Hi Bruno,
Meeting those kinds of needs in transit is definitely on our roadmap. I can't go into specifics now, but more features will be starting to appear in transit. In 0.6.1 we have convergent encryption...I am hoping more will be in 0.6.2 but it's too early to tell. What I can say for sure is that it is a use case we at HC are very interested in.
One question for you specifically though: is there a reason that you must use RSA keys for this workflow, especially since you are ending up with the information symmetrically encrypted in the end? Vault's ACLs allow you to give out tokens that can encrypt with a given key but not decrypt with it...ingressing customer data on servers that cannot actually be used to exfiltrate said data (since they have no decryption access) is a common Vault use case here. Would that work for you at least in the interim?
Best,
Jeff
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/CACGxCHONXr073Fhrh1DmmMS8sZN6c3DjmeVJAFveDeTdapGw4g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--Bruno Mattarollo | CTO & co-founder | @bmatt | Skype: brunomattarollo
This endpoint encrypts the provided plaintext using the named key. Currently, this only supports symmetric keys. This path supports the create and update policy capabilities as follows: if the user has the create capability for this endpoint in their policies, and the key does not exist, it will be upserted with default values (whether the key requires derivation depends on whether the context parameter is empty or not). If the user only has update capability and the key does not exist, an error will be returned.
Hi,
Since 0.9.0, the Transit backend supports encryption/decryption, and signing/verification using 2048 and 4096 bit RSA keys.
Regards,
Vishal
$ echo -n "encrypt this" | base64 -w 0 | vault write -format=json transit/encrypt/rsa plaintext=- | jq -r '.data.ciphertext' | vault write -format=json transit/decrypt/rsa ciphertext=- | jq -r '.data.plaintext' | base64 -d
Thank you Jeff, this is very helpful. A small issue is that the encryption caps at 117 characters with the error
RSA_padding_add_PKCS1_OAEP_mgf1:data too large for key size
Did anybody figure out if there is a way to flip the keys to GPG format and/or bypass this 117 character limit?
thank you
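The "data too large for key size" error is inherent to RSA-OAEP: a single RSA operation can only cover a message smaller than the modulus minus the padding overhead. The standard way around it is envelope encryption, which is also what Jeff's remark about the data ending up symmetrically encrypted points at: seal the record under a one-time AES-GCM key and put only that 32-byte key through RSA. The Go program below is an added example written for this thread, not Vault's own code; OAEPMaxPlaintext is the RFC 8017 bound, and the 190-byte figure assumes RSA-2048 with SHA-256.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope: payload sealed under a fresh AES-256-GCM data key, plus that 32-byte
// key wrapped with RSA-OAEP; only the key goes through RSA, so any length works.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte // OAEP(dataKey), GCM nonce, GCM output+tag
}

// OAEPMaxPlaintext is the most RSA-OAEP can encrypt directly: modulus bytes
// minus 2*hashLen minus 2 (RFC 8017 section 7.1.1); 190 for RSA-2048/SHA-256.
func OAEPMaxPlaintext(pub *rsa.PublicKey, hashLen int) int {
	return pub.Size() - 2*hashLen - 2
}

// must turns errors that only a programmer mistake can cause into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Seal encrypts a payload of any length for pub.
func Seal(pub *rsa.PublicKey, payload []byte) Envelope {
	dataKey := make([]byte, 32)
	must(rand.Read(dataKey))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(dataKey))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil))
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, payload, nil)}
}

// Open unwraps the data key with priv and decrypts; tampering fails GCM auth.
func Open(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(dataKey))))
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Against Vault, the same pattern means keeping the wrapped data key with the record and only ever sending the short key blob, not the record, through the RSA transit endpoint.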