It is assumed the GPG backend is mounted at the /gpg path in Vault.
Since it is possible to mount secret backends at any location, please update your API calls accordingly.
- Create Key
- Read Key
- List Keys
- Delete Key
- Export Key
- Update Key Configuration
- Decrypt Data
- Sign Data
- Verify Signed Data
- Show Session Key
This endpoint creates a new named GPG key. If a GPG key already exists with this name, this endpoint will not overwrite it; it must be deleted first.
| Method | Path | Produces |
|---|---|---|
POST |
/gpg/keys/:name |
204 (empty body) |
-
name(string: <required>)– Specifies the name of the key to create. This is specified as part of the URL. -
generate(bool: true)– Specifies if a key should be generated by Vault or if a key is being passed from another service. -
real_name(string:"")– Specifies the real name of the identity associated with the GPG key to create. Must not contain any of "()<>\x00". Only used if generate is true. -
email(string:"")– Specifies the email of the identity associated with the GPG key to create. Must not contain any of "()<>\x00". Only used if generate is true. -
comment(string:"")– Specifies the comment of the identity associated with the GPG key to create. Must not contain any of "()<>\x00". Only used if generate is true. -
key(string: <required - if generate is false>)– Specifies the ASCII-armored GPG private key to use. Only used if generate is false. -
key_bits(int: 2048)– Specifies the number of bits of the generated GPG key to use. Only used if generate is true. -
exportable(bool: false)– Specifies if the raw key is exportable. -
transparency_log_address(string: "")– Specifies the Rekor transparency log address used to publish the signatures.
{
"real_name": "John Doe",
"email": "[email protected]",
"key_bits": 4096
}$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.example.com/v1/gpg/keys/my-key
{
"key": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nlQOYBFmZe5wBCACx8caRJ+M8mKCrS7FdJ5kTdjApbvsx3ccPwvAQhtT2pIYkU\/ec\n...\naUNPVQgd7AF+MIuana8p6KeAXGS3fpiF4vIM0VoeWfEiO9rzdG0ilm16E61r9A==\n=+776\n-----END PGP PRIVATE KEY BLOCK-----\n"
}$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.example.com/v1/gpg/keys/my-imported-key
This endpoint returns information about a named GPG key.
| Method | Path | Produces |
|---|---|---|
GET |
/gpg/keys/:name |
200 application/json |
name(string: <required>)– Specifies the name of the key to read. This is specified as part of the URL.
$ curl \
--header "X-Vault-Token: ..." \
https://vault.example.com/v1/gpg/keys/my-key
{
"data": {
"exportable": false,
"fingerprint": "b0b7e7ca0e4ba1a631d15196ef3331150a45bc4d",
"public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nxsBNBFmZ6QQBCAC5QSHMKe6M9S2G9REo3sJuDPX2lm4ZMULXCvwcVekPYyUFWYI8\n...\nnTruSryJ4xYCydiJ1xkTedrkVxhh7hJKHA==\n=4fdy\n-----END PGP PUBLIC KEY BLOCK-----"
}
}This endpoint returns a list of keys. Only the key names are returned.
| Method | Path | Produces |
|---|---|---|
LIST |
/gpg/keys |
200 application/json |
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://vault.example.com/v1/gpg/keys
{
"data": {
"keys": ["foo", "bar"]
}
}This endpoint deletes a named GPG key.
| Method | Path | Produces |
|---|---|---|
DELETE |
/gpg/keys/:name |
204 (empty body) |
name(string: <required>)– Specifies the name of the key to delete. This is specified as part of the URL.
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://vault.example.com/v1/gpg/keys/my-key
This endpoint returns the named GPG key ASCII-armored. The key must be exportable to support this operation.
| Method | Path | Produces |
|---|---|---|
GET |
/gpg/export/:name |
200 application/json |
name(string: <required>)– Specifies the name of the key to export. This is specified as part of the URL.
$ curl \
--header "X-Vault-Token: ..." \
https://vault.example.com/v1/gpg/export/my-key
{
"data": {
"name": "my-key",
"key": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nxcLYBFmZ7JwBCACxsatS8MKxvKpMspkl7ck4vvgZvijBu0sx7Z0+0QDAj8ej5gfK\n...\nYsnjj4QHSRbwJVs/WSIiAj39EyD+bQZDDDFqg62pUA==\n=j7B6\n-----END PGP PRIVATE KEY BLOCK-----"
}
}This endpoint allows tuning configuration values for a given key. (These values are returned during a read operation on the named key.)
| Method | Path | Produces |
|---|---|---|
POST |
/gpg/keys/:name/config |
204 (empty body) |
-
name(string: <required>)– Specifies the name of the key configure. -
transparency_log_address(string: "")– Specifies the Rekor transparency log address used to publish the signatures.
{
"transparency_log_address": "https://rekor.example.com"
}$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.example.com/v1/gpg/keys/my-key/config
This endpoint returns the signature of the given data using the named GPG key and the specified hash algorithm.
If the named GPG key has a defined Rekor transparency log address, the public key and signature will be published to it.
| Method | Path | Produces |
|---|---|---|
POST |
/gpg/sign/:name(/:algorithm) |
200 application/json |
-
name(string: <required>)– Specifies the name of the key to use for signing. This is specified as part of the URL. -
algorithm(string: "sha2-256")– Specifies the hash algorithm to use. This can also be specified as part of the URL. Valid algorithms are:sha2-224sha2-256sha2-384sha2-512
-
format(string: "base64")– Specifies the encoding format for the returned signature. Valid encoding format are:base64ascii-armor
-
input(string: <required>)– Specifies the base64 encoded input data.
{
"input": "QWxwYWNhCg=="
}$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.example.com/v1/gpg/sign/my-key/sha2-512
With a Rekor transparency log address:
{
"data": {
"signature": "wsBcBAABCgAQBQJZme+7CRBr/Ej4JtFtLAAA8QcIACLtMWlH5860njpQsJZDIzH3T4mz2397lsd9/hsFDAQXEimuLKWmNdJsTEWXKGx1fvW+r6LEPs8HOLdzOMz2tq6M0WvgzHeWOFdEYmCapUlS68m0GnSFHIAFkq2fMVFHdTTmiLNuZwd+meEPL48hUO8QoGZLhS9IO+xOIisJWP+YIfiZBhmqhz0nVX3CnIzDZWAeJCE9TFGPHjFVNHXKN/IA+pdY4ntU1VOxmKCDqtu6qOrFR3ZghJBrDpDqiMHYmnJZ2AGPDVPKoAorvrLkR7eXNX71yRcutqohqS+xt6nGak2OF7UKwgj5bjk1y44lROFi8aVW4LEX7Jmt+2qwWBg=",
"log_entry": {
"address": "https://rekor.example.com/api/v1/log/entries/d7b75df081cb91b28939cd54b51e767f18164096c86e8d6b0dc335cfeb92b638",
"uuid": "d7b75df081cb91b28939cd54b51e767f18164096c86e8d6b0dc335cfeb92b638"
}
}
}Without a Rekor transparency log address:
{
"data": {
"signature": "wsBcBAABCgAQBQJZme+7CRBr/Ej4JtFtLAAA8QcIACLtMWlH5860njpQsJZDIzH3T4mz2397lsd9/hsFDAQXEimuLKWmNdJsTEWXKGx1fvW+r6LEPs8HOLdzOMz2tq6M0WvgzHeWOFdEYmCapUlS68m0GnSFHIAFkq2fMVFHdTTmiLNuZwd+meEPL48hUO8QoGZLhS9IO+xOIisJWP+YIfiZBhmqhz0nVX3CnIzDZWAeJCE9TFGPHjFVNHXKN/IA+pdY4ntU1VOxmKCDqtu6qOrFR3ZghJBrDpDqiMHYmnJZ2AGPDVPKoAorvrLkR7eXNX71yRcutqohqS+xt6nGak2OF7UKwgj5bjk1y44lROFi8aVW4LEX7Jmt+2qwWBg=",
"log_entry": null
}
}This endpoint returns whether the provided signature is valid for the given data.
| Method | Path | Produces |
|---|---|---|
POST |
/gpg/verify/:name |
200 application/json |
-
name(string: <required>)– Specifies the name of the key to use for signing. This is specified as part of the URL. -
format(string: "base64")– Specifies the encoding format the signature uses. Valid encoding format are:base64ascii-armor
-
input(string: <required>)– Specifies the base64 encoded input data. -
signature(string: "")– Specifies the signature output from the/gpg/signfunction.
{
"input": "QWxwYWNhCg==",
"signature": "wsBcBAABCgAQBQJZme+7CRBr/Ej4JtFtLAAA8QcIACLtMWlH5860njpQsJZDIzH3T4mz2397lsd9/hsFDAQXEimuLKWmNdJsTEWXKGx1fvW+r6LEPs8HOLdzOMz2tq6M0WvgzHeWOFdEYmCapUlS68m0GnSFHIAFkq2fMVFHdTTmiLNuZwd+meEPL48hUO8QoGZLhS9IO+xOIisJWP+YIfiZBhmqhz0nVX3CnIzDZWAeJCE9TFGPHjFVNHXKN/IA+pdY4ntU1VOxmKCDqtu6qOrFR3ZghJBrDpDqiMHYmnJZ2AGPDVPKoAorvrLkR7eXNX71yRcutqohqS+xt6nGak2OF7UKwgj5bjk1y44lROFi8aVW4LEX7Jmt+2qwWBg="
}$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.example.com/v1/gpg/verify/my-key
{
"data": {
"valid": true
}
}This endpoint decrypts the provided ciphertext using the named GPG key.
| Method | Path | Produces |
|---|---|---|
POST |
/gpg/decrypt/:name |
200 application/json |
-
name(string: <required>)– Specifies the name of the key to decrypt against. This is specified as part of the URL. -
format(string: "base64")– Specifies the encoding format the ciphertext uses. Valid encoding format are:base64ascii-armor
-
ciphertext(string: <required>)– Specifies the ciphertext to decrypt. -
signer_key(string: "")– Specifies the GPG key ASCII-armored of the signer. If present, the ciphertext must be signed and the signature valid otherwise the decryption fail.
{
"format": "ascii-armor",
"ciphertext": "-----BEGIN PGP MESSAGE-----\n\nhQEMA923ECy\/uCBhAQf8DLagsnoLuM4AyKiTyvZ7uSQTkmOkwXwn1WWsxoKJkzdI\n...\ne8iwFg==\n=+yfj\n-----END PGP MESSAGE-----"
}$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.example.com/v1/gpg/decrypt/my-key
{
"data": {
"plaintext": "QWxwYWNhcwo="
}
}This endpoint decrypts and returns the session key of the provided ciphertext using the named GPG key.
| Method | Path | Produces |
|---|---|---|
POST |
/gpg/show-session-key/:name |
200 application/json |
-
name(string: <required>)– Specifies the name of the key to decrypt against. This is specified as part of the URL. -
format(string: "base64")– Specifies the encoding format the ciphertext uses. Valid encoding format are:base64ascii-armor
-
ciphertext(string: <required>)– Specifies the ciphertext to decrypt. -
signer_key(string: "")– Specifies the GPG key ASCII-armored of the signer. If present, the ciphertext must be signed and the signature valid otherwise the decryption fail.
{
"format": "ascii-armor",
"ciphertext": "-----BEGIN PGP MESSAGE-----\n\nhQEMA923ECy\/uCBhAQf8DLagsnoLuM4AyKiTyvZ7uSQTkmOkwXwn1WWsxoKJkzdI\n...\ne8iwFg==\n=+yfj\n-----END PGP MESSAGE-----"
}$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.example.com/v1/gpg/show-session-key/my-key
{
"data": {
"session_key": "9:720D9B92D50D4F7C404C8C412BEB73B47E0A2FA2E822C13201A79D5A2694F9F5"
}
}