How do I use the datakey feature...


Fishstick Kitty

Sep 29, 2015, 10:33:28 AM9/29/15
to Vault
Hello Vault team, I am exploring the datakey feature from v0.3. I'm able to get a datakey, and I understand that it is encrypted with the actual key in Vault.

I'm not sure how to use the datakey and what to do with it after. So if I encrypt 100 things with the datakey, can I then use Vault's decrypt method to decrypt that data? Or do I need to provide my own decryption? If the latter, then do I need to store the datakey somewhere and use that for decryption (seems bad)? I looked for tests in GitHub that may shed light but was unable to locate any examples.

Thanks!!
Ed

Jeff Mitchell

Sep 29, 2015, 12:48:06 PM9/29/15
to vault...@googlegroups.com

Hi Ed,

The idea with datakeys is to allow applications to encrypt and decrypt data without round tripping through Vault.

If you have a 2GB base64 blob that you want encrypted, you probably don't want to send 2GB over the network and receive 2GB back. Instead, you get a datakey and encrypt the blob locally, and can use the same datakey to decrypt it locally later.

The datakey is its own full key; you can't decrypt it with the transit key that it is wrapped with. However, because the data key is wrapped by a transit key, and thus protected, you can store it with the data. This way, you can allow any person or system that you want to decrypt the data to do so by giving them a Vault token allowing them access to decrypt the datakey.

Hope that helps!

--Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/45056701-1472-4c91-bb71-f7e3dea73495%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Fishstick Kitty

Sep 29, 2015, 12:53:31 PM9/29/15
to Vault
Ah... I think I get it... so when I get a datakey, I get a plaintext and a ciphertext of the same key. I encrypt the data with the plaintext, and then store the ciphertext datakey with the data... then when I need to decrypt, I have Vault decrypt the ciphertext datakey and it returns me the plaintext one back that I can use to decrypt?


Ed

Jeff Mitchell

Sep 29, 2015, 12:55:02 PM9/29/15
to vault...@googlegroups.com

That's it!

You could also store the datakey wherever you like, for instance in the generic backend with a restricted set of policies allowed to read it.
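The workflow Ed summarises and Jeff confirms above, written out as an added example (not code from the thread or from Vault itself). The two Vault calls it relies on are transit's datakey/plaintext/<key> (returns the datakey both in plaintext and wrapped under the transit key) and decrypt/<key> (unwraps it again); everything else is an assumption of this example: the Transit interface that models those two calls, the choice of AES-256-GCM for the local bulk encryption (Vault does not prescribe what you do with the plaintext datakey), binding the wrapped key into the GCM associated data so an envelope's key cannot be swapped for another record's, and LocalTransit, a constructed in-memory stand-in for Vault so the code runs offline. LocalTransit mimics Vault's "vault:v1:<base64>" ciphertext shape but is not Vault's algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"io"
	"strings"
)

// Transit models the two Vault transit calls envelope encryption needs: datakey/plaintext/<key> and decrypt/<key>.
type Transit interface {
	GenerateDataKey() (plaintext []byte, wrapped string, err error)
	DecryptDataKey(wrapped string) ([]byte, error)
}

// Envelope is what gets stored: the wrapped datakey travels with the ciphertext.
type Envelope struct {
	WrappedKey string // transit ciphertext of the datakey ("vault:v1:..."); safe to store
	Data       []byte // nonce || AES-256-GCM ciphertext of the payload
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts pt under key with AES-GCM and returns nonce || ciphertext.
func seal(key, pt, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, aad), nil
}

// open reverses seal; a wrong key or any modified byte fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, io.ErrUnexpectedEOF // truncated blob
}

// Seal gets a fresh datakey from Vault, encrypts plaintext locally and keeps only the
// wrapped key, bound in as associated data so it cannot be swapped between records.
func Seal(t Transit, plaintext []byte) (*Envelope, error) {
	dk, wrapped, err := t.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	data, err := seal(dk, plaintext, []byte(wrapped))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Data: data}, nil
}

// Open has Vault unwrap the datakey (the token needs decrypt on the transit key) and decrypts locally.
func Open(t Transit, env *Envelope) ([]byte, error) {
	dk, err := t.DecryptDataKey(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, env.Data, []byte(env.WrappedKey))
}

// LocalTransit is a constructed stand-in for Vault so the example runs offline: it wraps
// datakeys under an in-memory key-encryption key (the "transit key") and mimics Vault's
// "vault:v1:<base64>" output. It is not Vault's code or algorithm.
type LocalTransit struct{ KEK []byte } // 32 random bytes

func (l *LocalTransit) GenerateDataKey() ([]byte, string, error) {
	dk := make([]byte, 32) // Vault's default datakey size is 256 bits
	if _, err := io.ReadFull(rand.Reader, dk); err != nil {
		return nil, "", err
	}
	blob, err := seal(l.KEK, dk, nil)
	return dk, "vault:v1:" + base64.StdEncoding.EncodeToString(blob), err
}

func (l *LocalTransit) DecryptDataKey(wrapped string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(wrapped, "vault:v1:"))
	if err != nil {
		return nil, err
	}
	return open(l.KEK, raw, nil) // a different KEK (another transit key) fails here
}
```

Against a real Vault, a Transit implementation would POST to /v1/transit/datakey/plaintext/<key> and /v1/transit/decrypt/<key> with the X-Vault-Token header; note that both responses carry the key material as base64 in the "plaintext" field, so it has to be decoded before use. The access-control consequence Jeff describes falls out of the split: a producer only needs a policy granting the datakey/plaintext path, while anyone who should read the data needs decrypt on the transit key, and the plaintext datakey never has to be persisted anywhere.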
