Transit Keys
Transit keys can be used to encrypt and decrypt data before it is transmitted or stored, without storing the encryption keys in the application or even exposing the key to the application.
However, if large amounts of data need to be processed it may be better to give the application temporary access to the key and let the application do the bulk processing. Storing and managing the key can still be done by Strongbox.
Setup a transit key
Set up a new symmetric transit key for encrypting customer data before sending it along.
supctl create strongbox transit-keys <<EOF
name: customer-data
cipher: aes256-gcm96
distribute:
to: all
EOF
Import a transit key
Import an existing key to sign data packages before dispatching.
First set up a transit key with the proper cipher type and other parameters.
supctl create strongbox transit-keys <<EOF
name: external-data
cipher: rsa-2048
distribute:
to: all
EOF
Then import the existing key. Note that only keys of the same type as the existing entry can be imported. The imported key will end up as a new key version; the original key will remain as version 1.
supctl do strongbox transit-keys external-data import --input - <<EOF
data: |
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
EOF
Export a transit key
It is only possible to export transit-keys that have the exportable property set to true. Once it has been set to true it cannot be changed.
Set the exportable property to true.
supctl merge strongbox transit-keys external-data <<EOF
exportable: true
EOF
Export the active key.
supctl do strongbox transit-keys external-data export --version latest
keys:
2: |
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
Encrypt and decrypt using a transit key
The encrypt endpoint can be used to encrypt some plain text with a named encryption key. The text must first be base64 encoded before being passed to the endpoint. We use some shell trickery to do this inline: $(echo "some sensitive data" | base64) will expand to the base64 encoded representation of the text "some sensitive data".
supctl do strongbox transit-keys external-data encrypt --plaintext $(echo "some sensitive data" | base64)
ciphertext: sbox:v2:bGODMhfoERkvK7b80b2Q6fYF0hbobgWRqhGc7qw1s+3IRboIjUAw3Wa7nqCFSBDQg90MS8FV2ozqbSZxR2bb2PoWnVr+3D32j/ZH0cGb0iuW8N/9U3dsGzm8IS9M2V3HMDieA7kE0S3RHZQVqE/b0+rBuHQS1fcpxKGHjFjCcUSvexYxUq+UAiNEki92/lV1Fj3UJXNUUEjc+j21E0TCJTZuybo8bC66w54vrNcPVeitp91oFTiq/cGQZ+8oN7MLABPeY2oepYM0rRTfCVN6+o5HtlNi7Nr6MkEiH0OFEdxf+D79R74WqPtALRC6+LLJzq19iZLOb9PG9loACaQqlw==
Using curl
TOKEN=$(curl -sk \
-X POST https://api.internal:4646/v1/approle-login \
-H "Content-Type: application/json" \
-d @- <<EOF | jq -r '.token'
{ "role-id": "324bc0bf-40c3-4aa5-bb58-360b830405ac",
"secret-id": "$APPROLE_SECRET_ID"
}
EOF
)
curl -sk -X POST "https://api.internal:4646/v1/state/strongbox/transit-keys/external-data/encrypt" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"plaintext\": \"$(echo -n 'some sensitive data' | base64)\"}"
Now, at the receiving end, the ciphertext can be decrypted using the decrypt endpoint.
supctl do strongbox transit-keys external-data decrypt
ciphertext: sbox:v2:bGODMhfoERkvK7b80b2Q6fYF0hbobgWRqhGc7qw1s+3IRboIjUAw3Wa7nqCFSBDQg90MS8FV2ozqbSZxR2bb2PoWnVr+3D32j/ZH0cGb0iuW8N/9U3dsGzm8IS9M2V3HMDieA7kE0S3RHZQVqE/b0+rBuHQS1fcpxKGHjFjCcUSvexYxUq+UAiNEki92/lV1Fj3UJXNUUEjc+j21E0TCJTZuybo8bC66w54vrNcPVeitp91oFTiq/cGQZ+8oN7MLABPeY2oepYM0rRTfCVN6+o5HtlNi7Nr6MkEiH0OFEdxf+D79R74WqPtALRC6+LLJzq19iZLOb9PG9loACaQqlw==
plaintext: c29tZSBzZW5zaXRpdmUgZGF0YQo=
and, put together with base64 decoding of the result:
supctl -j do strongbox transit-keys external-data decrypt --ciphertext sbox:v2:bGODMhfoERkvK7b80b2Q6fYF0hbobgWRqhGc7qw1s+3IRboIjUAw3Wa7nqCFSBDQg90MS8FV2ozqbSZxR2bb2PoWnVr+3D32j/ZH0cGb0iuW8N/9U3dsGzm8IS9M2V3HMDieA7kE0S3RHZQVqE/b0+rBuHQS1fcpxKGHjFjCcUSvexYxUq+UAiNEki92/lV1Fj3UJXNUUEjc+j21E0TCJTZuybo8bC66w54vrNcPVeitp91oFTiq/cGQZ+8oN7MLABPeY2oepYM0rRTfCVN6+o5HtlNi7Nr6MkEiH0OFEdxf+D79R74WqPtALRC6+LLJzq19iZLOb9PG9loACaQqlw== | jq -r .plaintext | base64 -d
some sensitive data
Using curl
# First authenticate to get a TOKEN
TOKEN=$(curl -sk \
-X POST https://api.internal:4646/v1/approle-login \
-H "Content-Type: application/json" \
-d @- <<EOF | jq -r '.token'
{ "role-id": "324bc0bf-40c3-4aa5-bb58-360b830405ac",
"secret-id": "$APPROLE_SECRET_ID"
}
EOF
)
curl -sk -X POST "https://api.internal:4646/v1/state/strongbox/transit-keys/external-data/decrypt" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"ciphertext": "sbox:v2:bGODMhfoERkvK7b80b2Q6fYF0hbobgWRqhGc7qw1s+3IRboIjUAw3Wa7nqCFSBDQg90MS8FV2ozqbSZxR2bb2PoWnVr+3D32j/ZH0cGb0iuW8N/9U3dsGzm8IS9M2V3HMDieA7kE0S3RHZQVqE/b0+rBuHQS1fcpxKGHjFjCcUSvexYxUq+UAiNEki92/lV1Fj3UJXNUUEjc+j21E0TCJTZuybo8bC66w54vrNcPVeitp91oFTiq/cGQZ+8oN7MLABPeY2oepYM0rRTfCVN6+o5HtlNi7Nr6MkEiH0OFEdxf+D79R74WqPtALRC6+LLJzq19iZLOb9PG9loACaQqlw=="
}'
Sign and verify using a transit key
Certain keys can be used for signing and verification. Keys with cipher type ed25519, rsa, and ecdsa can be used to sign and to verify a signature.
First set up a transit key of the right type.
supctl create strongbox transit-keys <<EOF
name: signer
cipher: rsa-2048
distribute:
to: all
EOF
To sign a document it first needs to be base64 encoded and then passed to the sign endpoint. We use some shell trickery to do the base64 encoding inline.
supctl do strongbox transit-keys signer sign --text $(echo "some sensitive data" | base64)
signature: sbox:v2:IUdqS07YcqUk4kpLA57CCERZjwTh6UJrI+RHDIWc3Bo13OVhVC4HwMUIFZNgsm8LBmL5d7AmIbRY2oCnBoLSfzpZrMWZ+jM9tSlNBqX4zZdbqYK0NO4L0VqTAV9bagK9UEYRBEsgbITPy4XmCLbR3OJoCf7/7yOCOm0wNVHtq8JURYpgIZ0DWPjWhOksmq45AD5Rpp6ryu92vRNTy4hToGCjP47fvUxdUU6wjOLAPvaXLNCH5GSsLgOvISJVoC9dY1J6zQtXmfQswjrdgyhw1+5UADSWjm2OiJfkupa5fHhdLNzJz8kA7EgJD++d0hUL+XN03yVjBOmT6jOW+FaKMw==
Using curl
# First login to get a token
TOKEN=$(curl -sk \
-X POST https://api.internal:4646/v1/approle-login \
-H "Content-Type: application/json" \
-d @- <<EOF | jq -r '.token'
{ "role-id": "324bc0bf-40c3-4aa5-bb58-360b830405ac",
"secret-id": "$APPROLE_SECRET_ID"
}
EOF
)
curl -sk -X POST "https://api.internal:4646/v1/state/strongbox/transit-keys/signer/sign" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "{ \"text\": \"$(echo -n 'some sensitive data' | base64)\" }"
The signature can be verified using the verify endpoint.
A signature generated by Strongbox can also be verified using OpenSSL: first base64 decode the signature with the sbox:v1: part removed and save it in a file data.sign.
Extract the public key and store it in the file key.pub.pem.
supctl -j show strongbox transit-keys signer | jq -r '.keys."1"' > key.pub.pem
Store the data in the file data and save the signature in the file data.sig.
echo -n "some sensitive data" > data
supctl -j do strongbox transit-keys signer sign --text $(base64 data) | jq -r .signature > data.sig
Now the signature can be verified both by Strongbox
supctl do strongbox transit-keys signer verify --text $(base64 data) --signature $(cat data.sig)
valid: true
Using curl
# First login to get a token
TOKEN=$(curl -sk \
-X POST https://api.internal:4646/v1/approle-login \
-H "Content-Type: application/json" \
-d @- <<EOF | jq -r '.token'
{ "role-id": "324bc0bf-40c3-4aa5-bb58-360b830405ac",
"secret-id": "$APPROLE_SECRET_ID"
}
EOF
)
curl -sk -X POST "https://api.internal:4646/v1/state/strongbox/transit-keys/signer/verify" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "{ \
\"text\": \"$(base64 data)\", \
\"signature\": \"$(cat data.sig)\" \
}"
and using OpenSSL
cat data.sig | sed 's/sbox:v1://g' | base64 -d > data.sig.bin
openssl dgst -verify key.pub.pem -keyform PEM -sha256 -signature data.sig.bin -binary data
Verified OK
A signature generated by, for example, OpenSSL can be verified by Strongbox. A transit key with the public key must first be set up.
openssl genrsa -out key.pem 4096
openssl rsa -in key.pem -pubout > key.pub.pem
Create a verification transit key with the above public key as the initial key. We use some shell trickery to include the file and convert newlines to \n.
supctl create strongbox transit-keys <<EOF
name: verifier
cipher: rsa-4096
public-key: "$(cat key.pub.pem | sed 's/$/\\n/g' | tr -d '\n')"
EOF
Create a signature using OpenSSL
openssl dgst -sign key.pem -keyform PEM -sha256 -out data.sign -binary data
The signature needs to be base64 encoded and the prefix sbox:v1: must be added at the start for Strongbox to understand which key version to use when verifying the signature.
echo -n "sbox:v1:" > data.sign.b64
base64 -w 0 data.sign >> data.sign.b64
Now verify the signature using Strongbox.
supctl do strongbox transit-keys verifier verify "$(base64 data)" "$(cat data.sign.b64)"
valid: true
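The two conversions above (strip the sbox:vN: prefix and base64 decode before openssl dgst -verify; base64 encode and prepend sbox:vN: before handing an OpenSSL signature to Strongbox) as a pair of reusable shell functions. This is an added example, not part of the original page or of supctl; the function names are our own, and the version-prefix layout is assumed from the sbox:v2: and sbox:hashed:v1: values shown on this page.

```shell
#!/bin/sh
# sbox_wrap VERSION FILE: read raw signature bytes from FILE and print the
# "sbox:v<VERSION>:<base64>" form on a single line (portable alternative to
# GNU `base64 -w 0`).
sbox_wrap() {
    printf 'sbox:v%s:%s\n' "$1" "$(base64 < "$2" | tr -d '\n')"
}

# sbox_version STRING: print the key version carried by a Strongbox
# ciphertext or signature ("sbox:v2:...") or HMAC ("sbox:hashed:v1:...").
# Returns 1 when STRING has no sbox prefix, so callers never base64-decode
# something that was not produced by Strongbox.
sbox_version() {
    case "$1" in
        sbox:v[0-9]*:*)        v=${1#sbox:v};        echo "${v%%:*}" ;;
        sbox:hashed:v[0-9]*:*) v=${1#sbox:hashed:v}; echo "${v%%:*}" ;;
        *) return 1 ;;
    esac
}

# sbox_unwrap STRING OUTFILE: strip the prefix and write the raw bytes to
# OUTFILE, ready for `openssl dgst -verify key.pub.pem -signature OUTFILE`.
# The payload is everything after the last colon; base64 never contains ':'.
sbox_unwrap() {
    sbox_version "$1" > /dev/null || return 1
    printf '%s' "${1##*:}" | base64 -d > "$2"
}
```

Typical use on this page's files: `sbox_wrap 1 data.sign > data.sign.b64` and `sbox_unwrap "$(cat data.sig)" data.sig.bin`; pick the public key version with `sbox_version "$(cat data.sig)"` before extracting it from supctl show.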
Calculate an HMAC using a transit key
Set up a transit key for hashing.
supctl create strongbox transit-keys <<EOF
name: hasher
cipher: aes256-gcm96
EOF
Calculate the HMAC using the above key.
supctl do strongbox transit-keys hasher hmac --no-base64-encoded
plaintext: the quick brown fox
hmac: sbox:hashed:v1:pqkKF+uHKf95YH6DZpibnbyNYIhP6olRXBX7kW0hrf=c
Using curl
curl -sk -X POST "https://api.internal:4646/v1/state/strongbox/transit-keys/hasher/hmac" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"plaintext": "the quick brown fox",
"base64-encoded": false
}'
Rotate a transit key
First create a transit key to use for encrypting internal communication data
supctl create strongbox transit-keys <<EOF
name: internal
distribute:
to: all
EOF
Initially it has one active key.
supctl show strongbox transit-keys internal
name: internal
allow-plaintext-backup: false
cipher: aes256-gcm96
convergent-encryption: true
deletion-allowed: true
derived: false
exportable: false
default-encryption-version: 0
min-decryption-version: 0
min-encryption-version: 0
latest-version: 1
creation-time: 2021-08-27T12:54:54.466481Z
distribute:
to: all
distribution-status:
to: all
supports-encryption: true
supports-decryption: true
supports-derivation: true
supports-signing: false
keys:
1: "1630068894466481"
After some use it may be time to rotate the key.
supctl do strongbox transit-keys internal rotate
Inspecting the new state we see that we now have a second key.
supctl -d .supctl-theater-operation show strongbox transit-keys internal
name: internal
allow-plaintext-backup: false
cipher: aes256-gcm96
convergent-encryption: true
deletion-allowed: true
derived: false
exportable: false
default-encryption-version: 0
min-decryption-version: 0
min-encryption-version: 0
latest-version: 2
creation-time: 2021-08-27T12:54:54.466481Z
distribute:
to: all
distribution-status:
to: all
supports-encryption: true
supports-decryption: true
supports-derivation: true
supports-signing: false
keys:
2: "1630068946811854"
1: "1630068894466481"
By default all new uses of the key will use the new key version for encryption, and we can enforce this by setting the min-encryption-version.
supctl merge strongbox transit-keys internal <<EOF
min-encryption-version: 2
EOF
Eventually all uses, and all data encrypted with the old key, have bled out of the system and we can set the min-decryption-version as well.
Rewrap data
It is also possible to rewrap data without decrypting it. The data will be re-encrypted with the new key version.
First we encrypt some data with the customer-data transit key that we configured above.
supctl do strongbox transit-keys customer-data encrypt --no-base64-encoded
plaintext: customer profile
ciphertext: sbox:v1:Bd04hEIaR0Oo26KTLpKaku+j/IgL01lpYtX09mWq5QXuManmdQIOn0wBYLA=
Over time the v1 key will be replaced by a new version. We rotate the customer-data key.
supctl do strongbox transit-keys customer-data rotate
Now all data that was encrypted using the v1 key should be re-encrypted with the new version. This can be done with the rewrap endpoint. This endpoint can be fairly unprivileged since it never exposes the plaintext.
supctl do strongbox transit-keys customer-data rewrap
ciphertext: sbox:v1:Bd04hEIaR0Oo26KTLpKaku+j/IgL01lpYtX09mWq5QXuManmdQIOn0wBYLA=
ciphertext: sbox:v2:OWnnIHE8wMnBV74smrx74/oyOqbWGU4BVx3L0ziG9tqYLG7oQj+pib+PuJQ=
The secret has now been encrypted with the new key. We can now decrypt the new ciphertext.
supctl do strongbox transit-keys customer-data decrypt --no-base64-encoded
ciphertext: sbox:v2:OWnnIHE8wMnBV74smrx74/oyOqbWGU4BVx3L0ziG9tqYLG7oQj+pib+PuJQ=
plaintext: customer profile
Trim a transit key
Over time, when a key has been rotated multiple times, it is time to remove the oldest keys. There is a trim endpoint for this purpose.
Suppose all our customer data has been re-wrapped with the new key. We can start by setting the min-encryption-version and min-decryption-version to the new key.
supctl merge strongbox transit-keys customer-data <<EOF
min-encryption-version: 2
min-decryption-version: 2
EOF
Then we can trim the key to version 2.
supctl do strongbox transit-keys customer-data trim 2
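Raising min-decryption-version and trimming only makes sense once nothing is still stored under the older key versions, so the rewrap step above is a prerequisite. The check below is an added example, not part of the original page or of supctl: it takes an inventory of stored Strongbox values (one per line; the sample is constructed from ciphertexts shown on this page) and refuses a target version while any value below it remains.

```shell
#!/bin/sh
# Constructed inventory: ciphertexts and an HMAC as an application would store
# them. In practice this list is exported from the application's own datastore.
SAMPLE_INVENTORY='sbox:v1:Bd04hEIaR0Oo26KTLpKaku+j/IgL01lpYtX09mWq5QXuManmdQIOn0wBYLA=
sbox:v2:OWnnIHE8wMnBV74smrx74/oyOqbWGU4BVx3L0ziG9tqYLG7oQj+pib+PuJQ=
sbox:hashed:v2:VxwOis9LSK+J7s8GZLFhmFL3TRG5y10zHGTbFKHYOlo='

# Print the key version of every sbox-prefixed line on stdin, one per line.
# Lines without the sbox:vN: / sbox:hashed:vN: prefix are ignored.
sbox_versions() {
    sed -n -e 's/^sbox:hashed:v\([0-9][0-9]*\):.*/\1/p' \
           -e 's/^sbox:v\([0-9][0-9]*\):.*/\1/p'
}

# sbox_version_histogram < inventory: "version count" pairs, lowest version
# first, so you can see how much data still needs rewrapping.
sbox_version_histogram() {
    sbox_versions | sort -n | uniq -c | awk '{ print $2, $1 }'
}

# sbox_below_target TARGET < inventory: number of stored values whose key
# version is lower than TARGET. These would become undecryptable once
# min-decryption-version is raised to TARGET and older versions are trimmed.
sbox_below_target() {
    sbox_versions | awk -v t="$1" '$1 < t { n++ } END { print n + 0 }'
}

# rotation_gate TARGET FILE: succeed only when every value in FILE is at or
# above TARGET; otherwise report the count and fail, so a deployment script
# can run this before `supctl merge ... min-decryption-version` and `trim`.
rotation_gate() {
    n=$(sbox_below_target "$1" < "$2")
    if [ "$n" -ne 0 ]; then
        echo "refusing: $n value(s) still below v$1; rewrap them first" >&2
        return 1
    fi
    echo "ok: all values at v$1 or newer"
}
```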
Backup and restore a transit key
In order to backup a key it must have the allow-plaintext-backup property set to true. Once set to true it cannot be changed back to false (to prevent un-noticed export of the key).
supctl merge strongbox transit-keys customer-data <<EOF
allow-plaintext-backup: true
EOF
Now it can be backed up.
supctl do strongbox transit-keys customer-data backup
key: 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
and restored under the same or a different name
supctl create strongbox transit-keys <<EOF
name: customer-data-2
EOF
supctl do strongbox transit-keys customer-data-2 restore --input - <<EOF
key: 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
EOF
Delete a transit key
Once a transit key is no longer in use, and no relevant data encrypted with the key remains, it can be deleted.
Before a key can be deleted we need to make sure it has the deletion-allowed property set to true. This property is by default set to false since accidental deletion would result in all encrypted data becoming unusable.
supctl merge strongbox transit-keys customer-data-2 <<EOF
deletion-allowed: true
EOF
Now it can be deleted.
supctl delete strongbox transit-keys customer-data-2
Generate a data key
A transit key can also be used for generating a data key of length 128, 256, or 512 bits. This is essentially a set of random bytes. The result is encrypted with the transit key it is generated from, but can additionally be returned in plaintext.
supctl do strongbox transit-keys customer-data generate-data-key --bits 256 --type plaintext
ciphertext: sbox:v2:4RjtQMC7zpKNSvqOHWTd4N+wFGbtVa2xOjtQ3LQ3zT+XhH6+4lmImv2/95E2RlytrF3yj2jufyJMO9d9
plaintext: yYcOagtExaY8lkVtZY2YiaZ3V92FUuevWGCS5AQL+90=
Calculate HMAC
A transit key can also be used to calculate an HMAC with the transit key as the base. The same input data will generate the same output.
supctl do strongbox transit-keys customer-data hmac --no-base64-encoded
plaintext: a quick brown fox
hmac: sbox:hashed:v2:VxwOis9LSK+J7s8GZLFhmFL3TRG5y10zHGTbFKHYOlo=
Generate random bytes
Similarly a random set of bytes can be generated in base64 or hex format.
supctl do strongbox crypto-functions random-bytes --format hex 16
bytes: bc40913ab0bdc6140ab7112c8ecb0ecb