        encrypt data
      • decrypt

        public ClearData decrypt​(String keyName,
                                 String ciphertext)
        Decrypt the encrypted data with the specified key, and return unencrypted data.
        Parameters:
        keyName - the key that was used to encrypt the original data
        ciphertext - the encrypted data
        Returns:
        the unencrypted data
        See Also:
        decrypt data
      • decrypt

        public ClearData decrypt​(String keyName,
                                 String ciphertext,
                                 TransitContext transitContext)
        Decrypt the encrypted data with the specified key and a transit context used for key derivation.
        Parameters:
        keyName - the key that was used to encrypt the original data
        ciphertext - data to decrypt
        transitContext - optional transit context used for key derivation
        Returns:
        the unencrypted data
        See Also:
        decrypt data, create key derived attribute
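        Putting encrypt(String, ClearData, TransitContext) and decrypt(String, String, TransitContext) together, as an added example that is not part of the Quarkus Vault extension's own code: a per-tenant cipher that passes the tenant id as the transit context, so that a cipher text produced for one tenant cannot be opened under another tenant's context. It assumes a Quarkus 3 application (jakarta namespace) with the quarkus-vault extension configured against a reachable Vault, a Transit key named tenant-data created with derivation enabled, and the helpers TransitContext.fromContext(String), ClearData.asString() and io.quarkus.vault.VaultException, none of which are shown on this page; the package, class and key names are hypothetical.

```java
package org.acme.vault; // hypothetical package

import io.quarkus.vault.VaultException;
import io.quarkus.vault.VaultTransitSecretEngine;
import io.quarkus.vault.transit.ClearData;
import io.quarkus.vault.transit.TransitContext;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;

/**
 * Encrypts per-tenant records under a derived Transit key. The tenant id is
 * passed as the transit context, so Vault derives a separate key per tenant
 * from "tenant-data". A cipher text produced for one tenant therefore cannot
 * be decrypted by a caller that only knows another tenant's context.
 */
@ApplicationScoped
public class TenantRecordCipher {

    // Assumed key name; it must have been created with derived=true,
    // otherwise the context has no effect and every tenant shares one key.
    static final String KEY = "tenant-data";

    @Inject
    VaultTransitSecretEngine transit;

    /** Encrypts plaintext for the given tenant; returns a "vault:vN:..." cipher text. */
    public String encryptForTenant(String tenantId, String plaintext) {
        return transit.encrypt(KEY, ClearData.from(plaintext), TransitContext.fromContext(tenantId));
    }

    /** Decrypts a cipher text that was produced for the given tenant. */
    public String decryptForTenant(String tenantId, String ciphertext) {
        return transit.decrypt(KEY, ciphertext, TransitContext.fromContext(tenantId)).asString();
    }

    /**
     * Startup smoke test with a constructed record: tenant "acme" must be able
     * to read its own cipher text back, and the same cipher text must be
     * rejected when decrypted under tenant "globex"'s context.
     */
    public boolean contextBindingHolds() {
        String record = "card=4111111111111111;exp=12/29"; // constructed sample input
        String ciphertext = encryptForTenant("acme", record);

        boolean ownerCanRead = record.equals(decryptForTenant("acme", ciphertext));

        boolean otherTenantRejected;
        try {
            decryptForTenant("globex", ciphertext);
            otherTenantRejected = false; // only possible if KEY is not a derived key
        } catch (VaultException e) {
            otherTenantRejected = true;  // Vault derived a different key; AEAD check failed
        }
        return ownerCanRead && otherTenantRejected;
    }
}
```

        The context is not a secret, but it is part of what the cipher text is bound to: store it (or derive it deterministically from the record's owner) alongside the cipher text, or the data cannot be recovered. If contextBindingHolds() returns false, the key was created without derivation and the context is being ignored.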
      • decrypt

        public Map<DecryptionRequest,​ClearData> decrypt​(String keyName,
                                                              List<DecryptionRequest> requests)
        Decrypt a list of encrypted data items in a single call. Each item shall specify the encrypted data plus an optional transit context used for key derivation (if applicable). If any error occurs, the service will throw a VaultDecryptionBatchException.
        Parameters:
        keyName - the key that was used to encrypt the original data
        requests - the list of encrypted data items
        Returns:
        a map of each request with its corresponding decrypted data item
        See Also:
        decrypt data
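        The batch variants encrypt(String, List<EncryptionRequest>) and decrypt(String, List<DecryptionRequest>) return a map keyed by the request objects and signal any failed item by throwing. The following added example (not code from the Quarkus Vault extension) wraps both so that results and errors come back by input position, and checks that one corrupted cipher text in a batch is reported rather than silently dropped. It assumes the constructors EncryptionRequest(ClearData) and DecryptionRequest(String), the accessors getValid() and getErrors() on the two batch exceptions (in package io.quarkus.vault.transit), ClearData.asString(), and a Transit key named pii; package, class and key names are hypothetical.

```java
package org.acme.vault; // hypothetical package

import io.quarkus.vault.VaultTransitSecretEngine;
import io.quarkus.vault.transit.ClearData;
import io.quarkus.vault.transit.DecryptionRequest;
import io.quarkus.vault.transit.EncryptionRequest;
import io.quarkus.vault.transit.VaultDecryptionBatchException;
import io.quarkus.vault.transit.VaultEncryptionBatchException;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Bulk encryption and decryption, one Vault round trip per batch. The engine
 * throws as soon as any item in a batch fails; this wrapper turns the outcome
 * into per-index results and per-index errors so the caller can decide
 * whether a partial batch is acceptable.
 */
@ApplicationScoped
public class BatchFieldCipher {

    static final String KEY = "pii"; // assumed key name

    @Inject
    VaultTransitSecretEngine transit;

    /** Keyed by position in the input list: ok holds outputs, errors holds Vault's messages. */
    public record BatchResult(Map<Integer, String> ok, Map<Integer, String> errors) {
        public boolean complete() { return errors.isEmpty(); }
    }

    public BatchResult encryptAll(List<String> plaintexts) {
        // The returned map is keyed by the request instances, so keep them in
        // a list to recover the input position of each result.
        List<EncryptionRequest> requests = new ArrayList<>();
        for (String p : plaintexts) {
            requests.add(new EncryptionRequest(ClearData.from(p)));
        }
        Map<EncryptionRequest, String> results;
        Map<EncryptionRequest, String> errors = Map.of();
        try {
            results = transit.encrypt(KEY, requests);
        } catch (VaultEncryptionBatchException e) {
            results = e.getValid();  // assumed accessor: the items that did succeed
            errors = e.getErrors();  // assumed accessor: request -> Vault error message
        }
        return byIndex(requests, results, errors);
    }

    public BatchResult decryptAll(List<String> ciphertexts) {
        List<DecryptionRequest> requests = new ArrayList<>();
        for (String c : ciphertexts) {
            requests.add(new DecryptionRequest(c));
        }
        Map<DecryptionRequest, ClearData> results;
        Map<DecryptionRequest, String> errors = Map.of();
        try {
            results = transit.decrypt(KEY, requests);
        } catch (VaultDecryptionBatchException e) {
            results = e.getValid();
            errors = e.getErrors();
        }
        Map<DecryptionRequest, String> plain = new LinkedHashMap<>();
        results.forEach((req, data) -> plain.put(req, data.asString()));
        return byIndex(requests, plain, errors);
    }

    private static <R> BatchResult byIndex(List<R> requests, Map<R, String> results, Map<R, String> errors) {
        Map<Integer, String> ok = new LinkedHashMap<>();
        Map<Integer, String> failed = new LinkedHashMap<>();
        for (int i = 0; i < requests.size(); i++) {
            R req = requests.get(i);
            if (results.containsKey(req)) {
                ok.put(i, results.get(req));
            } else {
                failed.put(i, errors.getOrDefault(req, "no result returned for item " + i));
            }
        }
        return new BatchResult(ok, failed);
    }

    /**
     * Smoke test with constructed input: encrypts two fields, corrupts the tail
     * (the authentication tag region) of the second cipher text, and checks that
     * the first still decrypts while the second is reported as an error.
     */
    public boolean corruptItemIsIsolated() {
        BatchResult enc = encryptAll(List.of("alice@example.test", "+1-555-0100"));
        if (!enc.complete()) return false;
        String intact = enc.ok().get(0);
        String second = enc.ok().get(1);
        String corrupted = second.substring(0, second.length() - 4) + "AAAA";
        BatchResult dec = decryptAll(List.of(intact, corrupted));
        return "alice@example.test".equals(dec.ok().get(0)) && dec.errors().containsKey(1);
    }
}
```

        Treat BatchResult.complete() as the success condition for writes: persisting a batch that is only partly encrypted is how plaintext ends up in a column that is supposed to hold cipher text.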
      • rewrap

        public String rewrap​(String keyName,
                             String ciphertext)
        Re-encrypt a cipher text that was produced with an older version of the key so that it is protected by the latest key version. The re-encryption happens inside Vault, so the plaintext is never returned to the caller; this is how stored cipher texts are migrated after a key rotation.
        Parameters:
        keyName - the encryption key that was used for the previous encryption
        ciphertext - the old cipher text that needs rewrapping
        Returns:
        the same data re-encrypted under the latest key version, as a new cipher text
        See Also:
        rewrap data, working set management
      • rewrap

        public String rewrap​(String keyName,
                             String ciphertext,
                             TransitContext transitContext)
        Re-encrypt a cipher text that was produced with an older version of the key so that it is protected by the latest key version, using an optional transit context for key derivation. The re-encryption happens inside Vault, so the plaintext is never returned to the caller.
        Parameters:
        keyName - the encryption key that was used for the previous encryption
        ciphertext - the old cipher text that needs rewrapping
        transitContext - optional transit context used for key derivation
        Returns:
        the same data re-encrypted under the latest key version, as a new cipher text
        See Also:
        rewrap data, working set management
      • rewrap

        public Map<RewrappingRequest,​String> rewrap​(String keyName,
                                                          List<RewrappingRequest> requests)
        Re-encrypt a list of cipher texts with the latest version of the specified key. Each item shall specify a cipher text to re-encrypt, an optional key version, and an optional transit context used for key derivation, if applicable. If any error occurs, the service will throw a VaultRewrappingBatchException.
        Parameters:
        keyName - the encryption key that was used for the previous encryptions
        requests - the list of items to reencrypt
        Returns:
        a map of each request with its corresponding re-encrypted cipher text
        See Also:
        rewrap data, working set management
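        Working-set management after a rotation, as an added example that is not code from the Quarkus Vault extension: it finds stored cipher texts that are older than the key's latest version, rewraps them in one batch with rewrap(String, List<RewrappingRequest>), and only once nothing in the store is stale raises the key's minimum decryption version through updateKeyConfiguration(String, KeyConfigRequestDetail). It relies on the fact that Vault Transit cipher texts start with a "vault:v<N>:" prefix carrying the key version (a Vault format property, not something this page states), and assumes the constructor RewrappingRequest(String), VaultTransitKeyDetail.getLatestVersion(), the setter KeyConfigRequestDetail.setMinDecryptionVersion(int), a key named records, and that the rotation itself was triggered out of band (for example with the vault CLI); package, class and key names are hypothetical.

```java
package org.acme.vault; // hypothetical package

import io.quarkus.vault.VaultTransitSecretEngine;
import io.quarkus.vault.transit.KeyConfigRequestDetail;
import io.quarkus.vault.transit.RewrappingRequest;
import io.quarkus.vault.transit.VaultTransitKeyDetail;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Migrates a store of Transit cipher texts to the latest key version. Stale
 * records are identified from the "vault:v<N>:" prefix without decrypting
 * anything, rewrapped inside Vault (plaintext never reaches this process), and
 * only then are older versions retired by raising min_decryption_version.
 */
@ApplicationScoped
public class KeyRotationRewrapper {

    static final String KEY = "records"; // assumed key name
    private static final Pattern VERSION_PREFIX = Pattern.compile("^vault:v(\\d+):");

    @Inject
    VaultTransitSecretEngine transit;

    /** Key version a Transit cipher text was produced with, or -1 if the prefix is malformed. */
    public static int keyVersionOf(String ciphertext) {
        Matcher m = VERSION_PREFIX.matcher(ciphertext);
        return m.find() ? Integer.parseInt(m.group(1)) : -1;
    }

    /** Latest version of KEY as reported by Vault. */
    public int latestVersion() {
        return transit.readKey(KEY)
                .map(VaultTransitKeyDetail::getLatestVersion) // assumed accessor
                .orElseThrow(() -> new IllegalStateException("transit key " + KEY + " does not exist"));
    }

    /**
     * Rewraps every cipher text in the store that is older than the latest key
     * version and returns the updated store (record id -> cipher text). Entries
     * already at the latest version are left untouched.
     */
    public Map<String, String> rewrapStale(Map<String, String> store) {
        int latest = latestVersion();
        List<String> staleIds = new ArrayList<>();
        List<RewrappingRequest> requests = new ArrayList<>();
        for (Map.Entry<String, String> e : store.entrySet()) {
            if (keyVersionOf(e.getValue()) < latest) {
                staleIds.add(e.getKey());
                requests.add(new RewrappingRequest(e.getValue()));
            }
        }
        if (requests.isEmpty()) {
            return store;
        }
        // Throws VaultRewrappingBatchException if any item fails; it is left to
        // propagate so a half-migrated working set is noticed, not hidden.
        Map<RewrappingRequest, String> rewrapped = transit.rewrap(KEY, requests);

        Map<String, String> updated = new LinkedHashMap<>(store);
        for (int i = 0; i < staleIds.size(); i++) {
            updated.put(staleIds.get(i), rewrapped.get(requests.get(i)));
        }
        return updated;
    }

    /**
     * Retires older key versions. This is only safe once the whole store has been
     * rewrapped: any cipher text still under an older version would become
     * permanently undecryptable, so the method refuses otherwise.
     */
    public void retireOldVersions(Map<String, String> store) {
        int latest = latestVersion();
        boolean allCurrent = store.values().stream().allMatch(c -> keyVersionOf(c) == latest);
        if (!allCurrent) {
            throw new IllegalStateException("store still holds cipher texts under older key versions");
        }
        KeyConfigRequestDetail detail = new KeyConfigRequestDetail();
        detail.setMinDecryptionVersion(latest); // assumed setter name
        transit.updateKeyConfiguration(KEY, detail);
    }
}
```

        Run rewrapStale() until it returns the store unchanged, persist the result, and only then call retireOldVersions(); doing it in the opposite order is the common way to lose data during a rotation.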
      • sign

        public String sign​(String keyName,
                           String input)
        Sign an input string with the specified key.
        Parameters:
        keyName - the signing key to use
        input - String to sign
        Returns:
        the signature
        See Also:
        sign data
      • sign

        public String sign​(String keyName,
                           SigningInput input,
                           TransitContext transitContext)
        Sign the input with the specified key and an optional transit context used for key derivation, if applicable.
        Parameters:
        keyName - the signing key to use
        input - data to sign
        transitContext - optional transit context used for key derivation
        Returns:
        the signature
        See Also:
        sign data
      • sign

        public String sign​(String keyName,
                           SigningInput input,
                           SignVerifyOptions options,
                           TransitContext transitContext)
        Sign the input with the specified key, optional explicit sign/verify options, and an optional transit context used for key derivation, if applicable.
        Parameters:
        keyName - the signing key to use
        input - data to sign
        options - optional explicit sign/verify options
        transitContext - optional transit context used for key derivation
        Returns:
        the signature
        See Also:
        sign data
      • sign

        public Map<SigningRequest,​String> sign​(String keyName,
                                                     List<SigningRequest> requests)
        Sign a list of input items. Each item shall specify the input to sign, an optional key version, and an optional transit context used for key derivation, if applicable. If any error occurs, the service will throw a VaultSigningBatchException.
        Parameters:
        keyName - the signing key to use
        requests - the list of inputs to sign
        Returns:
        a map of each request with its corresponding signature item
        See Also:
        sign data
      • sign

        public Map<SigningRequest,​String> sign​(String keyName,
                                                     List<SigningRequest> requests,
                                                     SignVerifyOptions options)
        Sign a list of input items with optional explicit sign/verify options. Each item shall specify the input to sign, an optional key version, and an optional transit context used for key derivation, if applicable. If any error occurs, the service will throw a VaultSigningBatchException.
        Parameters:
        keyName - the signing key to use
        requests - the list of inputs to sign
        options - optional explicit sign/verify options
        Returns:
        a map of each request with its corresponding signature item
        See Also:
        sign data
      • verifySignature

        public void verifySignature​(String keyName,
                                    String signature,
                                    String input)
        Checks that the signature was obtained from signing the input with the specified key. The service will throw a VaultException if this is not the case.
        Parameters:
        keyName - the key that was used to sign the input
        signature - the signature obtained from one of the sign methods
        input - the original input data
        See Also:
        verify signed data
      • verifySignature

        public void verifySignature​(String keyName,
                                    String signature,
                                    SigningInput input,
                                    TransitContext transitContext)
        Checks that the signature was obtained from signing the input with the specified key. The service will throw a VaultException if this is not the case.
        Parameters:
        keyName - the key that was used to sign the input
        signature - the signature obtained from one of the sign methods
        input - the original input data
        transitContext - optional transit context used for key derivation
        See Also:
        verify signed data
      • verifySignature

        public void verifySignature​(String keyName,
                                    String signature,
                                    SigningInput input,
                                    SignVerifyOptions options,
                                    TransitContext transitContext)
        Checks that the signature was obtained from signing the input with the specified key and optional explicit sign/verify options. The service will throw a VaultException if this is not the case.
        Parameters:
        keyName - the key that was used to sign the input
        signature - the signature obtained from one of the sign methods
        input - the original input data
        options - optional explicit sign/verify options
        transitContext - optional transit context used for key derivation
        See Also:
        verify signed data
      • verifySignature

        public void verifySignature​(String keyName,
                                    List<VerificationRequest> requests)
        Checks a list of verification requests. Each request shall specify an input, the signature we want to match against, and an optional transit context used for key derivation, if applicable. If any signature does not match, or if any other error occurs, the service will throw a VaultVerificationBatchException.
        Parameters:
        keyName - the key that was used to sign the input
        requests - a list of items specifying an input and a signature to match against
        See Also:
        verify signed data
      • verifySignature

        public void verifySignature​(String keyName,
                                    List<VerificationRequest> requests,
                                    SignVerifyOptions options)
        Checks a list of verification requests with optional explicit sign/verify options. Each request shall specify an input, the signature we want to match against, and an optional transit context used for key derivation, if applicable. If any signature does not match, or if any other error occurs, the service will throw a VaultVerificationBatchException.
        Parameters:
        keyName - the key that was used to sign the input
        requests - a list of items specifying an input and a signature to match against
        options - optional explicit sign/verify options
        See Also:
        verify signed data
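        The sign and verifySignature methods above signal a bad signature by throwing rather than by returning false. The following added example (not code from the Quarkus Vault extension) signs webhook payloads with explicit SignVerifyOptions pinned on both sides, converts the throw into a boolean, and uses the batch form to report which of several messages failed. It assumes an asymmetric Transit key named webhook that supports the pss signature algorithm (for example an RSA key), the setters SignVerifyOptions.setHashAlgorithm(String) and setSignatureAlgorithm(String), SigningInput.from(String), the constructor VerificationRequest(String signature, SigningInput input), getErrors() on VaultVerificationBatchException (package io.quarkus.vault.transit) and io.quarkus.vault.VaultException; package, class and key names are hypothetical.

```java
package org.acme.vault; // hypothetical package

import io.quarkus.vault.VaultException;
import io.quarkus.vault.VaultTransitSecretEngine;
import io.quarkus.vault.transit.SignVerifyOptions;
import io.quarkus.vault.transit.SigningInput;
import io.quarkus.vault.transit.VaultVerificationBatchException;
import io.quarkus.vault.transit.VerificationRequest;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.util.ArrayList;
import java.util.List;

/**
 * Signs outgoing webhook bodies with a Transit signing key and verifies
 * incoming ones. The hash and signature algorithms are pinned explicitly so
 * that "valid" means the same thing on both sides regardless of the key's
 * defaults in Vault.
 */
@ApplicationScoped
public class WebhookSigner {

    static final String KEY = "webhook"; // assumed key name (asymmetric, RSA-style key)

    @Inject
    VaultTransitSecretEngine transit;

    private static SignVerifyOptions options() {
        SignVerifyOptions o = new SignVerifyOptions();
        o.setHashAlgorithm("sha2-256");   // assumed setter names
        o.setSignatureAlgorithm("pss");
        return o;
    }

    /** Signs the exact bytes that will be sent; any later re-serialization breaks verification. */
    public String sign(String payload) {
        return transit.sign(KEY, SigningInput.from(payload), options(), null);
    }

    /** Returns true if the signature matches; the engine reports a mismatch by throwing. */
    public boolean verify(String payload, String signature) {
        try {
            transit.verifySignature(KEY, signature, SigningInput.from(payload), options(), null);
            return true;
        } catch (VaultException e) {
            return false;
        }
    }

    /** Verifies many (payload, signature) pairs in one call; returns the input positions that failed. */
    public List<Integer> verifyAll(List<String> payloads, List<String> signatures) {
        List<VerificationRequest> requests = new ArrayList<>();
        for (int i = 0; i < payloads.size(); i++) {
            requests.add(new VerificationRequest(signatures.get(i), SigningInput.from(payloads.get(i))));
        }
        try {
            transit.verifySignature(KEY, requests, options());
            return List.of();
        } catch (VaultVerificationBatchException e) {
            List<Integer> failed = new ArrayList<>();
            for (int i = 0; i < requests.size(); i++) {
                if (e.getErrors().containsKey(requests.get(i))) { // assumed accessor
                    failed.add(i);
                }
            }
            return failed;
        }
    }

    /** Smoke test with constructed payloads: a body altered after signing must not verify. */
    public boolean tamperIsDetected() {
        String body = "{\"event\":\"order.paid\",\"amount\":1999}";
        String sig = sign(body);
        boolean genuine = verify(body, sig);
        boolean tampered = verify("{\"event\":\"order.paid\",\"amount\":1}", sig);
        List<Integer> failed = verifyAll(List.of(body, "{\"event\":\"order.paid\",\"amount\":1}"), List.of(sig, sig));
        return genuine && !tampered && failed.equals(List.of(1));
    }
}
```

        Catch VaultException, not a more general Throwable: a network or permission failure is also a VaultException, so verify() already treats "could not verify" the same as "invalid", which is the safe default for an authenticity check.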
      • createKey

        public void createKey​(String keyName,
                              KeyCreationRequestDetail detail)
        Create a new Transit key.
        Parameters:
        keyName - key name
        detail - key creation detail or null
        See Also:
        create key
      • updateKeyConfiguration

        public void updateKeyConfiguration​(String keyName,
                                           KeyConfigRequestDetail detail)
        Update the configuration of a Transit key. The key must exist.
        Parameters:
        keyName - key name
        detail - key configuration detail
        See Also:
        update key configuration
      • deleteKey

        public void deleteKey​(String keyName)
        Delete a Transit key. The key must exist and must have been configured with deletion allowed. Deleting a key makes every cipher text and signature produced under it permanently unrecoverable and unverifiable.
        Parameters:
        keyName - key name
        See Also:
        delete key
      • exportKey

        public VaultTransitKeyExportDetail exportKey​(String keyName,
                                                     VaultTransitExportKeyType keyType,
                                                     String keyVersion)
        Export a Transit key. The key must exist and must have been made exportable at creation or through a configuration update. Exported material leaves Vault's control, so a key should not be made exportable unless an export is actually required.
        Parameters:
        keyName - name of the key
        keyType - key type
        keyVersion - null, "latest" or a valid version number as a String. If null, all versions will be returned
        Returns:
        All specified key versions
        See Also:
        export key
      • readKey

        public Optional<VaultTransitKeyDetail<?>> readKey​(String keyName)
        Read the configuration of a Transit key.
        Parameters:
        keyName - key name
        Returns:
        key detail, or an empty Optional if the key does not exist
        See Also:
        read key
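        Key lifecycle with createKey, readKey, listKeys, updateKeyConfiguration and deleteKey, as an added example that is not code from the Quarkus Vault extension: it creates a key with restrictive settings instead of relying on the lazy upsert that encrypt() performs with Vault's defaults, reports which keys are exportable, and performs the two-step deletion that Vault requires. It assumes the setters KeyCreationRequestDetail.setType(String), setDerived(boolean), setExportable(boolean) and setAllowPlaintextBackup(boolean), KeyConfigRequestDetail.setDeletionAllowed(boolean), and the accessors getType(), getLatestVersion(), getMinDecryptionVersion(), isExportable() and isDeletionAllowed() on VaultTransitKeyDetail; package and class names are hypothetical.

```java
package org.acme.vault; // hypothetical package

import io.quarkus.vault.VaultTransitSecretEngine;
import io.quarkus.vault.transit.KeyConfigRequestDetail;
import io.quarkus.vault.transit.KeyCreationRequestDetail;
import io.quarkus.vault.transit.VaultTransitKeyDetail;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

/**
 * Administrative operations on Transit keys: explicit creation with a locked
 * down configuration, inventory of keys whose material can leave Vault, and
 * the deliberately two-step deletion.
 */
@ApplicationScoped
public class TransitKeyAdmin {

    @Inject
    VaultTransitSecretEngine transit;

    /**
     * Creates an application key with derivation on, export and plaintext backup
     * off, and deletion not allowed (Vault's default). Creating it explicitly means
     * a typo elsewhere cannot upsert a key with looser defaults under this name.
     */
    public void createDerivedKey(String keyName) {
        if (transit.readKey(keyName).isPresent()) {
            throw new IllegalStateException("key already exists: " + keyName);
        }
        KeyCreationRequestDetail detail = new KeyCreationRequestDetail();
        detail.setType("aes256-gcm96");     // assumed setter names
        detail.setDerived(true);
        detail.setExportable(false);
        detail.setAllowPlaintextBackup(false);
        transit.createKey(keyName, detail);
    }

    /** One-line summary of a key's state for an audit report, or empty if the key does not exist. */
    public Optional<String> describe(String keyName) {
        return transit.readKey(keyName).map(k -> String.format(
                "%s type=%s latest=v%d minDecrypt=v%d exportable=%s deletable=%s",
                keyName, k.getType(), k.getLatestVersion(), k.getMinDecryptionVersion(),
                k.isExportable(), k.isDeletionAllowed())); // assumed accessor names
    }

    /** Names of all keys whose material can be exported out of Vault. */
    public List<String> exportableKeys() {
        List<String> out = new ArrayList<>();
        for (String name : transit.listKeys()) {
            transit.readKey(name)
                    .filter(VaultTransitKeyDetail::isExportable)
                    .ifPresent(k -> out.add(name));
        }
        return out;
    }

    /**
     * Deletes a key. Vault refuses deleteKey() unless deletion_allowed is set on
     * the key, so the flag is turned on first. Every cipher text and signature
     * produced under the key becomes permanently unrecoverable.
     */
    public void destroyKey(String keyName) {
        VaultTransitKeyDetail<?> key = transit.readKey(keyName)
                .orElseThrow(() -> new IllegalArgumentException("no such key: " + keyName));
        if (!key.isDeletionAllowed()) {
            KeyConfigRequestDetail detail = new KeyConfigRequestDetail();
            detail.setDeletionAllowed(true); // assumed setter name
            transit.updateKeyConfiguration(keyName, detail);
        }
        transit.deleteKey(keyName);
    }
}
```

        Keep destroyKey() behind a separate, more tightly scoped Vault policy than the one used for encrypt and decrypt; the two-step flag exists precisely so that the credentials used for routine data access cannot delete the key by accident.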
      • listKeys

        public List<String> listKeys()
        List all Transit keys.
        Returns:
        key names
        See Also:
        list keys