Hi all!
I’ve been testing this API from a fresh instance with the official Docker image, and when using the endpoint for encryption, if the key provided doesn’t exist, a new aes256-gcm96 key is created with the provided name. I can’t find any section in the documentation that refers to this behaviour. Could you point at it for me, please? Can it be changed to throw an error if the key doesn’t exist or I must check if the key exist every time I must encrypt/decrypt?
Thanks!
https://developer.hashicorp.com/vault/api-docs/secret/transit#encrypt-data:
This endpoint encrypts the provided plaintext using the named key. This path supports the
createandupdatepolicy capabilities as follows: if the user has thecreatecapability for this endpoint in their policies, and the key does not exist, it will be upserted with default values (whether the key requires derivation depends on whether the context parameter is empty or not). If the user only hasupdatecapability and the key does not exist, an error will be returned.
Thanks @maxb! I missed it.