How to use Data key (plain text) to encrypt with SecretKeySpec?


eyalmar100

Jul 11, 2017, 12:17:56 AM
to Vault
Hi,
I want to use the Vault plain text key to encrypt data.
When I do it with DESedeKeySpec, everything is fine.
But when I try to do it like this:
..............
SecretKeySpec key = new SecretKeySpec(keyVault.getBytes(), "AES");

SecretKeySpec key1 = new SecretKeySpec(key.getEncoded(), keyVault);

Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key1);

..........

I get "InvalidKeyException: Invalid AES key length: 44 bytes"
in the line: cipher.init(Cipher.ENCRYPT_MODE, key1);
Is it possible to use SecretKeySpec with Vault key?
If yes, then how?
Thanks

Joel Thompson

Jul 11, 2017, 2:12:55 AM
to vault...@googlegroups.com
It looks like you're passing in the base64-encoded AES256 key -- base64-encoding 32 bytes will result in a 44-byte output. I'm assuming you're using the Bouncy Castle Java libraries, which I'm not too familiar with. What Java API client are you using for Vault?

As Vault communicates via JSON, the data key is returned to clients base64-decrypted, so I'd check that to see if the Vault API client is base64-decoding the key first, and if not, base64-decode it yourself.

--Joel
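
Added example, not part of the thread and not code from either poster: it base64-decodes the key string before building the SecretKeySpec, checks the decoded length, and round-trips a message with the same AES/CBC/PKCS5Padding transformation and a random IV. The class and method names are hypothetical, and the key is a constructed sample standing in for the string received from Vault.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class VaultDataKeyExample {
    // Decode the base64 text form of the data key and reject anything that is not a legal AES key size.
    static SecretKeySpec aesKeyFromBase64(String b64Key) {
        byte[] raw = Base64.getDecoder().decode(b64Key);
        if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
            throw new IllegalArgumentException("Decoded key is " + raw.length + " bytes, not an AES key length");
        }
        return new SecretKeySpec(raw, "AES");
    }

    // CBC needs a fresh random 16-byte IV per message; it is prepended to the ciphertext.
    static byte[] encrypt(SecretKeySpec key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Split the IV back off the front of the message before decrypting.
    static byte[] decrypt(SecretKeySpec key, byte[] ivAndCt) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(ivAndCt, 0, 16));
        return cipher.doFinal(ivAndCt, 16, ivAndCt.length - 16);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: 32 random bytes, base64-encoded, in place of the real key string.
        byte[] sample = new byte[32];
        new SecureRandom().nextBytes(sample);
        String keyVault = Base64.getEncoder().encodeToString(sample);

        System.out.println("undecoded length = " + keyVault.getBytes(StandardCharsets.US_ASCII).length);
        SecretKeySpec key = aesKeyFromBase64(keyVault);
        System.out.println("decoded length   = " + key.getEncoded().length);
        byte[] msg = "data to protect".getBytes(StandardCharsets.UTF_8);
        System.out.println("round trip ok    = " + Arrays.equals(msg, decrypt(key, encrypt(key, msg))));
    }
}
```

On JDK 8 releases older than 8u161, a 32-byte AES key additionally requires the unlimited-strength JCE policy files to be installed.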
