-
Notifications
You must be signed in to change notification settings - Fork 20
Transit Secrets Engine
github-actions[bot] edited this page Sep 15, 2025
·
1 revision
The Transit Secrets Engine provides cryptographic operations as a service, allowing you to encrypt, decrypt, sign, verify, and generate data keys without exposing the underlying cryptographic keys to your application.
- Create Keys: Generate encryption keys with various algorithms
- Read Key Configuration: Retrieve key metadata and configuration
- Update Key Configuration: Modify key settings like rotation periods
- List Keys: Get all keys in the transit engine
- Delete Keys: Remove keys (when deletion is allowed)
- Rotate Keys: Generate new key versions
- Export Keys: Export keys for backup (when exportable)
- Backup/Restore Keys: Create and restore key backups
- Encrypt/Decrypt: Symmetric encryption and decryption
- Rewrap: Re-encrypt data with a new key version
- Sign/Verify: Digital signatures with various algorithms
- HMAC Generation/Verification: Hash-based message authentication
- Data Key Generation: Generate wrapped or plaintext data keys
- Random Generation: Generate cryptographically secure random bytes
- Hashing: Generate hashes with various algorithms
- Batch Operations: Process multiple items in a single request
- Key Trimming: Remove old key versions to save space
- Convergent Encryption: Enable deterministic encryption
- Key Derivation: Enable key derivation for context-based encryption
-
aes256-gcm96- AES-256 in GCM mode with 96-bit IV -
chacha20-poly1305- ChaCha20-Poly1305 AEAD
-
ed25519- Ed25519 digital signature algorithm -
ecdsa-p256- ECDSA with P-256 curve -
ecdsa-p384- ECDSA with P-384 curve -
ecdsa-p521- ECDSA with P-521 curve -
rsa-2048- RSA with 2048-bit keys -
rsa-3072- RSA with 3072-bit keys -
rsa-4096- RSA with 4096-bit keys
await vc.transit.enable({
mountPath: 'transit',
type: 'transit',
description: 'Transit secrets engine'
});await vc.transit.createKey({
mountPath: 'transit',
name: 'my-key',
type: 'aes256-gcm96',
exportable: true,
allow_plaintext_backup: true,
deletion_allowed: true
});// Encrypt
const plaintext = Buffer.from('Hello World').toString('base64');
const { data: encrypted } = await vc.transit.encrypt({
mountPath: 'transit',
name: 'my-key',
plaintext
});
// Decrypt
const { data: decrypted } = await vc.transit.decrypt({
mountPath: 'transit',
name: 'my-key',
ciphertext: encrypted.ciphertext
});
const originalData = Buffer.from(decrypted.plaintext, 'base64').toString();// Sign
const input = Buffer.from('Hello World').toString('base64');
const { data: signed } = await vc.transit.sign({
mountPath: 'transit',
name: 'my-key',
input
});
// Verify
const { data: verified } = await vc.transit.verify({
mountPath: 'transit',
name: 'my-key',
algorithm: 'ed25519',
input,
signature: signed.signature
});await vc.transit.createKey({
mountPath: 'transit',
name: 'my-key',
type: 'aes256-gcm96',
exportable: true,
allow_plaintext_backup: true,
deletion_allowed: true
});const { data: keyInfo, error } = await vc.transit.readKey({
mountPath: 'transit',
name: 'my-key'
});await vc.transit.updateKey({
mountPath: 'transit',
name: 'my-key',
min_decryption_version: 1,
min_encryption_version: 1,
deletion_allowed: true,
auto_rotate_period: '24h'
});await vc.transit.rotateKey({
mountPath: 'transit',
name: 'my-key'
});const { data: result, error } = await vc.transit.encrypt({
mountPath: 'transit',
name: 'my-key',
plaintext: Buffer.from('Hello World').toString('base64')
});const { data: result, error } = await vc.transit.decrypt({
mountPath: 'transit',
name: 'my-key',
ciphertext: result.data.ciphertext
});const { data: result, error } = await vc.transit.encrypt({
mountPath: 'transit',
name: 'my-key',
plaintext: '', // Required for single operation
batch_input: [
{ plaintext: Buffer.from('Message 1').toString('base64') },
{ plaintext: Buffer.from('Message 2').toString('base64') }
]
});const { data: result, error } = await vc.transit.sign({
mountPath: 'transit',
name: 'my-key',
input: Buffer.from('Hello World').toString('base64')
});const { data: result, error } = await vc.transit.verify({
mountPath: 'transit',
name: 'my-key',
algorithm: 'ed25519',
input: Buffer.from('Hello World').toString('base64'),
signature: result.data.signature
});const { data: result, error } = await vc.transit.hmac({
mountPath: 'transit',
name: 'my-key',
input: Buffer.from('Hello World').toString('base64'),
algorithm: 'sha2-256'
});const { data: result, error } = await vc.transit.verifyHmac({
mountPath: 'transit',
name: 'my-key',
algorithm: 'sha2-256',
input: Buffer.from('Hello World').toString('base64'),
hmac: result.data.hmac
});const { data: result, error } = await vc.transit.generateDataKey({
mountPath: 'transit',
name: 'my-key',
type: 'wrapped',
bits: 256
});const { data: result, error } = await vc.transit.generateDataKey({
mountPath: 'transit',
name: 'my-key',
type: 'plaintext',
bits: 256
});const { data: result, error } = await vc.transit.generateRandom({
mountPath: 'transit',
source: 'platform',
bytes: 32,
format: 'hex'
});const { data: result, error } = await vc.transit.hash({
mountPath: 'transit',
algorithm: 'sha2-256',
input: Buffer.from('Hello World').toString('base64'),
format: 'hex'
});const { data: result, error } = await vc.transit.exportKey({
mountPath: 'transit',
name: 'my-key',
type: 'encryption-key'
});const { data: result, error } = await vc.transit.backupKey({
mountPath: 'transit',
name: 'my-key'
});await vc.transit.restoreKey({
mountPath: 'transit',
name: 'my-key',
backup: result.data.backup
});await vc.transit.trimKey({
mountPath: 'transit',
name: 'my-key',
min_available_version: 2
});-
type: Key algorithm type -
exportable: Allow key export (default: false) -
allow_plaintext_backup: Allow plaintext backup (default: false) -
deletion_allowed: Allow key deletion (default: false) -
convergent_encryption: Enable convergent encryption (default: false) -
derived: Enable key derivation (default: false) -
auto_rotate_period: Automatic rotation period
-
min_decryption_version: Minimum version for decryption -
min_encryption_version: Minimum version for encryption -
deletion_allowed: Allow key deletion -
exportable: Allow key export -
allow_plaintext_backup: Allow plaintext backup -
auto_rotate_period: Automatic rotation period
- Key Rotation: Regularly rotate keys to limit exposure
- Access Control: Use Vault policies to control access to transit operations
- Audit Logging: Enable audit logging for all transit operations
- Key Export: Only enable key export when necessary
- Backup Security: Secure key backups with proper encryption
- Version Management: Use appropriate minimum versions for encryption/decryption
- Batch Operations: Use batch operations for multiple items
- Key Caching: Vault caches keys for better performance
- Connection Pooling: Reuse client connections
- Async Operations: Use async/await for non-blocking operations
async function transitWorkflow() {
try {
// 1. Enable transit engine
await vc.transit.enable({
mountPath: 'transit',
type: 'transit',
description: 'My transit engine'
});
// 2. Create a key
await vc.transit.createKey({
mountPath: 'transit',
name: 'my-key',
type: 'aes256-gcm96',
exportable: true
});
// 3. Encrypt some data
const plaintext = Buffer.from('Sensitive data').toString('base64');
const { data: encrypted } = await vc.transit.encrypt({
mountPath: 'transit',
name: 'my-key',
plaintext
});
console.log('Encrypted:', encrypted.ciphertext);
// 4. Decrypt the data
const { data: decrypted } = await vc.transit.decrypt({
mountPath: 'transit',
name: 'my-key',
ciphertext: encrypted.ciphertext
});
const originalData = Buffer.from(decrypted.plaintext, 'base64').toString();
console.log('Decrypted:', originalData);
// 5. Rotate the key
await vc.transit.rotateKey({
mountPath: 'transit',
name: 'my-key'
});
console.log('Key rotated successfully');
} catch (error) {
console.error('Transit workflow failed:', error);
}
}