Transit keys are used to encode and decode data with a named key. This allows an application to work with encoded data without having to know the encryption key. Keys can be kept more secure and are easier to manage, i.e. access controlled, rotated, and revoked. Multiple versions of a key can be active at the same time, which allows controlled rotation throughout a large distributed system.
Depending on the type of key, it can be used for a number of different operations such as encrypt, decrypt, sign, verify, HMAC, etc.
| Parameter | Type and description |
|---|---|
| name (required) | string `<name>`, matching `^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$` |
| public-key | string. An initial key can optionally be provided. |
| allow-plaintext-backup | boolean. Default: false. Allow the transit key to be backed up in plaintext. This allows a key to be backed up, but also restored on another tenant or site. |
| cipher | string `<cipher-type>`. Default: "aes256-gcm96" |
| convergent-encryption | boolean. Default: false. If enabled together with |
| deletion-allowed | boolean. Default: false. Controls if the key can be deleted or not. This is set to |
| derived | boolean. Default: false. The key is derived from the common key and the provided context parameter. Encryption and decryption calls must provide the same context parameter. This allows for a large number of dynamically generated keys. |
| exportable | boolean. Default: false. If set to true, valid keys can be exported. Cannot be set to false once enabled. |
| openpgp-user-id | string. This setting is used when displaying rsa and ed25519 public keys in OpenPGP format. A user ID must be embedded in the key. It defaults to 'Strongbox strongbox@avassa.io' |
| openpgp-key-usage | array of strings `<enumeration>`. This setting is used when displaying rsa and ed25519 public keys in OpenPGP format. A user ID must be embedded in the key. It defaults to 'Strongbox strongbox@avassa.io' |
| openpgp-primary | string `<name>`, matching `^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$`. This can be used to indicate the primary OpenPGP key in a keyblock. It is used when exporting a subkey in OpenPGP format. |
| default-encryption-version | integer `<uint32>`. Default: 0. It is possible to specify a default version for encryption. Once a key has been rotated, it might be desirable to delay using the new version until it has been distributed to all parties that need it. Setting the value to 0 indicates that the latest version should be used by default. |
| min-decryption-version | integer `<uint32>`. Default: 0. It is possible to specify a minimal version for both encryption and decryption. It might be desirable to phase out an old key by increasing the minimal encryption version, while keeping the minimal decryption version until all data has been migrated to the new version or has become irrelevant. |
| min-encryption-version | integer `<uint32>`. Default: 0. It is possible to specify a minimal version for both encryption and decryption. It might be desirable to phase out an old key by increasing the minimal encryption version, while keeping the minimal decryption version until all data has been migrated to the new version or has become irrelevant. |
|  | object. It is advisable to periodically rotate encryption keys, regardless of whether a security breach has occurred. According to NIST publication 800-38D, AES-GCM keys should be rotated once they approach approximately 2^32 encryptions. Operators should assess how frequently a key is used for encryption and set a rotation schedule that ensures this threshold is not exceeded. For instance, if a key is used for 40 million operations daily, rotating it every three months would be adequate. |
|  | to (object) or sites (object) or deployments (object) |
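The following Python is an added illustration, not Strongbox's own code, of the version parameters and the rotation guidance in the table above: how an explicit key-version, default-encryption-version and min-encryption-version resolve to the version an encrypt call actually uses, how min-decryption-version decides whether an existing ciphertext is still accepted, and how the 2^32 AES-GCM limit from NIST 800-38D turns into a rotation interval. The TransitKeyPolicy class and the helper names are assumptions made for the example; the `sbox:v<N>:` ciphertext prefix is taken from the examples on this page.

```python
"""Version gating and rotation budget for a versioned transit key.

Added illustration, not Strongbox code. The class and helper names are
assumptions; the "sbox:v<N>:" ciphertext prefix comes from this page's
examples and the 2^32 figure from the NIST 800-38D guidance quoted above.
"""
import re
from dataclasses import dataclass

# Upper bound on AES-GCM invocations under one key (NIST SP 800-38D).
AES_GCM_INVOCATION_LIMIT = 2 ** 32

# Versioned ciphertexts on this page look like "sbox:v1:<base64>".
CIPHERTEXT_VERSION_RE = re.compile(r"^sbox:v(\d+):")


@dataclass
class TransitKeyPolicy:
    """Mirrors the version parameters of a transit key; 0 means 'latest'."""
    latest_version: int
    default_encryption_version: int = 0
    min_encryption_version: int = 0
    min_decryption_version: int = 0

    def encryption_version(self, requested: int = 0) -> int:
        """Resolve the version an encrypt call uses, refusing phased-out ones.

        An explicit key-version wins over default-encryption-version, and
        0 at either level means the latest version.
        """
        version = requested or self.default_encryption_version or self.latest_version
        if version > self.latest_version:
            raise ValueError(
                f"version {version} does not exist (latest is {self.latest_version})"
            )
        if version < self.min_encryption_version:
            raise ValueError(
                f"version {version} is below min-encryption-version "
                f"{self.min_encryption_version}"
            )
        return version

    def can_decrypt(self, ciphertext: str) -> bool:
        """True if the ciphertext's version is still accepted for decryption."""
        match = CIPHERTEXT_VERSION_RE.match(ciphertext)
        if not match:
            return False
        version = int(match.group(1))
        return self.min_decryption_version <= version <= self.latest_version

    def rotate(self) -> int:
        """Create a new version; older versions stay usable within the policy."""
        self.latest_version += 1
        return self.latest_version


def max_rotation_days(operations_per_day: int) -> int:
    """Whole days before a key reaches the 2^32 invocation limit."""
    if operations_per_day <= 0:
        raise ValueError("operations_per_day must be positive")
    return AES_GCM_INVOCATION_LIMIT // operations_per_day


def fits_rotation_budget(operations_per_day: int, interval_days: int) -> bool:
    """Check that a rotation interval keeps the key under the 2^32 limit."""
    return operations_per_day * interval_days < AES_GCM_INVOCATION_LIMIT


if __name__ == "__main__":
    policy = TransitKeyPolicy(latest_version=3, min_encryption_version=2,
                              min_decryption_version=1)
    print("encrypt with version", policy.encryption_version())
    print("v1 still decryptable:", policy.can_decrypt("sbox:v1:abc"))
    print("40M ops/day allows", max_rotation_days(40_000_000), "days per version")
```

With the page's figure of 40 million operations per day the budget works out to 107 days per version, so the three-month schedule the table suggests stays under the limit, while a four-month one would not. Raising min-encryption-version after a rotation is what stops writers from silently continuing with the old version; min-decryption-version is raised only once no ciphertext under the old version is left.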
Responses:
- Created
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Conflict (instance exists)
- Service Unavailable (strongbox sealed)
```yaml
name: import
public-key: |
  -----BEGIN EC PRIVATE KEY-----
  MHcCAQEEIOtZk70H7MTVQOPOJFQPVzM0Kjc0B8wXj7OtrjtyBYVLoAoGCCqGSM49
  AwEHoUQDQgAEZWoYC3Xg7WF6W/TZ4CLfnXSUCgw2fJAJiX5+P4AjRqPY6onal8AK
  /7UP/xJLQR4E06m7IrfXAlQEwC99s1WwxQ==
  -----END EC PRIVATE KEY-----
allow-plaintext-backup: false
cipher: ecdsa-p256
convergent-encryption: false
deletion-allowed: false
derived: false
exportable: false
openpgp-user-id: Admin <admin@telco.com>
openpgp-key-usage:
  - sign
openpgp-primary: pgp-signing
default-encryption-version: 0
min-decryption-version: 0
min-encryption-version: 0
distribute:
  to: inherit
```
| Query parameter | Type and description |
|---|---|
| fields | string. Retrieve only the requested fields from the resource. See section fields |
| where | string. Retrieve only items matching the given expression. See section where |
| validate | string `<enumeration>`. Validate the request but do not actually perform the requested operation |
| keys | string `<enumeration>`. Retrieve only the keys for the list |
| count | string `<enumeration>`. Retrieve only the number of elements in the list |
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Precondition Failed
- Service Unavailable (strongbox sealed)
```yaml
- name: import
  public-key: |
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIOtZk70H7MTVQOPOJFQPVzM0Kjc0B8wXj7OtrjtyBYVLoAoGCCqGSM49
    AwEHoUQDQgAEZWoYC3Xg7WF6W/TZ4CLfnXSUCgw2fJAJiX5+P4AjRqPY6onal8AK
    /7UP/xJLQR4E06m7IrfXAlQEwC99s1WwxQ==
    -----END EC PRIVATE KEY-----
  allow-plaintext-backup: false
  cipher: ecdsa-p256
  convergent-encryption: false
  deletion-allowed: false
  derived: false
  exportable: false
  openpgp-user-id: Admin <admin@telco.com>
  openpgp-key-usage:
    - sign
  openpgp-primary: pgp-signing
  default-encryption-version: 0
  min-decryption-version: 0
  min-encryption-version: 0
  distribute:
    to: inherit
```
Request body parameters: the same as the parameter table at the top of this page.
Responses:
- No Content
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Precondition Failed
- Service Unavailable (strongbox sealed)
Example: the same as the first example on this page.
Request body parameters: the same as the parameter table at the top of this page.
Responses:
- Created
- No Content
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Precondition Failed
- Service Unavailable (strongbox sealed)
Example: the same as the first example on this page.
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Precondition Failed
- Service Unavailable (strongbox sealed)
Example: the same as the first example on this page.
Imports an OpenPGP keyblock into a transit key. Subkeys are imported and stored in separate transit keys named `<this-name>-<subkey-fingerprint>`.
There must not be any existing transit keys with the same name.
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
transit-key-name: pgp-signing
keyblock: |
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  mDMEaUU9DRYJKwYBBAHaRw8BAQdAlGq13/0C9MaWZFqwbd58jsewb0X9tkJINcnV
  JfWpOiK0HUV4YW1wbGUgPGV4YW1wbGVAZXhhbXBsZS5jb20+iJMEExYKADsWIQSU
  y3AjRzMoSLkbkYVGBaI7JOtnwwUCaUU9DQIbAQULCQgHAgIiAgYVCgkICwIEFgID
  AQIeBwIXgAAKCRBGBaI7JOtnw+ufAP9J4XgBPDM4XB3Cx7VITl6VXk1JJiSy5amE
  qUqXP6/HSwEA3mB8U1ACe0zlu6RmshdC0idFtzGScJakKxR6284QmAe4MwRpRT0N
  FgkrBgEEAdpHDwEBB0Dr16x6ScxV8EKh/zM5/kcIP2C2Yiy3yOKX6nI8r7Cihojv
  BBgWCgAgFiEElMtwI0czKEi5G5GFRgWiOyTrZ8MFAmlFPQ0CGwIAgQkQRgWiOyTr
  Z8N2IAQZFgoAHRYhBEcp2KsmzrSKWlrP6Tn5BDt9AgnwBQJpRT0NAAoJEDn5BDt9
  AgnwuLYBAKkptQnNkdGNd6y0CsC5eFABwVe9uzrzAS9nLNUnuNxDAP4z8WxteyIt
  xz7xj4HlcPVTwNIJDbA+ZhFc0dPI1b2TAB/aAP4uN2hKZAgGLp4WHikX67/QWwu7
  KlBb2Xs/a2OisB96ngEAyhmozIpcp2VRFj5zQzkbCWXTum3vmgXdmK3h8pDSGAQ=
  =UNL5
  -----END PGP PUBLIC KEY BLOCK-----
```

```yaml
subkeys:
  - pgpsigning-42e01797f5ff1526
```
| Query parameter | Type and description |
|---|---|
| fields | string. Retrieve only the requested fields from the resource. See section fields |
| where | string. Retrieve only items matching the given expression. See section where |
| site | string. Send the request to the specified site |
| content | string `<enumeration>`. Filter descendant nodes in the response |
| keys | string `<enumeration>`. Retrieve only the keys for the list |
| count | string `<enumeration>`. Retrieve only the number of elements in the list |
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
- name: import
  public-key: |
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIOtZk70H7MTVQOPOJFQPVzM0Kjc0B8wXj7OtrjtyBYVLoAoGCCqGSM49
    AwEHoUQDQgAEZWoYC3Xg7WF6W/TZ4CLfnXSUCgw2fJAJiX5+P4AjRqPY6onal8AK
    /7UP/xJLQR4E06m7IrfXAlQEwC99s1WwxQ==
    -----END EC PRIVATE KEY-----
  allow-plaintext-backup: false
  cipher: ecdsa-p256
  convergent-encryption: false
  deletion-allowed: false
  derived: false
  exportable: false
  openpgp-user-id: Admin <admin@telco.com>
  openpgp-key-usage:
    - sign
  openpgp-primary: pgp-signing
  default-encryption-version: 0
  min-decryption-version: 0
  min-encryption-version: 0
  latest-version: 1
  creation-time: 2022-01-12T17:42:06.266053Z
  distribute:
    to: inherit
  distribution-status:
    to: none
  supports-encryption: false
  supports-decryption: false
  supports-derivation: false
  supports-signing: false
  keys:
    - version: 1
      data: "1642009326266053"
      creation-time: 2022-01-12T17:42:06.266053Z
```
| Query parameter | Type and description |
|---|---|
| fields | string. Retrieve only the requested fields from the resource. See section fields |
| where | string. Retrieve only items matching the given expression. See section where |
| site | string. Send the request to the specified site |
| content | string `<enumeration>`. Filter descendant nodes in the response |
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
name: import
public-key: |
  -----BEGIN EC PRIVATE KEY-----
  MHcCAQEEIOtZk70H7MTVQOPOJFQPVzM0Kjc0B8wXj7OtrjtyBYVLoAoGCCqGSM49
  AwEHoUQDQgAEZWoYC3Xg7WF6W/TZ4CLfnXSUCgw2fJAJiX5+P4AjRqPY6onal8AK
  /7UP/xJLQR4E06m7IrfXAlQEwC99s1WwxQ==
  -----END EC PRIVATE KEY-----
allow-plaintext-backup: false
cipher: ecdsa-p256
convergent-encryption: false
deletion-allowed: false
derived: false
exportable: false
openpgp-user-id: Admin <admin@telco.com>
openpgp-key-usage:
  - sign
openpgp-primary: pgp-signing
default-encryption-version: 0
min-decryption-version: 0
min-encryption-version: 0
latest-version: 1
creation-time: 2022-01-12T17:42:06.266053Z
distribute:
  to: inherit
distribution-status:
  to: none
supports-encryption: false
supports-decryption: false
supports-derivation: false
supports-signing: false
keys:
  - version: 1
    data: "1642009326266053"
    creation-time: 2022-01-12T17:42:06.266053Z
```
Backs up the encryption key and its entire state.
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
key: <backup blob omitted>
```
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
offset: 0s
```

```yaml
rotated: true
min-encryption-version-updated: true
min-decryption-version-updated: true
default-encryption-version-updated: true
```
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
ciphertext: sbox:v1:6Ie5+/43eQE4QrABNIBTkVIMZKknVqq3k2JLOm0IWITji0JI
base64-encoded: true
key-version: 1
context: some context
additional-auth-data: my-db
```

```yaml
plaintext: Zm9vIGJhcgo=
```
Encrypts data using the named key. Additional auth data may be supplied; if it is, the same value must be supplied when decrypting.
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
plaintext: Zm9vIGJhcgo
base64-encoded: true
key-version: 1
context: some context
additional-auth-data: db
```

```yaml
ciphertext: sbox:v1:6Ie5+/43eQE4QrABNIBTkVIMZKknVqq3k2JLOm0IWITji0JI
```
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
version: all
format: pem
```

```yaml
keys:
  - version: 1
    value: |
      -----BEGIN RSA PRIVATE KEY-----
      MIIEowIBAAKCAQEArQWC8v6/1Y37a6NWGeIQcsZXxvEqDzCJmYI5RfO+qIVpdmAI
      UWMQ1O8Mr/t/2gCxRJ03rBAHl4R2/WyTW1lSnK/OdGgrraF5JaJc9IL5i0E0e59g
      jrY+LpsQ9X91907t9dsw1FUkReQspaKf5dxRwtpy3SQbAM/bmXUJz8wSFPSCVgja
      Pq8no+0vBjBsk/QoH5FHnubkloCff+yVcDeUbal6YoyXRQ+AUGK6TiXsVtzWcFrv
      QRkwIOoWCsJ6Flk7L7g4JhA9HaL8FTJyZdiixTK4IP+yR3v9y8fOplC2uCY9rynf
      abAPpAurP9tNkx9qCPVZNobKYWB+cTjk1MR8gwIDAQABAoIBAF6dSvSSdljToY9E
      7IqO4qvA5rM1oehYhIZbffJQzgvdmMRQ03ueDtBCQM/jWhDenBGHX7BJu70RhPgk
      bZhgihqA0Qc7B9eVG2iHFwnmrYuHBqorh2PDKNHXnjiBkQLCOMJfMJ6MSJ+nnPqe
      qY3LIzLIvlNLsTCKee264LivQZwPCvOCdGOaUb4bzLZWcStJVY4P5zWzBheOuTKo
      WOWwGKzmNk+nLQAL6UZF0bI+63CLIvX9kAfUMAcPb3y+QZtd781fT7rCk76CJ1kO
      JHHzksNHXhWVAmPBBz0MNLM5Zx3Z4DU2I97tQUoGKeR2Kqzb6jvdT5nrLTVUYpCZ
      Yd6S4kECgYEA2u7O6aOTTHrjx5wK1G1VqdFtp5OtQhOfv60w+eqjNTtDhIs4OWU3
      O+3u5tS3FkvqMEHNcKcvaPOsXK2IUj52bMNkzT68qS59QFiEuW0OLtKMKSgosGhq
      L2goPhlRrqGlYQ2F15bFaEHGwBFVbPtuEYt6p1IfkYRgVwUehac/+LMCgYEAylDF
      rU0+BRLpArVB0FAlewm17JuspIkonaNgVYvUeQxgIxZk1ZnVmbPKwny6jo6Qu6HT
      q3NwJMmNvSnBNBqUIu7L7kSAO+Du3CFUqfwP86J1obkzLyAmFgHDwRJjfe2qWXWM
      0lAzhx2kBksGLSWKEHHhwvhXdL+sXUaAVM5dNPECgYBIfo0rVkvfJk4oeaYoYy/b
      dIqv07mqSJ88NBgkmSqD5OTdjdAHSVm50XarHsKlcmvQoOlrJSEQyqdHZPrf6OkD
      6MuHHwAPsWIuHWGNmOv6WyOoOTEIAPswSXgR4AZpIgOGGJk6IyWo+Sbb0KGN3c+7
      pYjuwMXNRJ02E27g6NnI+wKBgFaKAFRl4u6GrTbkU3eIoM+lUrUXzdw/cyki1jUh
      b8wrd//qN02K1Ow/FK7mbWJHJy+rRABli4Wg1Ukh0Cu6Zr0eigqsMHHsgB+W/kEL
      ucMMLeb0cilpRgFJ1fMDK52VCLXla0wW1EOqcRvkAYtUMF9iZyBf3ADrcA4h9wjP
      kNzxAoGBAMYxu7K1WFDj55M2rmrI3lp5yBxryPOP+UXTANsRwpkzMF5X0Y2DHvIq
      B5BSVxeQ7Cq1nIORHbm7IZv/c6ytAWw3Yj9lp1tBsAZlaRFDJ7YDEHQxaXzCHyc3
      L6MXNmys9zpSoaFBeCJ9fCp+Imthz3n+zbUcuf8+AYxE9aMw4Min
      -----END RSA PRIVATE KEY-----
```
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
version: 1
openpgp-user-id: Admin <admin@telco.com>
```

```yaml
keys:
  - version: 1
    keyblock: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      mDMEaUU9DRYJKwYBBAHaRw8BAQdAlGq13/0C9MaWZFqwbd58jsewb0X9tkJINcnV
      JfWpOiK0HUV4YW1wbGUgPGV4YW1wbGVAZXhhbXBsZS5jb20+iJMEExYKADsWIQSU
      y3AjRzMoSLkbkYVGBaI7JOtnwwUCaUU9DQIbAQULCQgHAgIiAgYVCgkICwIEFgID
      AQIeBwIXgAAKCRBGBaI7JOtnw+ufAP9J4XgBPDM4XB3Cx7VITl6VXk1JJiSy5amE
      qUqXP6/HSwEA3mB8U1ACe0zlu6RmshdC0idFtzGScJakKxR6284QmAe4MwRpRT0N
      FgkrBgEEAdpHDwEBB0Dr16x6ScxV8EKh/zM5/kcIP2C2Yiy3yOKX6nI8r7Cihojv
      BBgWCgAgFiEElMtwI0czKEi5G5GFRgWiOyTrZ8MFAmlFPQ0CGwIAgQkQRgWiOyTr
      Z8N2IAQZFgoAHRYhBEcp2KsmzrSKWlrP6Tn5BDt9AgnwBQJpRT0NAAoJEDn5BDt9
      AgnwuLYBAKkptQnNkdGNd6y0CsC5eFABwVe9uzrzAS9nLNUnuNxDAP4z8WxteyIt
      xz7xj4HlcPVTwNIJDbA+ZhFc0dPI1b2TAB/aAP4uN2hKZAgGLp4WHikX67/QWwu7
      KlBb2Xs/a2OisB96ngEAyhmozIpcp2VRFj5zQzkbCWXTum3vmgXdmK3h8pDSGAQ=
      =UNL5
      -----END PGP PUBLIC KEY BLOCK-----
```
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
bits: 256
type: plaintext
key-version: 1
context: some context
additional-auth-data: db
```

```yaml
ciphertext: sbox:v3:2+LwgU0wTxRDRVD6LkmbKUdU7xmMwuMVmQVhmPZg/sQ22egu67gv+eME9pUBEDQV00iGZHfwaFB8rm4q
plaintext: FijSLX2OZQyzdJt4N/10af4A4MGBYi/Uej8/Tjd5LIQ=
```
Calculate the HMAC with the given key.
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
plaintext: the quick brown fox
key-version: 1
context: some context
algorithm: sha256
auto-setup: true
base64-encoded: false
```

```yaml
hmac: sbox:hashed:v1:oSoTBSIbKvBZT6wpRQLqFHXhUYE5Cg2IErx0kOyaIQc=
```
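The HMAC operation above, combined with the `derived` parameter from the parameter table (one root key per version, with a per-context key derived from it so that callers must agree on the context), as an added example that is not Strongbox's implementation. The HKDF-SHA256 derivation, the VersionedHmacKey class, its method names and the key material are assumptions made for the example; only the `sbox:hashed:v<N>:<base64>` tag format is taken from the HMAC response on this page. It also shows why keeping old versions matters: a tag produced under version 1 still verifies after a rotation, and verification never reveals the key material.

```python
"""Context-derived key versions producing HMAC tags in the sbox:hashed:v<N>: format.

Added example, not Strongbox's implementation. The HKDF-SHA256 derivation,
the VersionedHmacKey class and the key material are assumptions; only the
"sbox:hashed:v<N>:<base64>" tag format comes from the page's HMAC example.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

TAG_RE = re.compile(r"^sbox:hashed:v(\d+):(.+)$")


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract with a zero salt, then expand)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class VersionedHmacKey:
    """A named key whose versions are never handed to callers, only used here.

    With derived=True the per-version root key is never used directly: each
    (version, context) pair gets its own HKDF-derived key, so callers that
    disagree on the context end up with different keys, as the parameter
    table describes for the `derived` setting.
    """

    def __init__(self, name: str, derived: bool = False,
                 initial_key: Optional[bytes] = None) -> None:
        self.name = name
        self.derived = derived
        # Version 1 is created with the key; a fixed initial_key keeps tests deterministic.
        self._versions: Dict[int, bytes] = {1: initial_key or os.urandom(32)}

    @property
    def latest_version(self) -> int:
        return max(self._versions)

    def rotate(self) -> int:
        """Add a fresh version; old versions stay available for verification."""
        self._versions[self.latest_version + 1] = os.urandom(32)
        return self.latest_version

    def _key_for(self, version: int, context: Optional[bytes]) -> bytes:
        root = self._versions[version]
        if not self.derived:
            return root
        if not context:
            raise ValueError("a derived key requires a context")
        # The info label is an assumption; it just domain-separates this use of the root key.
        return hkdf_sha256(root, b"strongbox-example-hmac|" + context)

    def compute(self, data: bytes, key_version: int = 0,
                context: Optional[bytes] = None) -> str:
        """HMAC-SHA256 the data; key-version 0 selects the latest version."""
        version = key_version or self.latest_version
        mac = hmac.new(self._key_for(version, context), data, hashlib.sha256).digest()
        return f"sbox:hashed:v{version}:" + base64.b64encode(mac).decode("ascii")

    def verify(self, data: bytes, tag: str, context: Optional[bytes] = None) -> bool:
        """Recompute under the version named in the tag and compare in constant time."""
        match = TAG_RE.match(tag)
        if not match or int(match.group(1)) not in self._versions:
            return False
        try:
            expected = hmac.new(self._key_for(int(match.group(1)), context),
                                data, hashlib.sha256).digest()
            given = base64.b64decode(match.group(2), validate=True)
        except ValueError:  # missing context for a derived key, or malformed base64
            return False
        return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    key = VersionedHmacKey("db-hmac", derived=True)
    tag = key.compute(b"the quick brown fox", context=b"some context")
    print(tag)
    print("verifies with same context:", key.verify(b"the quick brown fox", tag, context=b"some context"))
    print("verifies with other context:", key.verify(b"the quick brown fox", tag, context=b"other context"))
```

The version number travels inside the tag, so a verifier does not need to be told which version was used; it only needs that version to still exist, which is exactly what removing old versions (the trim operation further down this page) takes away.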
Responses:
- No Content
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
data: |
  -----BEGIN EC PRIVATE KEY-----
  MHcCAQEEIOtZk70H7MTVQOPOJFQPVzM0Kjc0B8wXj7OtrjtyBYVLoAoGCCqGSM49
  AwEHoUQDQgAEZWoYC3Xg7WF6W/TZ4CLfnXSUCgw2fJAJiX5+P4AjRqPY6onal8AK
  /7UP/xJLQR4E06m7IrfXAlQEwC99s1WwxQ==
  -----END EC PRIVATE KEY-----
```
Creates an OpenPGP detached signature.
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
text: Zm9vIGJhcgo=
base64-encoded: false
key-version: 1
hash-algorithm: sha256
armor: true
```

```yaml
signature: |
  -----BEGIN PGP SIGNATURE-----
  wnUEABYIAB0FAmlBXmoWIQQVzL4cLxwVM0MMZP50bcgukYIPUgAKCRB0bcgukYIP
  Um4lAQDV7rsSNEN/a9X91oLFeyv2HKpixzGl5IGxso1Iyj/AHwD/VKl2nitzJMxT
  G/jt/eJovK0XlkZRGtb6IPRYlO7N4wY=
  =J+zh
  -----END PGP SIGNATURE-----
```
Verifies an OpenPGP detached signature.
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
text: Zm9vIGJhcgo=
base64-encoded: false
signature: |
  -----BEGIN PGP SIGNATURE-----
  wnUEABYIAB0FAmlBXmoWIQQVzL4cLxwVM0MMZP50bcgukYIPUgAKCRB0bcgukYIP
  Um4lAQDV7rsSNEN/a9X91oLFeyv2HKpixzGl5IGxso1Iyj/AHwD/VKl2nitzJMxT
  G/jt/eJovK0XlkZRGtb6IPRYlO7N4wY=
  =J+zh
  -----END PGP SIGNATURE-----
key-version: 1
hash-algorithm: sha256
```

```yaml
valid: true
```
Restore key from backup.
Responses:
- No Content
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
key: <backup blob omitted>
```
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
ciphertext: sbox:v2:xAzeNi0PqX1dy1rNVCAPmDdZgbg16PPEkwO/0Qqtce1cjUQB
additional-auth-data: db
key-version: 1
```

```yaml
ciphertext: sbox:v3:4XZRmyckd4nG+7+zeOZtG8ThwwM1ieNEUcKaTZsm2QYpNviM
```
Rotates the transit key; a new version is created. Data encrypted with the old version can still be decrypted, and new data can still be encrypted with an old version, provided that version is specified explicitly.
Responses:
- No Content
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
text: Zm9vIGJhcgo=
base64-encoded: true
key-version: 1
hash-algorithm: sha256
```

```yaml
signature: sbox:v1:d4E3eAPI2T/li655H8n6ESikJlpZVRB370Qst7s1c+rEIH6HqPWwLcoAhWUThMlB9iYDF5hK8Q7r4F8rMy6KIeCXvWodglQ6eh0s8eYrQrFXeA7arZLBQ1dq4mVZJcfMF3UGZttjO8bkMVGriG+Na8at1MKyv3k48gaTHCO0cex+8xk58CN64aaArYpFcLQLSRituGUVyTqWSI2rmpY/pTSWb7VC/S7YQ+JHLnpvgVAL5Mh9o6JSMqvYPIaEKuQh/5MDtz4r8V+lEOuPhEBaYHzc4Opm4ZOYdziUL/5o2Z/vE8XG9DSJIypoR/7iVPJ08VMl5I/4grWkcemyLWtSPQ==
```
Removes previous versions of the key. Once removed, they cannot be recovered.
Responses:
- No Content
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
min-available-version: 2
```
Responses:
- OK
- Bad Request
- Unauthorized
- Forbidden
- Not Found
- Service Unavailable (strongbox sealed)
```yaml
text: Zm9vIGJhcgo=
base64-encoded: true
signature: sbox:v1:d4E3eAPI2T/li655H8n6ESikJlpZVRB370Qst7s1c+rEIH6HqPWwLcoAhWUThMlB9iYDF5hK8Q7r4F8rMy6KIeCXvWodglQ6eh0s8eYrQrFXeA7arZLBQ1dq4mVZJcfMF3UGZttjO8bkMVGriG+Na8at1MKyv3k48gaTHCO0cex+8xk58CN64aaArYpFcLQLSRituGUVyTqWSI2rmpY/pTSWb7VC/S7YQ+JHLnpvgVAL5Mh9o6JSMqvYPIaEKuQh/5MDtz4r8V+lEOuPhEBaYHzc4Opm4ZOYdziUL/5o2Z/vE8XG9DSJIypoR/7iVPJ08VMl5I/4grWkcemyLWtSPQ==
key-version: 1
hash-algorithm: sha256
```

```yaml
valid: true
```