
VaultTransitOperations.decrypt returns a strange string where the plaintext of the data key is expected. #686

Open
kyupid opened this issue Mar 31, 2023 · 1 comment

kyupid commented Mar 31, 2023

Describe the bug
I'm using Spring Cloud Vault to test decryption through Transit engine.

If I simply encrypt a string like "hello world" in the Transit engine and send the cipher text to VaultTransitOperations.decrypt, I can see hello world normally.

However, if I create a data key and put the received cipher text into VaultTransitOperations.decrypt and execute it, it responds with a strange string.

I don't know what else to do, so I'm reporting it here.

Sample

Test the cipher text received by encrypting hello world through the transit engine. (screenshot: 2023-03-31_19-01-05)

Test the cipher text received by generating a data key through the transit engine. The expected value is the plain text of the data key. (screenshot: 2023-03-31_19-02-32)

nbaars commented Jul 4, 2023

@kyupid I'm assuming you are referring to https://developer.hashicorp.com/vault/api-docs/secret/transit#generate-data-key?

In that case, you receive plaintext and cipher text as a response from Vault. You can encrypt the data with that plain text key. You can store the cipher text version of the key with the data. Once you want to decrypt it, you ask Vault to decrypt the cipher text of the key to receive the plaintext version of the key. With this key, you can decrypt the data again.

The use case is when you want to encrypt a large amount of data, say 2Gb: you don't want to send it all to Vault to receive the cipher text. In that case, using a data key would work, where you only ask Vault for a key to be used to encrypt the data yourself (in code).
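The envelope-encryption flow described in the comment above, as an added example that is not part of this issue or of Spring Vault: a local `kek` stands in for the transit key that never leaves Vault (an assumption so the code runs offline), and AES-256-GCM is used both for wrapping the data key and for the application-side encryption. Note that unwrapping the data key returns 32 random key bytes, not text, which is why rendering that result as a string looks like garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what the application stores: the locally encrypted data plus the data key in the wrapped ("ciphertext") form Vault returns.
type Envelope struct{ WrappedKey, Data []byte }
// aead builds AES-256-GCM for a 32-byte key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal encrypts with a fresh random nonce prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, nil), nil
}
// open reverses seal; a wrong key or a tampered byte fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil { return nil, err }
	n := g.NonceSize()
	if len(sealed) < n { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}
// EnvelopeEncrypt: kek stands in for Vault's transit key (constructed for this offline example).
// A fresh 32-byte data key encrypts the data locally; only its wrapped form is kept.
func EnvelopeEncrypt(kek, data []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return Envelope{}, err }
	wrapped, err := seal(kek, dek) // what Vault hands back as the key's "ciphertext"
	if err != nil { return Envelope{}, err }
	ct, err := seal(dek, data) // done in application code, never sent to Vault
	if err != nil { return Envelope{}, err }
	return Envelope{WrappedKey: wrapped, Data: ct}, nil
}
// EnvelopeDecrypt: unwrapping yields the raw key bytes (the "strange string" when printed), which then decrypt the data locally.
func EnvelopeDecrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedKey)
	if err != nil { return nil, err }
	return open(dek, env.Data)
}
```

In the real flow `seal(kek, dek)` and `open(kek, ...)` are the generate-data-key and decrypt calls to the transit engine; everything else stays in the application.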
