Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vault-5619: Transit BYOK Documentation #15817

Merged
merged 11 commits into from
Jun 17, 2022
Merged

Vault-5619: Transit BYOK Documentation #15817

merged 11 commits into from
Jun 17, 2022

Conversation

rculpepper
Copy link
Contributor

Docs changes for Transit BYOK API endpoints and description for constructing the ciphertext for the key

taoism4504
taoism4504 reviewed Jun 6, 2022
View reviewed changes
website/content/api-docs/secret/transit.mdx Outdated
- `allow_rotation` `(bool: false)` - If set, the imported key can be rotated
within Vault by using the `rotate` endpoint.

**NOTE**: Once an imported key is rotated within Vault, it will no longer
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
**NOTE**: Once an imported key is rotated within Vault, it will no longer
~> **Note:** Once an imported key is rotated within Vault, it will no longer

taoism4504
taoism4504 reviewed Jun 6, 2022
View reviewed changes
website/content/api-docs/secret/transit.mdx Outdated

This endpoint imports new key material into an existing imported key.

**Note**: Keys whose material was generated by Vault do not support
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
**Note**: Keys whose material was generated by Vault do not support
~> **Note:** Keys whose material was generated by Vault do not support

taoism4504
taoism4504 reviewed Jun 6, 2022
View reviewed changes
website/content/api-docs/secret/transit.mdx Outdated
@@ -266,6 +416,10 @@ ciphertext to be encrypted with the latest version of the key, use the `rewrap`
endpoint. This is only supported with keys that support encryption and
decryption operations.

**Note**: For imported keys, rotation is only supported if the
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
**Note**: For imported keys, rotation is only supported if the
~> **Note:** For imported keys, rotation is only supported if the

taoism4504
taoism4504 reviewed Jun 6, 2022
View reviewed changes
website/content/docs/secrets/transit.mdx Outdated
@@ -235,6 +235,58 @@ the proper permission, it can use this secrets engine.
data, since the process would not be able to get access to the plaintext
data.

## Bring Your Own Key (BYOK)

*Note:* Key import functionality supports cases in which there is a need to bring
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
*Note:* Key import functionality supports cases in which there is a need to bring
~> **Note:** Key import functionality supports cases in which there is a need to bring

taoism4504
taoism4504 approved these changes Jun 6, 2022
View reviewed changes
Copy link
Contributor

@taoism4504 taoism4504 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor nits, but otherwise LG. Please ensure to specify the 1.11 label if these changes only apply to the upcoming Vault 1.11 and you don't want these changes published until the release. Otherwise, please set the label to backlog/1.10.x

stevendpclark
stevendpclark reviewed Jun 17, 2022
View reviewed changes
website/content/api-docs/secret/transit.mdx Outdated
provided AES key. The wrapped AES key should be the first 512 bytes of the
ciphertext, and the encrypted key material should be the remaining bytes.

- `hash_function` `(string: "SHA-256")` - The hash function used for the
Copy link
Contributor

@stevendpclark stevendpclark Jun 17, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comparing against the code looks like we are expecting non-dashed versions of the hash function names such as SHA256...

Note the same issue exists below for the import version hash_function doc.

stevendpclark
stevendpclark reviewed Jun 17, 2022
View reviewed changes
website/content/api-docs/secret/transit.mdx
This endpoint imports existing key material into a new transit-managed encryption key.
To import key material into an existing key, see the `import_version/` endpoint.

### Parameters
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe we are missing the context parameter.

@rculpepper rculpepper merged commit b0cbc03 into main Jun 17, 2022
@rculpepper rculpepper deleted the docs/transit-byok branch June 17, 2022 19:53
Merged
@rculpepper rculpepper mentioned this pull request Jun 21, 2022
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@taoism4504 taoism4504 taoism4504 approved these changes

@stevendpclark stevendpclark stevendpclark approved these changes

Assignees
No one assigned
Labels
pr/no-changelog
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rculpepper @stevendpclark @taoism4504