Vaultx.Secrets.Transit (Vaultx v0.7.0)
View SourceUnified Transit secrets engine interface for HashiCorp Vault.
This module provides a comprehensive, enterprise-grade interface for the Transit secrets engine, offering encryption-as-a-service functionality with advanced key management, data encryption/decryption, digital signatures, HMAC operations, and cryptographically secure random data generation.
Enterprise Encryption-as-a-Service
- Advanced Key Management: Create, read, update, rotate, and securely delete encryption keys
- High-Performance Encryption: Symmetric and asymmetric encryption/decryption operations
- Digital Signature Services: Sign and verify data with industry-standard algorithms
- HMAC Authentication: Generate and verify HMAC signatures for data integrity
- Batch Operations: High-throughput batch processing for enterprise workloads
- Multi-Tenant Key Derivation: Context-based key derivation for secure multi-tenancy
- Convergent Encryption: Deterministic encryption for deduplication and storage efficiency
- Secure Random Generation: Cryptographically secure random data for enterprise applications
Usage Examples
# Key management
:ok = Vaultx.Secrets.Transit.create_key("my-app-key", "aes256-gcm96")
{:ok, key_info} = Vaultx.Secrets.Transit.read_key("my-app-key")
:ok = Vaultx.Secrets.Transit.rotate_key("my-app-key")
# Encryption operations
{:ok, result} = Vaultx.Secrets.Transit.encrypt("my-key", "dGVzdCBkYXRh")
{:ok, plaintext} = Vaultx.Secrets.Transit.decrypt("my-key", result.ciphertext)
# Digital signatures
{:ok, signature} = Vaultx.Secrets.Transit.sign("signing-key", "dGVzdCBkYXRh")
{:ok, valid} = Vaultx.Secrets.Transit.verify("signing-key", "dGVzdCBkYXRh", signature.signature)
# HMAC operations
{:ok, hmac} = Vaultx.Secrets.Transit.hmac("hmac-key", "dGVzdCBkYXRh")
{:ok, valid} = Vaultx.Secrets.Transit.verify_hmac("hmac-key", "dGVzdCBkYXRh", hmac.hmac)
# Random data generation
{:ok, random} = Vaultx.Secrets.Transit.generate_random(32)Configuration
# Enable Transit engine
vault secrets enable transit
# Enable at custom path
vault secrets enable -path=encryption transitKey Types
Symmetric Encryption
aes128-gcm96- AES-128 with GCM (96-bit nonce)aes256-gcm96- AES-256 with GCM (96-bit nonce, default)chacha20-poly1305- ChaCha20-Poly1305 AEAD
Asymmetric Encryption/Signing
rsa-2048,rsa-3072,rsa-4096- RSA keysecdsa-p256,ecdsa-p384,ecdsa-p521- ECDSA keysed25519- Ed25519 keys
Special Purpose
hmac- HMAC key generation and verification
Security Best Practices
- Use key derivation for multi-tenant applications
- Rotate keys regularly using the rotate_key function
- Use convergent encryption carefully (requires unique nonces)
- Always validate signatures and HMAC values
- Use appropriate key types for your use case
- Monitor key usage through telemetry events
API Compliance
Fully implements HashiCorp Vault Transit secrets engine:
Summary
Functions
Encrypts multiple plaintext items in a single request.
Re-encrypts ciphertext with the latest version of the named key.
Functions
Encrypts multiple plaintext items in a single request.
Parameters
key_name- The name of the encryption key to usebatch_items- List of items to encryptopts- Additional options
Returns
{:ok, results}- Batch encryption successful{:error, reason}- Batch encryption failed
Examples
iex> batch_items = [
...> %{plaintext: "dGVzdDE="},
...> %{plaintext: "dGVzdDI=", context: "Y29udGV4dA=="}
...> ]
iex> batch_encrypt("my-key", batch_items)
{:ok, [%{ciphertext: "vault:v1:...", key_version: 1}, ...]}Re-encrypts ciphertext with the latest version of the named key.
Parameters
key_name- The name of the encryption key to useciphertext- The ciphertext to rewrapopts- Additional options
Returns
{:ok, result}- Rewrap successful{:error, reason}- Rewrap failed
Examples
iex> rewrap("my-key", "vault:v1:old-ciphertext")
{:ok, %{ciphertext: "vault:v2:new-ciphertext", key_version: 2}}