Encryption and Decryption

The following keys can perform encryption and decryption tasks:

  • AES-256-GCM

  • ChaCha20

  • RSA

Encryption

Encrypt

POST https://vault.provide.services/api/v1/vaults/:id/keys/:key_id/encrypt

Encrypts data using a specified key

Path Parameters

Name
Type
Description

id

string

id of

Vault

hosting specified key

key_id

string

id of key to be used for encryption

Headers

Name
Type
Description

authorization

string

bearer scoped to an

Application

,

Organization

or

User

Request Body

Name
Type
Description

data

string

data to be encrypted

{
    "data": "b90e56f5cdd0d619ef78df3d8ab85e0651211e4926967bd915e7cc3d124247ced395dc2fa97b882448ae069b5950147f944ebddc869c02742948728109ece39e104cd4ee82b6992e8a1636bfc8d8f502862db19bc2cbc3"}
curl -i -XPOST \
    -H 'authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.eyJhdWQiOiJodHRwczovL3Byb3ZpZGUuc2VydmljZXMvYXBpL3YxIiwiZXhwIjoxNTk5ODM1ODEzLCJpYXQiOjE1OTk3NDk0MTMsImlzcyI6Imh0dHBzOi8vaWRlbnQucHJvdmlkZS5zZXJ2aWNlcyIsImp0aSI6IjUzMDFhZjAwLTEyNjMtNGMxNC04Mjc0LTI2NWYzOTNlZDJiNSIsIm5hdHMiOnsicGVybWlzc2lvbnMiOnsic3Vic2NyaWJlIjp7ImFsbG93IjpbInVzZXIuNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIiwibmV0d29yay4qLmNvbm5lY3Rvci4qIiwibmV0d29yay4qLnN0YXR1cyIsInBsYXRmb3JtLlx1MDAzZSJdfX19LCJwcnZkIjp7InBlcm1pc3Npb25zIjo3NTUzLCJ1c2VyX2lkIjoiNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0sInN1YiI6InVzZXI6NGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0.fJL7wi5IfZdIZBoTXX0hFDBJuMtfU2Ub03oc0x7lD75MY9JSJ4DRdLCjiBK0DdYAv2D-V3erq9BtuooTkhUEsTAqciBhoxBygFAwvhnlxbdG_L_Fl9IyLQDow7LV7WY5odS4p1h8OAH_mpwfABDsc50uRLeJKtsWsOWzgahciIZgXGJrx-ogX-vEOrLHonytVcNZmWIeRDswO_SoZyc9Msx_Ywt6bMxVSC1ZS8t-5Spq-_xZqbGTDiM6MS0fAEsUidPZRPuZiXn473jj_dqkPbXt8pYHt4H9tdsMRGrFZbMRVxB-ebXeRhgIuTXrxrAmq6oLpw_WZ7pTrODVCeLqkRflkFculO3U1f8izsizXIX41goejOHECuE-VNXKGTr-dtOaDIlXzeejzuO-k4OjP7S2UFl98sNtj_eRjKLh4QTjd4HrPIpwjPUubA-tog76g1edeCHFkKUQzg3HGu1Lh-11tUXJeabdliRCeTrHTCAToAGUrLnihuTZRk7c9-ONeAbeKGALsciZIKMgDM-_wCQLdLbjokw_FlGiWhedp9xqFJJDpkenxElPfOesnmFaHqzAa_eFQuiC7wgdaeb06LdFOV3YmfQkmCHLdxGkRmz1mvjQZnmyoqwmKOBc8vVF9LScH6IsHn0gHn7vWUPnf2HGj3KUWevuoFmi7_2VlsA' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/730afe0f-a62d-48e0-9d67-1e07c118fbf8/keys/9975e23f-b445-4349-a09f-dbbb4e8850c2/encrypt \
    -d '{
      "data": "text to be encrypted"
    }'
HTTP/2 200

Response JSON:

{
  "data": "7e415ad7f603db114a40a1a2f9aa28f6db546c6888cc10bb14e116b5f87cc0ffbe8cb4377af2cb8973de18fd8195caec"
}

The data returned in the response is hex-encoded.

Decryption

Decrypt

POST https://vault.provide.services/api/v1/vaults/:id/keys/:key_id/decrypt

Decrypts data using a specified key

Path Parameters

Name
Type
Description

id

string

id of

Vault

hosting specified key

key_id

string

id of key to be used for decryption

Headers

Name
Type
Description

authorization

string

bearer scoped to an

Application

,

Organization

or

User

Request Body

Name
Type
Description

data

string

data to be decrypted

{
    "data": "This data will be encrypted. If you can read it then it has been decrypted."
}
curl -i -XPOST \
    -H 'authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.eyJhdWQiOiJodHRwczovL3Byb3ZpZGUuc2VydmljZXMvYXBpL3YxIiwiZXhwIjoxNTk5ODM1ODEzLCJpYXQiOjE1OTk3NDk0MTMsImlzcyI6Imh0dHBzOi8vaWRlbnQucHJvdmlkZS5zZXJ2aWNlcyIsImp0aSI6IjUzMDFhZjAwLTEyNjMtNGMxNC04Mjc0LTI2NWYzOTNlZDJiNSIsIm5hdHMiOnsicGVybWlzc2lvbnMiOnsic3Vic2NyaWJlIjp7ImFsbG93IjpbInVzZXIuNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIiwibmV0d29yay4qLmNvbm5lY3Rvci4qIiwibmV0d29yay4qLnN0YXR1cyIsInBsYXRmb3JtLlx1MDAzZSJdfX19LCJwcnZkIjp7InBlcm1pc3Npb25zIjo3NTUzLCJ1c2VyX2lkIjoiNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0sInN1YiI6InVzZXI6NGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0.fJL7wi5IfZdIZBoTXX0hFDBJuMtfU2Ub03oc0x7lD75MY9JSJ4DRdLCjiBK0DdYAv2D-V3erq9BtuooTkhUEsTAqciBhoxBygFAwvhnlxbdG_L_Fl9IyLQDow7LV7WY5odS4p1h8OAH_mpwfABDsc50uRLeJKtsWsOWzgahciIZgXGJrx-ogX-vEOrLHonytVcNZmWIeRDswO_SoZyc9Msx_Ywt6bMxVSC1ZS8t-5Spq-_xZqbGTDiM6MS0fAEsUidPZRPuZiXn473jj_dqkPbXt8pYHt4H9tdsMRGrFZbMRVxB-ebXeRhgIuTXrxrAmq6oLpw_WZ7pTrODVCeLqkRflkFculO3U1f8izsizXIX41goejOHECuE-VNXKGTr-dtOaDIlXzeejzuO-k4OjP7S2UFl98sNtj_eRjKLh4QTjd4HrPIpwjPUubA-tog76g1edeCHFkKUQzg3HGu1Lh-11tUXJeabdliRCeTrHTCAToAGUrLnihuTZRk7c9-ONeAbeKGALsciZIKMgDM-_wCQLdLbjokw_FlGiWhedp9xqFJJDpkenxElPfOesnmFaHqzAa_eFQuiC7wgdaeb06LdFOV3YmfQkmCHLdxGkRmz1mvjQZnmyoqwmKOBc8vVF9LScH6IsHn0gHn7vWUPnf2HGj3KUWevuoFmi7_2VlsA' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/730afe0f-a62d-48e0-9d67-1e07c118fbf8/keys/9975e23f-b445-4349-a09f-dbbb4e8850c2/decrypt \
    -d '{
      "data": "7e415ad7f603db114a40a1a2f9aa28f6db546c6888cc10bb14e116b5f87cc0ffbe8cb4377af2cb8973de18fd8195caec"
    }'
HTTP/2 200

Response JSON:

{
  "data": "text to be encrypted"
}

Optional Nonce Usage

For ChaCha20 and AES-256-GCM keys, a 12-byte nonce is auto-generated and returned as part of the encrypted data response. Never encrypt with the same key more than 2³² times to reduce the risk of a nonce-repeat which will expose the key.

If you prefer to provide a nonce to remove the risk of a nonce repeat, typically by providing a sequential nonce, then the additional nonce details should be added to the post data. As the nonce is prepended to the encrypted hex-encoded response data, the nonce is not required in the post data when decrypting.

curl -i -XPOST \
    -H 'authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.eyJhdWQiOiJodHRwczovL3Byb3ZpZGUuc2VydmljZXMvYXBpL3YxIiwiZXhwIjoxNTk5ODM1ODEzLCJpYXQiOjE1OTk3NDk0MTMsImlzcyI6Imh0dHBzOi8vaWRlbnQucHJvdmlkZS5zZXJ2aWNlcyIsImp0aSI6IjUzMDFhZjAwLTEyNjMtNGMxNC04Mjc0LTI2NWYzOTNlZDJiNSIsIm5hdHMiOnsicGVybWlzc2lvbnMiOnsic3Vic2NyaWJlIjp7ImFsbG93IjpbInVzZXIuNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIiwibmV0d29yay4qLmNvbm5lY3Rvci4qIiwibmV0d29yay4qLnN0YXR1cyIsInBsYXRmb3JtLlx1MDAzZSJdfX19LCJwcnZkIjp7InBlcm1pc3Npb25zIjo3NTUzLCJ1c2VyX2lkIjoiNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0sInN1YiI6InVzZXI6NGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0.fJL7wi5IfZdIZBoTXX0hFDBJuMtfU2Ub03oc0x7lD75MY9JSJ4DRdLCjiBK0DdYAv2D-V3erq9BtuooTkhUEsTAqciBhoxBygFAwvhnlxbdG_L_Fl9IyLQDow7LV7WY5odS4p1h8OAH_mpwfABDsc50uRLeJKtsWsOWzgahciIZgXGJrx-ogX-vEOrLHonytVcNZmWIeRDswO_SoZyc9Msx_Ywt6bMxVSC1ZS8t-5Spq-_xZqbGTDiM6MS0fAEsUidPZRPuZiXn473jj_dqkPbXt8pYHt4H9tdsMRGrFZbMRVxB-ebXeRhgIuTXrxrAmq6oLpw_WZ7pTrODVCeLqkRflkFculO3U1f8izsizXIX41goejOHECuE-VNXKGTr-dtOaDIlXzeejzuO-k4OjP7S2UFl98sNtj_eRjKLh4QTjd4HrPIpwjPUubA-tog76g1edeCHFkKUQzg3HGu1Lh-11tUXJeabdliRCeTrHTCAToAGUrLnihuTZRk7c9-ONeAbeKGALsciZIKMgDM-_wCQLdLbjokw_FlGiWhedp9xqFJJDpkenxElPfOesnmFaHqzAa_eFQuiC7wgdaeb06LdFOV3YmfQkmCHLdxGkRmz1mvjQZnmyoqwmKOBc8vVF9LScH6IsHn0gHn7vWUPnf2HGj3KUWevuoFmi7_2VlsA' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/730afe0f-a62d-48e0-9d67-1e07c118fbf8/keys/9975e23f-b445-4349-a09f-dbbb4e8850c2/encrypt \
    -d '{
      "data": "text to be encrypted",
      "nonce": 1
    }'
HTTP/2 200

Encrypting with RSA

RSA keys are asymmetric keypairs which can also be used to encrypt and decrypt. RSA does not use a nonce for encryption, so any nonce data passed to an RSA key for encryption will be ignored.

The maximum length of data that can be encrypted by RSA (we currently only implement the RSAES_OAEP_SHA_256encryption algorithm which uses the SHA-256 hash function) is keylength(bytes) - 66. So an RSA-4096keypair cannot encrypt more than 446-bytes of data (4096/8 - 66).

Last updated