76 changes: 74 additions & 2 deletions content/vault/v1.21.x (rc)/content/api-docs/secret/transit.mdx
Expand Up @@ -1219,8 +1219,8 @@ You can use Vault ACL policies to control which users can retrieve the plaintext
value of the keys. For example, to allow untrusted users or operations to
generate keys that are then available to trusted users.

| Method | Path |
| :----- | :----------------------------- |
| Method | Path |
| :----- | :------------------------------ |
| `POST` | `/transit/datakeys/:type/:name` |

### Path parameters
Expand Down Expand Up @@ -1282,6 +1282,78 @@ $ curl \
}
```

## Generate Derived Keys

The derived keys endpoint generates new keys based on the HMAC key associated
with the provided key name. Vault always returns keys encrypted with the
provided named and optionally returns the associated plaintext.

You can use Vault ACL policies to control which users can retrieve the plaintext
value of the keys. For example, to allow untrusted users or operations to
generate keys that are then available to trusted users.

| Method | Path |
| :----- | :--------------------------------- |
| `POST` | `/transit/derivedkeys/:type/:name` |

### Path parameters

- `type` `(enum: <required>)` – Specifies the type of keys to generate.
- `plaintext` - return the plaintext keys along with the ciphertexts
- `wrapped` - only return the ciphertext values.

- `name` `(string: <required>)` – Specifies the name of the encryption key to
use to encrypt the keys.

### Request parameters

- `salt` `(string: <required>)` - The salt input to derivation

- `key_index_from` `(int: <required>)` - The starting index for keys to return

- `key_index_to` `(int: <required>)` - The ending index (non-inclusive) for keys to return

- `bits` `(int: 256)` – Specifies the number of bits in the desired keys. Can be
128, 256, or 512.

- `key_version` `(int: 0)` – The version of the Vault key to use for encryption
of the data key. Must be 0 (for latest) or a value greater than or equal to the
min_encryption_version configured on the key.

- `info` `(string: "")` – The info string input to derivation

### Sample payload

```json
{
"key_index_from": 0,
"key_index_to": 1,
"salt": "sodium chloride"
}
```

### Sample request

```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/transit/derivedkeys/plaintext/my-key
```

### Sample response

```json
{
"0": {
"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo=",
"ciphertext": "vault:v1:abcdefgh"
},
"key_version": 0
}
```

## Generate random bytes

This endpoint returns high-quality random bytes of the specified length.
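Review bot: the sample response reports `"key_version": 0` while its ciphertext is `vault:v1:abcdefgh`, and the request parameter defines 0 as "latest"; the response should report the concrete version that was actually used (here 1), and the text should say which key version the derivation itself reads and whether that is the same version that wraps the output, otherwise a caller that kept only the derived plaintext cannot reproduce it later. Two copy-overs from the datakeys section also need fixing: "Vault always returns keys encrypted with the provided named and optionally returns the associated plaintext" is missing "key" after "named", and "The version of the Vault key to use for encryption of the data key" should read "of the derived keys". Since the intro says derivation is "based on the HMAC key associated with the provided key name" and the request takes `salt`, `info` and an index range, state the derivation function explicitly (for example whether it is HKDF over the HMAC key with the index mixed into the info) and that the output is deterministic for a given key version, salt, info and index, because that determinism is the reason to choose this endpoint over datakeys; also document the upper bound, if any, on `key_index_to - key_index_from`, and replace the sample `plaintext` value, which decodes to 20 bytes and so cannot be a 128-, 256- or 512-bit key as the `bits` parameter requires.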