Keys
This section describes the elliptic curves and key specifications currently supported by the API. Supported curves and key specs are defined with a type of either symmetric or asymmetric. Certain symmetric keys, such as the ChaCha20 stream cipher, support key derivation. Other key specs, such as RSA, are provided for convenience and to achieve table-stakes feature parity with industry-standard key management solutions such as AWS Key Management Service, Azure Key Vault and HashiCorp Vault.

Key Spec | Description |
---|---|
AES-256-GCM | default encryption for the master key of each Vault instance |
ChaCha20 | stream cipher useful with double-ratchet messaging algorithm |
RSA | 2048, 3072 and 4096-bit; RSASSA-PSS and RSASSA-PKCS1-V1_5-SIGN for sign/verify operations; RSAES_OAEP_SHA_256 for encrypt/decrypt operations |

Key Spec | Description |
---|---|
babyJubJub | a twisted Edwards elliptic curve designed for zk-SNARK circuits |
BIP39 | BIP39 hierarchical deterministic (HD) wallet for deriving secp256k1 keys |
C25519 | elliptic curve designed for Diffie-Hellman (ECDH) key exchange |
Ed25519 | EdDSA signature scheme using SHA-512 (SHA-2) |
RSA | 2048, 3072 and 4096-bit; PSS and PKCS for sign/verify operations; OAEPSHA256 for encrypt/decrypt operations |
secp256k1 | elliptic curve used with ECDSA (e.g., ETH, BTC) |

Additional information about keys can be found on the Keys services page.

GET https://vault.provide.services/api/v1/vaults/:id/keys
Returns a list of keys in a specified Vault

Name | Type | Description |
---|---|---|
id | string | id of host Vault containing the desired keys |
authorization | string | bearer scoped to an Application, Organization or User |

DELETE https://vault.provide.services/api/v1/vaults/:id/keys/:key_id
Deletes a specified key

Name | Type | Description |
---|---|---|
key_id | string | id of key to be deleted |
id | string | id of host Vault |
authorization | string | bearer scoped to an Application, Organization or User |

POST https://vault.provide.services/api/v1/vaults/:id/keys/:key_id/derive
Derives a specified key; derivation of keys is currently restricted to ChaCha20 spec keys.

Name | Type | Description |
---|---|---|
key_id | string | id of key to be used for derivation |
id | string | id of target host Vault |
authorization | string | bearer scoped to an Application, Organization or User |
context | string | machine-readable string describing the key derivation context |
description | string | brief description for key to be derived |
name | string | name for key to be derived |
nonce | string | random 32-bit integer or incrementing counter which must only be used once to avoid exposing the underlying secret; if not provided, a random 32-bit integer is used |

POST https://vault.provide.services/api/v1/vaults/:id/keys/:key_id/encrypt
Encrypts data using a specified key

Name | Type | Description |
---|---|---|
id | string | id of Vault hosting specified key |
key_id | string | id of key to be used for encryption |
authorization | string | bearer scoped to an Application, Organization or User |
data | string | data to be encrypted |

POST https://vault.provide.services/api/v1/vaults/:id/keys/:key_id/decrypt
Decrypts data using a specified key

Name | Type | Description |
---|---|---|
id | string | id of Vault hosting specified key |
key_id | string | id of key to be used for decryption |
authorization | string | bearer scoped to an Application, Organization or User |
data | string | data to be decrypted |
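
The derive endpoint requires that a nonce be used only once. The following is an added example, not code from the Provide documentation or SDK: a client-side counter that hands out each 32-bit nonce once per parent key, a request builder for the derive call, and a birthday-bound estimate of how quickly the default random nonces collide. The JSON body encoding, the `Authorization: bearer <token>` header form, the decimal-string nonce and the helper names (`NonceCounter`, `build_derive_request`, `collision_probability`) are assumptions.

```python
import json
import math

BASE = "https://vault.provide.services/api/v1"
NONCE_SPACE = 2 ** 32  # the nonce is described above as a 32-bit integer


def collision_probability(n, space=NONCE_SPACE):
    """Birthday bound: chance that n uniformly random nonces contain a repeat."""
    return -math.expm1(-n * (n - 1) / (2 * space))


class NonceCounter:
    """Hands out each 32-bit nonce at most once per parent key.

    Persist `state` durably before sending a request; a counter that
    resets on restart reuses nonces.
    """

    def __init__(self, state=None):
        self.state = dict(state or {})  # key_id -> next unused nonce

    def next(self, key_id):
        n = self.state.get(key_id, 0)
        if n >= NONCE_SPACE:
            raise OverflowError(f"nonce space exhausted for key {key_id}")
        self.state[key_id] = n + 1
        return n


def build_derive_request(vault_id, key_id, token, counter, *, name, context,
                         description=""):
    """Return (method, url, headers, body) for POST .../keys/:key_id/derive."""
    body = {
        "name": name,
        "context": context,
        "description": description,
        # Typed as string in the parameter table; decimal encoding is assumed.
        "nonce": str(counter.next(key_id)),
    }
    headers = {
        "Authorization": f"bearer {token}",     # header form is an assumption
        "Content-Type": "application/json",     # JSON body is an assumption
    }
    url = f"{BASE}/vaults/{vault_id}/keys/{key_id}/derive"
    return "POST", url, headers, json.dumps(body)
```

With the default random nonce, `collision_probability(77163)` is about 0.5, so a parent key used for tens of thousands of derivations is better served by the counter.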