Transit Engine Convergent Encryption with BYOK

matthew.smith · July 30, 2025, 9:44pm

I’m trying to use convergent AES-GCM encryption to provide an IV (nonce) generated in our application to send to be encrypted in the Vault transit engine. Using the python hvac lib, I keep seeing the following error when I attempt to specify the plaintext, nonce, and enable convergent encryption:
hvac.exceptions.InvalidRequest: provided nonce not allowed for this key

During the import process, I’m not seeing the ability to specify convergent_encryption for the imported key using the /transit/keys/:name/import endpoint, while it is available for the /transit/keys/:name endpoint
Reference:

I did also see this bulletin discussing user-provided nonces without specifying convergent encryption:

Am I able to import a key and allow it to be used with convergent encryption?

jonathanfrappier · August 4, 2025, 2:54pm

Have you tried importing, then using the /transit/keys/:name to enable convergent encryption?

matthew.smith · August 4, 2025, 4:24pm

That endpoint fails if a key already exists with that name, unfortunately.

jonathanfrappier · August 4, 2025, 5:33pm

Okay - asked around and yea, looks like convergent is not supported on import:

github.com/hashicorp/vault

builtin/logical/transit/path_import.go

fb6982b5e


      
          	name := d.Get("name").(string)
          	derived := d.Get("derived").(bool)
          	keyType := d.Get("type").(string)
          	exportable := d.Get("exportable").(bool)
          	allowPlaintextBackup := d.Get("allow_plaintext_backup").(bool)
          	autoRotatePeriod := time.Second * time.Duration(d.Get("auto_rotate_period").(int))
          	allowRotation := d.Get("allow_rotation").(bool)
          
          	// Ensure the caller didn't supply "convergent_encryption" as a field, since it's not supported on import.
          	if _, ok := d.Raw["convergent_encryption"]; ok {
          		return nil, errors.New("import cannot be used on keys with convergent encryption enabled")
          	}
          
          	if autoRotatePeriod > 0 && !allowRotation {
          		return nil, errors.New("allow_rotation must be set to true if auto-rotation is enabled")
          	}
          
          	// Ensure that at least on `key` field has been set
          	isCiphertextSet, err := checkKeyFieldsSet(d)
          	if err != nil {
          		return nil, err

matthew.smith · August 4, 2025, 5:54pm

Copy that, appreciate the quick response!

jonathanfrappier · August 4, 2025, 6:02pm

Engineer I was chatting with also confirmed there are limitations on doing this, so probably not worth an FR.

Topic		Replies	Views
[Vault]Convergent Encryption in Vault Vault	4	1064	July 12, 2021
HCSEC-2023-28 - Vault’s Transit Secrets Engine Allowed Nonce Specified without Convergent Encryption Security security-vault	0	8476	September 14, 2023
Version of convergent encryption Vault	2	620	July 9, 2021
What is the Vault ciphertext format (in case I want to parse it)? Vault	9	6759	November 12, 2019
Importing pre-existing rsa-4096 key as a transit key Vault	0	371	July 1, 2021

Transit Engine Convergent Encryption with BYOK

Related topics