org.springframework.vault.core

Interface VaultTransitOperations

All Known Implementing Classes:

VaultTransitTemplate

public interface VaultTransitOperations

Interface that specifies operations using the transit backend.

Author:

Mark Paluch, Sven Schürmann

See Also:

Transit Secret Backend

Method Summary

Modifier and Type	Method and Description
void	configureKey(String keyName, VaultTransitKeyConfiguration keyConfiguration) Create a new named encryption key given a name.
void	createKey(String keyName) Create a new named encryption key given a name.
void	createKey(String keyName, VaultTransitKeyCreationRequest createKeyRequest) Create a new named encryption key given a name and VaultTransitKeyCreationRequest.
String	decrypt(String keyName, String ciphertext) Decrypts the provided plaintext using the named key.
byte[]	decrypt(String keyName, String ciphertext, VaultTransitContext transitContext) Decrypts the provided plaintext using the named key.
void	deleteKey(String keyName) Deletes a named encryption key.
String	encrypt(String keyName, byte[] plaintext, VaultTransitContext transitRequest) Encrypts the provided plaintext using the named key.
String	encrypt(String keyName, String plaintext) Encrypts the provided plaintext using the named key.
RawTransitKey	exportKey(String keyName, TransitKeyType type) Returns the value of the named encryption key.
VaultTransitKey	getKey(String keyName) Return information about a named encryption key.
List<String>	getKeys() Get a List of transit key names.
String	rewrap(String keyName, String ciphertext) Rewrap the provided ciphertext using the latest version of the named key.
String	rewrap(String keyName, String ciphertext, VaultTransitContext transitContext) Rewrap the provided ciphertext using the latest version of the named key.
void	rotate(String keyName) Rotates the version of the named key.

Method Detail

createKey

void createKey(String keyName)

Create a new named encryption key given a name.

Parameters:

keyName - must not be empty or null.

createKey

void createKey(String keyName,
               VaultTransitKeyCreationRequest createKeyRequest)

Create a new named encryption key given a name and VaultTransitKeyCreationRequest. The key options set here cannot be changed after key creation.

Parameters:

keyName - must not be empty or null.

createKeyRequest - must not be null.

getKeys

List<String> getKeys()

Get a List of transit key names.

Returns:

List of transit key names.

configureKey

void configureKey(String keyName,
                  VaultTransitKeyConfiguration keyConfiguration)

Create a new named encryption key given a name.

Parameters:

keyName - must not be empty or null.

keyConfiguration - must not be null.

exportKey

@Nullable
RawTransitKey exportKey(String keyName,
                                  TransitKeyType type)

Returns the value of the named encryption key. Depending on the type of key, different information may be returned. The key must be exportable to support this operation.

Parameters:

keyName - must not be empty or null.

type - must not be null.

Returns:

the RawTransitKey.

getKey

@Nullable
VaultTransitKey getKey(String keyName)

Return information about a named encryption key.

Parameters:

keyName - must not be empty or null.

Returns:

the VaultTransitKey.

deleteKey

void deleteKey(String keyName)

Deletes a named encryption key. It will no longer be possible to decrypt any data encrypted with the named key.

Parameters:

keyName - must not be empty or null.

rotate

void rotate(String keyName)

Rotates the version of the named key. After rotation, new plaintext requests will be encrypted with the new version of the key. To upgrade ciphertext to be encrypted with the latest version of the key, use rewrap(String, String).

Parameters:

keyName - must not be empty or null.

See Also:

rewrap(String, String)

encrypt

String encrypt(String keyName,
               String plaintext)

Encrypts the provided plaintext using the named key.

Parameters:

keyName - must not be empty or null.

plaintext - must not be empty or null.

Returns:

cipher text.

encrypt

String encrypt(String keyName,
               byte[] plaintext,
               VaultTransitContext transitRequest)

Encrypts the provided plaintext using the named key.

Parameters:

keyName - must not be empty or null.

plaintext - must not be empty or null.

transitRequest - must not be null. Use VaultTransitContext.empty() if no request options provided.

Returns:

cipher text.

decrypt

String decrypt(String keyName,
               String ciphertext)

Decrypts the provided plaintext using the named key.

Parameters:

keyName - must not be empty or null.

ciphertext - must not be empty or null.

Returns:

plain text.

decrypt

byte[] decrypt(String keyName,
               String ciphertext,
               VaultTransitContext transitContext)

Decrypts the provided plaintext using the named key.

Parameters:

keyName - must not be empty or null.

ciphertext - must not be empty or null.

transitContext - must not be null. Use VaultTransitContext.empty() if no request options provided.

Returns:

cipher text.

rewrap

String rewrap(String keyName,
              String ciphertext)

Rewrap the provided ciphertext using the latest version of the named key. Because this never returns plaintext, it is possible to delegate this functionality to untrusted users or scripts.

Parameters:

keyName - must not be empty or null.

ciphertext - must not be empty or null.

Returns:

cipher text.

See Also:

rotate(String)

rewrap

String rewrap(String keyName,
              String ciphertext,
              VaultTransitContext transitContext)

Rewrap the provided ciphertext using the latest version of the named key. Because this never returns plaintext, it is possible to delegate this functionality to untrusted users or scripts.

Parameters:

keyName - must not be empty or null.

ciphertext - must not be empty or null.

transitContext - must not be null. Use VaultTransitContext.empty() if no request options provided.

Returns:

cipher text.

See Also:

rotate(String)