[Vault] Convergent Encryption in Vault

Hi there.

I’m new to Vault and have some questions.

Q1) Why does Convergent Encryption work without the Nonce parameter (I omit Nonce in my REST API request)?

Q2) Is it because my convergent key is Version 3?

Q3) Does a Version 3 convergent key generate the Nonce using the context or the plaintext?

Q4) So can I omit the Nonce parameter in Convergent Encryption?

Q5) Can I use the Context parameter like below?

  • Context = SHA256($hiddenConstantValue)

Q6) vault read transit/keys/$endpoint, convergent_encryption_version returns -1 in my request. Who knows why?

Thanks in advance for the reply.
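The behaviour behind Q3 to Q5, as an added illustration in Go that is not Vault's code: a per-context key and a nonce derived from the context and the plaintext, so no nonce parameter is needed, and the same plaintext under the same context always yields the same ciphertext. That is also why a single constant context such as SHA256($hiddenConstantValue) makes every equal plaintext recognisable as equal everywhere, while distinct contexts keep records apart. The HMAC-based derivations, the sample key and the sample plaintext are constructed assumptions modelled on the scheme Vault's transit docs describe, not Vault's implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// deriveKey stands in for Vault's per-context key derivation (derived=true):
// the master key never encrypts directly, each context gets its own AES-256 key.
func deriveKey(master, context []byte) []byte {
	h := hmac.New(sha256.New, master)
	h.Write(context)
	return h.Sum(nil)
}

// deriveNonce makes the nonce a function of context and plaintext instead of
// a random value; that determinism is what makes the scheme convergent.
func deriveNonce(context, plaintext []byte, size int) []byte {
	h := hmac.New(sha256.New, context)
	h.Write(plaintext)
	return h.Sum(nil)[:size]
}

// ConvergentEncrypt returns hex(nonce || AES-GCM ciphertext); the caller
// supplies a context, never a nonce.
func ConvergentEncrypt(master, context, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(deriveKey(master, context))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := deriveNonce(context, plaintext, gcm.NonceSize())
	return hex.EncodeToString(append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...)), nil
}

func main() {
	master := []byte("0123456789abcdef0123456789abcdef") // constructed demo key
	pan := []byte("4111111111111111")                     // constructed sample plaintext
	a, _ := ConvergentEncrypt(master, []byte("orders"), pan)
	b, _ := ConvergentEncrypt(master, []byte("orders"), pan)
	c, _ := ConvergentEncrypt(master, []byte("users"), pan)
	fmt.Println("same context  -> equal ciphertext:", a == b) // true: lookups and dedupe work
	fmt.Println("other context -> equal ciphertext:", a == c) // false: contexts partition data
}
```

Whether a constant context is acceptable therefore depends on whether you want equality of plaintexts to be visible across your whole data set or only within one context.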

I think the docs answer most of your questions, have you read this?



Thanks for your reply.

Yep, I read it. It’s enough to answer Q1, 2, 3, and 4.

I wish to know “Is it ok to do it like Q5?”
Does the context need to be a variable value?


Anyone who knows Q6? Could you please answer me?

That’s invalid syntax. I don’t think any Vault CLI takes a comma (,).
What are you trying to read?

I wish to know my Key’s Convergent Encryption Version.

vault read transit/keys/$endpoint << returns the Key Information (Key Meta-Data)

and convergent_encryption_version is in the returned message (Key Information).

In my case convergent_encryption_version is “-1”, not 1, 2 or 3.