Public private key encryption as a service?

Hello, I’m a bit lost and would like to know if it’s possible to do something like this using Vault.

Server asks Vault to generate public and private key pair.
Vault returns Public key to Server.
Server sends Public key to Its Client.
Client encodes data for the public key and sends it to Server.
Server stores encoded data in DB.
Other Process asks Vault to decrypt the data.

Only the Process should have permission to decode data.


This is a confusing question as you don’t define what a server or client are … Also Vault by default doesn’t have an engine that could create a public private key pair. I’m sure someone has or can create a plugin for it though.

For the rest of it … you can look into is the transit engine, which is a SaaS for encryption and decryption.

Server is web server and Client is frontend app (web, mobile, native). Process is some kind of worker.

Tho it doesn’t really matter who Client. Client has communication channel with Server.

As long as Vault can generate Public/Private key pair and not expose private key to Server but expose to Process then My issue is resolved.

Can you recommend any resource on how to create your own plugin?

Also transit engine documentation has mentions of public key but don’t quite see which operations I should perform to do what I need.

The basic purpose of the transit secrets engine can be summed up as “store keys and perform operations using them on request, subject to permissions defined in Vault policies - but never allow those keys outside of Vault”.

This isn’t exactly what you’ve asked for, but might be an alternative implementation you could use.

Alternatively, it is possible this third-party Vault plugin might be of use to you: GitHub - LeSuisse/vault-gpg-plugin: "Transit like" secret backend plugin for PGP/GPG in Hashicorp Vault

The “public key” that is mentioned in the docs isn’t a “priv/pub key pair” That’s a shareable encrypted value that you can send across to someone else who has access to the same Vault cluster that can then decrypt the key into the original value. It isn’t considered a secret in that form.

No it isn’t. It’s the unencrypted public key.

This endpoint returns information about a named encryption key. The keys object shows the creation time of each key version; the values are not the keys themselves. Depending on the type of key, different information may be returned, e.g. an asymmetric key will return its public key in a standard format for the type.

Doesn’t this mean that read key can be used to get public key?

Yes, you can get the public key of asymmetric keypairs via that API.

There’s also the export API for private keys (only if the keys are marked exportable).

You’re right. I had forgotten that it did show that in the json. All of our use cases have been same cluster between groups/namespaces.

Thanks for help!