Encryption as a Service - with my uploaded public key

I have uploaded a private key and a public key into Vault with the intention of using them for encryption and decryption, but I could not find any documentation in this regard. I am able to encrypt and decrypt with a transit key generated within Vault. I am looking for a similar solution but with the keys uploaded into Vault. Please advise.

I don’t believe this is possible with the built-in secrets engines.

With Transit you could do the opposite (create a key and export it), but then you run into repudiation issues in that you cannot track all decryption activity for that particular key.

You could potentially try the restore method but I don’t know if that would work.

In general I would advise against importing a known key to continue encrypting data as you have no guarantee that nobody/nothing else has seen or obtained a copy of that key, which could impact the confidentiality of your secrets.

Thank you for taking the time to reply. I agree with you, there is a risk in uploading a private key generated outside of Vault. We would look at using Transit. However, I see an issue with Transit: when the public is exported from Transit, I had the following issues