org.springframework.vault.core

Interface VaultTransitOperations

All Known Implementing Classes:

VaultTransitTemplate

public interface VaultTransitOperations

Interface that specifies operations using the transit backend.

Author:

Mark Paluch, Sven Schürmann, Praveendra Singh, Luander Ribeiro

See Also:

Transit Secret Backend

Method Summary

Modifier and Type	Method and Description
void	configureKey(String keyName, VaultTransitKeyConfiguration keyConfiguration) Create a new named encryption key given a name.
void	createKey(String keyName) Create a new named encryption key given a name.
void	createKey(String keyName, VaultTransitKeyCreationRequest createKeyRequest) Create a new named encryption key given a name and VaultTransitKeyCreationRequest.
Plaintext	decrypt(String keyName, Ciphertext ciphertext) Decrypts the provided plaintext using the named key.
List<VaultDecryptionResult>	decrypt(String keyName, List<Ciphertext> batchRequest) Decrypts the provided barch of ciphertext using the named key and context.
String	decrypt(String keyName, String ciphertext) Decrypts the provided plaintext using the named key.
byte[]	decrypt(String keyName, String ciphertext, VaultTransitContext transitContext) Decrypts the provided plaintext using the named key.
void	deleteKey(String keyName) Deletes a named encryption key.
String	encrypt(String keyName, byte[] plaintext, VaultTransitContext transitRequest) Encrypts the provided plaintext using the named key.
List<VaultEncryptionResult>	encrypt(String keyName, List<Plaintext> batchRequest) Encrypts the provided batch of plaintext using the named key and context.
Ciphertext	encrypt(String keyName, Plaintext plaintext) Encrypts the provided plaintext using the named key.
String	encrypt(String keyName, String plaintext) Encrypts the provided plaintext using the named key.
RawTransitKey	exportKey(String keyName, TransitKeyType type) Returns the value of the named encryption key.
Hmac	getHmac(String keyName, Plaintext plaintext) Create a HMAC using keyName of given Plaintext using the default hash algorithm.
Hmac	getHmac(String keyName, VaultHmacRequest request) Create a HMAC using keyName of given VaultHmacRequest using the default hash algorithm.
VaultTransitKey	getKey(String keyName) Return information about a named encryption key.
List<String>	getKeys() Get a List of transit key names.
String	rewrap(String keyName, String ciphertext) Rewrap the provided ciphertext using the latest version of the named key.
String	rewrap(String keyName, String ciphertext, VaultTransitContext transitContext) Rewrap the provided ciphertext using the latest version of the named key.
void	rotate(String keyName) Rotates the version of the named key.
Signature	sign(String keyName, Plaintext plaintext) Create a cryptographic signature using keyName of the given Plaintext and the default hash algorithm.
Signature	sign(String keyName, VaultSignRequest request) Create a cryptographic signature using keyName of the given VaultSignRequest and the specified hash algorithm.
boolean	verify(String keyName, Plaintext plaintext, Signature signature) Verify the cryptographic signature using keyName of the given Plaintext and Signature.
SignatureValidation	verify(String keyName, VaultSignatureVerificationRequest request) Verify the cryptographic signature using keyName of the given VaultSignRequest.

Method Detail

createKey

void createKey(String keyName)

Create a new named encryption key given a name.

Parameters:

keyName - must not be empty or null.

createKey

void createKey(String keyName,
               VaultTransitKeyCreationRequest createKeyRequest)

Create a new named encryption key given a name and VaultTransitKeyCreationRequest. The key options set here cannot be changed after key creation.

Parameters:

keyName - must not be empty or null.

createKeyRequest - must not be null.

getKeys

List<String> getKeys()

Get a List of transit key names.

Returns:

List of transit key names.

configureKey

void configureKey(String keyName,
                  VaultTransitKeyConfiguration keyConfiguration)

Create a new named encryption key given a name.

Parameters:

keyName - must not be empty or null.

keyConfiguration - must not be null.

exportKey

@Nullable
RawTransitKey exportKey(String keyName,
                                  TransitKeyType type)

Returns the value of the named encryption key. Depending on the type of key, different information may be returned. The key must be exportable to support this operation.

Parameters:

keyName - must not be empty or null.

type - must not be null.

Returns:

the RawTransitKey.

getKey

@Nullable
VaultTransitKey getKey(String keyName)

Return information about a named encryption key.

Parameters:

keyName - must not be empty or null.

Returns:

the VaultTransitKey.

deleteKey

void deleteKey(String keyName)

Deletes a named encryption key. It will no longer be possible to decrypt any data encrypted with the named key.

Parameters:

keyName - must not be empty or null.

rotate

void rotate(String keyName)

Rotates the version of the named key. After rotation, new plaintext requests will be encrypted with the new version of the key. To upgrade ciphertext to be encrypted with the latest version of the key, use rewrap(String, String).

Parameters:

keyName - must not be empty or null.

See Also:

rewrap(String, String)

encrypt

String encrypt(String keyName,
               String plaintext)

Encrypts the provided plaintext using the named key.

Parameters:

keyName - must not be empty or null.

plaintext - must not be empty or null.

Returns:

cipher text.

encrypt

Ciphertext encrypt(String keyName,
                   Plaintext plaintext)

Encrypts the provided plaintext using the named key.

Parameters:

keyName - must not be empty or null.

plaintext - must not be null.

Returns:

cipher text.

Since:

1.1

encrypt

String encrypt(String keyName,
               byte[] plaintext,
               VaultTransitContext transitRequest)

Encrypts the provided plaintext using the named key.

Parameters:

keyName - must not be empty or null.

plaintext - must not be empty or null.

transitRequest - must not be null. Use VaultTransitContext.empty() if no request options provided.

Returns:

cipher text.

encrypt

List<VaultEncryptionResult> encrypt(String keyName,
                                    List<Plaintext> batchRequest)

Encrypts the provided batch of plaintext using the named key and context. The encryption is done using transit backend's batch operation.

Parameters:

keyName - must not be empty or null.

batchRequest - a list of Plaintext which includes plaintext and an optional context.

Returns:

the encrypted result in the order of batchRequest plaintexts.

Since:

1.1

decrypt

String decrypt(String keyName,
               String ciphertext)

Decrypts the provided plaintext using the named key.

Parameters:

keyName - must not be empty or null.

ciphertext - must not be empty or null.

Returns:

plain text.

decrypt

Plaintext decrypt(String keyName,
                  Ciphertext ciphertext)

Decrypts the provided plaintext using the named key.

Parameters:

keyName - must not be empty or null.

ciphertext - must not be null.

Returns:

plain text.

Since:

1.1

decrypt

byte[] decrypt(String keyName,
               String ciphertext,
               VaultTransitContext transitContext)

Decrypts the provided plaintext using the named key.

Parameters:

keyName - must not be empty or null.

ciphertext - must not be empty or null.

transitContext - must not be null. Use VaultTransitContext.empty() if no request options provided.

Returns:

cipher text.

decrypt

List<VaultDecryptionResult> decrypt(String keyName,
                                    List<Ciphertext> batchRequest)

Decrypts the provided barch of ciphertext using the named key and context. The* decryption is done using transit backend's batch operation.

Parameters:

keyName - must not be empty or null.

batchRequest - a list of Ciphertext which includes plaintext and an optional context.

Returns:

the decrypted result in the order of batchRequest ciphertexts.

Since:

1.1

rewrap

String rewrap(String keyName,
              String ciphertext)

Rewrap the provided ciphertext using the latest version of the named key. Because this never returns plaintext, it is possible to delegate this functionality to untrusted users or scripts.

Parameters:

keyName - must not be empty or null.

ciphertext - must not be empty or null.

Returns:

cipher text.

See Also:

rotate(String)

rewrap

String rewrap(String keyName,
              String ciphertext,
              VaultTransitContext transitContext)

Rewrap the provided ciphertext using the latest version of the named key. Because this never returns plaintext, it is possible to delegate this functionality to untrusted users or scripts.

Parameters:

keyName - must not be empty or null.

ciphertext - must not be empty or null.

transitContext - must not be null. Use VaultTransitContext.empty() if no request options provided.

Returns:

cipher text.

See Also:

rotate(String)

getHmac

Hmac getHmac(String keyName,
             Plaintext plaintext)

Create a HMAC using keyName of given Plaintext using the default hash algorithm. The key can be of any type supported by transit; the raw key will be marshaled into bytes to be used for the HMAC function. If the key is of a type that supports rotation, the latest (current) version will be used.

Parameters:

keyName - must not be empty or null.

plaintext - must not be null.

Returns:

the digest of given data the default hash algorithm and the named key.

Since:

2.0

getHmac

Hmac getHmac(String keyName,
             VaultHmacRequest request)

Create a HMAC using keyName of given VaultHmacRequest using the default hash algorithm. The key can be of any type supported by transit; the raw key will be marshaled into bytes to be used for the HMAC function. If the key is of a type that supports rotation, configured VaultHmacRequest.getKeyVersion() will be used.

Parameters:

keyName - must not be empty or null.

request - the VaultHmacRequest, must not be null.

Returns:

the digest of given data the default hash algorithm and the named key.

Since:

2.0

sign

Signature sign(String keyName,
               Plaintext plaintext)

Create a cryptographic signature using keyName of the given Plaintext and the default hash algorithm. The key must be of a type that supports signing.

Parameters:

keyName - must not be empty or null.

plaintext - must not be empty or null.

Returns:

Signature for Plaintext.

Since:

2.0

sign

Signature sign(String keyName,
               VaultSignRequest request)

Create a cryptographic signature using keyName of the given VaultSignRequest and the specified hash algorithm. The key must be of a type that supports signing.

Parameters:

keyName - must not be empty or null.

request - VaultSignRequest must not be empty or null.

Returns:

Signature for VaultSignRequest.

Since:

2.0

verify

boolean verify(String keyName,
               Plaintext plaintext,
               Signature signature)

Verify the cryptographic signature using keyName of the given Plaintext and Signature.

Parameters:

keyName - must not be empty or null.

plaintext - must not be null.

signature - Signature to be verified, must not be null.

Returns:

true if the signature is valid, false otherwise.

Since:

2.0

verify

SignatureValidation verify(String keyName,
                           VaultSignatureVerificationRequest request)

Verify the cryptographic signature using keyName of the given VaultSignRequest.

Parameters:

keyName - must not be empty or null.

request - VaultSignatureVerificationRequest must not be null.

Returns:

the resulting SignatureValidation.

Since:

2.0