Merged
73 changes: 73 additions & 0 deletions content/vault/v1.21.x (rc)/content/api-docs/secret/transit.mdx
Expand Up @@ -1201,6 +1201,79 @@ $ curl \
}
```

## Generate multiple data keys

The data keys endpoint generates the specified number of new, high-entropy keys.
Vault always returns keys encrypted with the provided named and optionally
returns the associated plaintext.

You can use Vault ACL policies to control which users can retrieve the plaintext
value of the keys. For example, to allow untrusted users or operations to
generate keys that are then available to trusted users.

| Method | Path |
| :----- | :----------------------------- |
| `POST` | `/transit/datakeys/:type/:name` |

### Path parameters

- `type` `(enum: <required>)` – Specifies the type of keys to generate.
- `plaintext` - return the plaintext keys along with the ciphertexts
- `wrapped` - only return the ciphertext values.

- `name` `(string: <required>)` – Specifies the name of the encryption key to
use to encrypt the datakeys.

### Request parameters

- `count` `(int: <required>)` - Specifies the number of keys to generate.

- `bits` `(int: 256)` – Specifies the number of bits in the desired keys. Can be
128, 256, or 512.

- `key_version` `(int: 0)` – Specifies the version of the key to use for the
operation. Leave `key_version` unset to use the latest version. `key_version`
must be unset or greater than or equal to the associated
`min_encryption_version` value.

### Sample payload

```json
{
"count": "2"
}
```

### Sample request

```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/transit/datakey/plaintext/my-key
```

### Sample response

```json
{
"data": {
"key_pairs": [
{
"ciphertext": "vault:v1:MA8yD4Neu2VtwrDbU8rcxPWGvkjK0ARquXyyiNMI+j34RNagvo0cu3l3e1HjEKL55I2k0PfTfAOisZMB",
"plaintext": "HT/dnq7RO9c5RloxMHGPDWUjscqdHLa0KAful8X12wg="
},
{
"ciphertext": "vault:v1:yOLlOVe6azNVuoZYARps+RHHJYr5x0Jror6DmjcAcXTFmXwfqiSjaEcl3GNdbofohfKfBawM4jxrtN+3",
"plaintext": "0srJIA4MVjNVkm9JR2in8KlMAmN0n+l8RLT7S9W9ESs="
}
],
"key_version": 1
}
}
```

## Generate random bytes

This endpoint returns high-quality random bytes of the specified length.
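Review bot: The sample request under "Sample request" posts to `/v1/transit/datakey/plaintext/my-key` (singular `datakey`), while the path table in this same section documents `/transit/datakeys/:type/:name`; as written, the example does not call the endpoint being described, so one of the two needs correcting. The sample payload sends `"count": "2"` as a string although the parameter is declared `(int: <required>)`; suggest `"count": 2`. In the introduction, "encrypted with the provided named" is missing its noun, and "For example, to allow untrusted users or operations to generate keys ..." is a sentence fragment that should be joined to the preceding sentence. The ACL paragraph would also be clearer if it said that the control works by path, since `plaintext` and `wrapped` are separate `:type` segments and the sample response shown here returns the plaintext keys.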