transit_secret
- client.sys.enable_secrets_engine(
backend_type='transit',
)
Note
The following helper method is used various of the examples included here.
transit_secret
import sys
- def base64ify(bytes_or_str):
"""Helper method to perform base64 encoding across Python 2.7 and Python 3.X""" if sys.version_info[0] >= 3 and isinstance(bytes_or_str, str): input_bytes = bytes_or_str.encode('utf8') else: input_bytes = bytes_or_str
output_bytes = base64.urlsafe_b64encode(input_bytes) if sys.version_info[0] >= 3: return output_bytes.decode('ascii') else: return output_bytes
hvac.api.secrets_engines.Transit.create_key
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
client.secrets.transit.create_key(name='hvac-key')
hvac.api.secrets_engines.Transit.read_key
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
read_key_response = client.secrets.transit.read_key(name='hvac-key') latest_version = read_key_response['data']['latest_version'] print('Latest version for key "hvac-key" is: {ver}'.format(ver=latest_version))
Example output:
transit_secret
Latest version for key "hvac-key" is: 1
hvac.api.secrets_engines.Transit.list_keys
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
list_keys_response = client.secrets.transit.read_key(name='hvac-key') keys = list_keys_response['data']['keys'] print('Currently configured keys: {keys}'.format(keys=keys))
Example output:
transit_secret
Currently configured keys: {'1': ...}
hvac.api.secrets_engines.Transit.delete_key
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
key_name = 'gonna-delete-this-key'
- client.secrets.transit.create_key(
name=key_name,
)
# Update key subsequently to allow deletion... client.secrets.transit.update_key_configuration( name=key_name, deletion_allowed=True, )
# Finally, delete the key client.secrets.transit.delete_key(name=key_name)
hvac.api.secrets_engines.Transit.update_key_configuration
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
# allow key "hvac-key" to be exported in subsequent requests client.secrets.transit.update_key_configuration( name='hvac-key', exportable=True, )
hvac.api.secrets_engines.Transit.rotate_key
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200') client.secrets.transit.rotate_key(name='hvac-key')
hvac.api.secrets_engines.Transit.export_key
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200') export_key_response = client.secrets.transit.export_key( name='hvac-key', key_type='hmac-key', )
print('Exported keys: %s' % export_key_response['data']['keys'])
Example output:
transit_secret
Exported keys: {...}
hvac.api.secrets_engines.Transit.encrypt_data
transit_secret
import base64 import hvac client = hvac.Client(url='https://127.0.0.1:8200')
- encrypt_data_response = client.secrets.transit.encrypt_data(
name='hvac-key', plaintext=base64ify('hi its me hvac'.encode()),
) ciphertext = encrypt_data_response['data']['ciphertext'] print('Encrypted plaintext ciphertext is: {cipher}'.format(cipher=ciphertext))
Example output:
transit_secret
Encrypted plaintext ciphertext is: vault:...
hvac.api.secrets_engines.Transit.decrypt_data
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
- decrypt_data_response = client.secrets.transit.decrypt_data(
name='hvac-key', ciphertext=ciphertext,
) plaintext = decrypt_data_response['data']['plaintext'] print('Decrypted plaintext is: {text}'.format(text=plaintext))
Example output:
transit_secret
Decrypted plaintext is: ...
hvac.api.secrets_engines.Transit.rewrap_data
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
- encrypt_data_response = client.secrets.transit.rewrap_data(
name='hvac-key', ciphertext=ciphertext,
) rewrapped_ciphertext = encrypt_data_response['data']['ciphertext'] print('Rewrapped ciphertext is: {cipher}'.format(cipher=rewrapped_ciphertext))
Example output:
transit_secret
Rewrapped ciphertext is: vault:...
hvac.api.secrets_engines.Transit.generate_data_key
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200') gen_key_response = client.secrets.transit.generate_data_key( name='hvac-key', key_type='plaintext', ) ciphertext = gen_key_response['data']['ciphertext'] print('Generated data key ciphertext is: {cipher}'.format(cipher=ciphertext))
Example output:
transit_secret
Generated data key ciphertext is: vault:...
hvac.api.secrets_engines.Transit.generate_random_bytes
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
gen_bytes_response = client.secrets.transit.generate_random_bytes(n_bytes=32) random_bytes = gen_bytes_response['data']['random_bytes'] print('Here are some random bytes: {bytes}'.format(bytes=random_bytes))
Example output:
transit_secret
Here are some random bytes: ...
hvac.api.secrets_engines.Transit.hash_data
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
- hash_data_response = client.secrets.transit.hash_data(
hash_input=base64ify('hi its me hvac'), algorithm='sha2-256',
) sum = hash_data_response['data']['sum'] print('Hashed data is: {sum}'.format(sum=sum))
Example output:
transit_secret
Hashed data is: ...
hvac.api.secrets_engines.Transit.generate_hmac
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
- generate_hmac_response = client.secrets.transit.generate_hmac(
name='hvac-key', hash_input=base64ify('hi its me hvac'), algorithm='sha2-256',
) hmac = generate_hmac_response['data'] print("HMAC'd data is: {hmac}".format(hmac=hmac))
Example output:
transit_secret
HMAC'd data is: {'hmac': 'vault:...'}
hvac.api.secrets_engines.Transit.sign_data
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
key_name = 'hvac-signing-key'
# Note: some key types do no support signing... # E.g., "key type aes256-gcm96 does not support verification" client.secrets.transit.create_key( name=key_name, key_type='ed25519', )
- sign_data_response = client.secrets.transit.sign_data(
name=key_name, hash_input=base64ify('hi its me hvac'),
) signature = sign_data_response['data']['signature'] print('Signature is: {signature}'.format(signature=signature))
Example output:
transit_secret
Signature is: vault:...
hvac.api.secrets_engines.Transit.verify_signed_data
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
- verify_signed_data_response = client.secrets.transit.verify_signed_data(
name='hvac-signing-key', hash_input=base64ify('hi its me hvac'), signature=signature,
) valid = verify_signed_data_response['data']['valid'] print('Signature is valid?: {valid}'.format(valid=valid))
Example output:
transit_secret
Signature is valid?: True
hvac.api.secrets_engines.Transit.backup_key
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
key_name = 'hvac-key'
# Update the key configuration to allow exporting client.secrets.transit.update_key_configuration( name=key_name, exportable=True, allow_plaintext_backup=True, )
- backup_key_response = client.secrets.transit.backup_key(
name=key_name,
)
backed_up_key = backup_key_response['data']['backup'] print('Backed up key: %s' % backed_up_key)
Example output:
transit_secret
Backed up key: ...
hvac.api.secrets_engines.Transit.restore_key
transit_secret
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
- client.secrets.transit.update_key_configuration(
name=key_name, deletion_allowed=True,
) delete_resp = client.secrets.transit.delete_key(name=key_name)
# Restore a key after deletion client.secrets.transit.restore_key(backup=backed_up_key)
hvac.api.secrets_engines.Transit.trim_key
Note
Transit key trimming was added for Vault versions >=0.11.4.
transit_secret
import hvac client = hvac.Client(url='https://127.0.0.1:8200')
key_name = 'hvac-key'
- for _ in range(0, 10):
# Rotate the key a bunch... client.secrets.transit.rotate_key( name=key_name, )
# Set a minimum encryption version client.secrets.transit.update_key_configuration( name=key_name, min_decryption_version=3, min_encryption_version=5, )
# Trim any unneeded versions remaining of the key... client.secrets.transit.trim_key( name='hvac-key', min_version=3, )
transit_secret
client.sys.disable_secrets_engine('transit')