Transit key actions (#2254)

* add supports_* for transit key reads * update transit docs with new supports_* fields
2025-08-12 01:27:01 +02:00 · 2017-01-11 10:05:06 -06:00 · 2017-01-11 10:05:06 -06:00 · 231f00dff2
commit 231f00dff2
parent 5ecfe3c477
2 changed files with 21 additions and 9 deletions
--- a/builtin/logical/transit/path_keys.go
+++ b/builtin/logical/transit/path_keys.go
@ -154,6 +154,10 @@ func (b *backend) pathPolicyRead(
 			"deletion_allowed":       p.DeletionAllowed,
 			"min_decryption_version": p.MinDecryptionVersion,
 			"latest_version":         p.LatestVersion,
+			"supports_encryption":    p.Type.EncryptionSupported(),
+			"supports_decryption":    p.Type.DecryptionSupported(),
+			"supports_signing":       p.Type.SigningSupported(),
+			"supports_derivation":    p.Type.DerivationSupported(),
 		},
 	}

--- a/website/source/docs/secrets/transit/index.html.md
+++ b/website/source/docs/secrets/transit/index.html.md
@ -86,13 +86,17 @@ the settings of the "foo" key by reading it:
 ```
 $ vault read transit/keys/foo
 Key                     Value
-type                    aes256-gcm96
 deletion_allowed      	false
 derived               	false
-keys                    map[1:1.459861712e+09]
+keys                  	map[1:1484070923]
 latest_version        	1
 min_decryption_version	1
 name                  	foo
+supports_decryption   	true
+supports_derivation   	true
+supports_encryption   	true
+supports_signing      	false
+type                  	aes256-gcm96
 ````

 Now, if we wanted to encrypt a piece of plain text, we use the encrypt
@ -153,7 +157,7 @@ only encrypt or decrypt using the named keys they need access to.
          <li>`aes256-gcm96`: AES-256 wrapped with GCM using a 12-byte nonce size (symmetric)</li>
          <li>`ecdsa-p256`: ECDSA using the P-256 elliptic curve (asymmetric)</li>
        </ul>
-        Defaults to `aes256-gcm`.
+        Defaults to `aes256-gcm96`.
      </li>
      <li>
        <span class="param">derived</span>
@ -220,7 +224,11 @@ only encrypt or decrypt using the named keys they need access to.
          "1": 1442851412
        },
        "min_decryption_version": 0,
-        "name": "foo"
+        "name": "foo",
+        "supports_encryption": true,
+        "supports_decryption": true,
+        "supports_derivation": true,
+        "supports_signing": false
      }
    }
    ```