Interface VaultTransitOperations

All Known Implementing Classes:
VaultTransitTemplate

public interface VaultTransitOperations
Interface that specifies operations using the transit backend.
Author:
Mark Paluch, Sven Schürmann, Praveendra Singh, Luander Ribeiro
See Also:
  • Method Details

    • createKey

      void createKey(String keyName)
      Create a new named encryption key given a name.
      Parameters:
      keyName - must not be empty or null.
    • createKey

      void createKey(String keyName, VaultTransitKeyCreationRequest createKeyRequest)
      Create a new named encryption key given a name and VaultTransitKeyCreationRequest. The key options set here cannot be changed after key creation.
      Parameters:
      keyName - must not be empty or null.
      createKeyRequest - must not be null.
    • getKeys

      List<String> getKeys()
      Get a List of transit key names.
      Returns:
      List of transit key names.
    • configureKey

      void configureKey(String keyName, VaultTransitKeyConfiguration keyConfiguration)
      Create a new named encryption key given a name.
      Parameters:
      keyName - must not be empty or null.
      keyConfiguration - must not be null.
    • exportKey

      @Nullable RawTransitKey exportKey(String keyName, TransitKeyType type)
      Returns the value of the named encryption key. Depending on the type of key, different information may be returned. The key must be exportable to support this operation.
      Parameters:
      keyName - must not be empty or null.
      type - must not be null.
      Returns:
      the RawTransitKey.
    • getKey

      @Nullable VaultTransitKey getKey(String keyName)
      Return information about a named encryption key.
      Parameters:
      keyName - must not be empty or null.
      Returns:
      the VaultTransitKey.
    • deleteKey

      void deleteKey(String keyName)
      Deletes a named encryption key. It will no longer be possible to decrypt any data encrypted with the named key.
      Parameters:
      keyName - must not be empty or null.
    • rotate

      void rotate(String keyName)
      Rotates the version of the named key. After rotation, new plain text requests will be encrypted with the new version of the key. To upgrade ciphertext to be encrypted with the latest version of the key, use rewrap(String, String).
      Parameters:
      keyName - must not be empty or null.
      See Also:
    • encrypt

      String encrypt(String keyName, String plaintext)
      Encrypts the provided plain text using the named key. The given plaintext is encoded into bytes using the default charset. Use encrypt(String, org.springframework.vault.support.Plaintext) to construct a Plaintext object from bytes to avoid Charset mismatches.
      Parameters:
      keyName - must not be empty or null.
      plaintext - must not be empty or null.
      Returns:
      cipher text.
    • encrypt

      Ciphertext encrypt(String keyName, Plaintext plaintext)
      Encrypts the provided plaintext using the named key.
      Parameters:
      keyName - must not be empty or null.
      plaintext - must not be null.
      Returns:
      cipher text.
      Since:
      1.1
    • encrypt

      String encrypt(String keyName, byte[] plaintext, VaultTransitContext transitRequest)
      Encrypts the provided plaintext using the named key.
      Parameters:
      keyName - must not be empty or null.
      plaintext - must not be empty or null.
      transitRequest - must not be null. Use VaultTransitContext.empty() if no request options provided.
      Returns:
      cipher text.
    • encrypt

      List<VaultEncryptionResult> encrypt(String keyName, List<Plaintext> batchRequest)
      Encrypts the provided batch of plaintext using the named key and context. The encryption is done using transit backend's batch operation.
      Parameters:
      keyName - must not be empty or null.
      batchRequest - a list of Plaintext which includes plain text and an optional context.
      Returns:
      the encrypted result in the order of batchRequest plaintexts.
      Since:
      1.1
    • decrypt

      String decrypt(String keyName, String ciphertext)
      Decrypts the provided plain text using the named key. The decoded plaintext is decoded into String the default charset. Use decrypt(String, org.springframework.vault.support.Ciphertext) to obtain a Ciphertext object that allows to control the Charset for later consumption.
      Parameters:
      keyName - must not be empty or null.
      ciphertext - must not be empty or null.
      Returns:
      plain text.
    • decrypt

      Plaintext decrypt(String keyName, Ciphertext ciphertext)
      Decrypts the provided cipher text using the named key.
      Parameters:
      keyName - must not be empty or null.
      ciphertext - must not be null.
      Returns:
      plain text.
      Since:
      1.1
    • decrypt

      byte[] decrypt(String keyName, String ciphertext, VaultTransitContext transitContext)
      Decrypts the provided ciphertext using the named key.
      Parameters:
      keyName - must not be empty or null.
      ciphertext - must not be empty or null.
      transitContext - must not be null. Use VaultTransitContext.empty() if no request options provided.
      Returns:
      cipher text.
    • decrypt

      List<VaultDecryptionResult> decrypt(String keyName, List<Ciphertext> batchRequest)
      Decrypts the provided barch of cipher text using the named key and context. The* decryption is done using transit backend's batch operation.
      Parameters:
      keyName - must not be empty or null.
      batchRequest - a list of Ciphertext which includes plain text and an optional context.
      Returns:
      the decrypted result in the order of batchRequest ciphertexts.
      Since:
      1.1
    • rewrap

      String rewrap(String keyName, String ciphertext)
      Rewrap the provided cipher text using the latest version of the named key. Because this never returns plain text, it is possible to delegate this functionality to untrusted users or scripts.
      Parameters:
      keyName - must not be empty or null.
      ciphertext - must not be empty or null.
      Returns:
      cipher text.
      See Also:
    • rewrap

      String rewrap(String keyName, String ciphertext, VaultTransitContext transitContext)
      Rewrap the provided cipher text using the latest version of the named key. Because this never returns plain text, it is possible to delegate this functionality to untrusted users or scripts.
      Parameters:
      keyName - must not be empty or null.
      ciphertext - must not be empty or null.
      transitContext - must not be null. Use VaultTransitContext.empty() if no request options provided.
      Returns:
      cipher text.
      See Also:
    • getHmac

      Hmac getHmac(String keyName, Plaintext plaintext)
      Create a HMAC using keyName of given Plaintext using the default hash algorithm. The key can be of any type supported by transit; the raw key will be marshaled into bytes to be used for the HMAC function. If the key is of a type that supports rotation, the latest (current) version will be used.
      Parameters:
      keyName - must not be empty or null.
      plaintext - must not be null.
      Returns:
      the digest of given data the default hash algorithm and the named key.
      Since:
      2.0
    • getHmac

      Hmac getHmac(String keyName, VaultHmacRequest request)
      Create a HMAC using keyName of given VaultHmacRequest using the default hash algorithm. The key can be of any type supported by transit; the raw key will be marshaled into bytes to be used for the HMAC function. If the key is of a type that supports rotation, configured VaultHmacRequest.getKeyVersion() will be used.
      Parameters:
      keyName - must not be empty or null.
      request - the VaultHmacRequest, must not be null.
      Returns:
      the digest of given data the default hash algorithm and the named key.
      Since:
      2.0
    • sign

      Signature sign(String keyName, Plaintext plaintext)
      Create a cryptographic signature using keyName of the given Plaintext and the default hash algorithm. The key must be of a type that supports signing.
      Parameters:
      keyName - must not be empty or null.
      plaintext - must not be empty or null.
      Returns:
      Signature for Plaintext.
      Since:
      2.0
    • sign

      Signature sign(String keyName, VaultSignRequest request)
      Create a cryptographic signature using keyName of the given VaultSignRequest and the specified hash algorithm. The key must be of a type that supports signing.
      Parameters:
      keyName - must not be empty or null.
      request - VaultSignRequest must not be empty or null.
      Returns:
      Signature for VaultSignRequest.
      Since:
      2.0
    • verify

      boolean verify(String keyName, Plaintext plaintext, Signature signature)
      Verify the cryptographic signature using keyName of the given Plaintext and Signature.
      Parameters:
      keyName - must not be empty or null.
      plaintext - must not be null.
      signature - Signature to be verified, must not be null.
      Returns:
      true if the signature is valid, false otherwise.
      Since:
      2.0
    • verify

      Verify the cryptographic signature using keyName of the given VaultSignRequest.
      Parameters:
      keyName - must not be empty or null.
      request - VaultSignatureVerificationRequest must not be null.
      Returns:
      the resulting SignatureValidation.
      Since:
      2.0