Adding more description (#7841)

2026-05-05 12:26:34 +02:00 · 2019-11-11 10:01:31 -08:00 · 2019-11-11 10:01:31 -08:00 · 7dbcd98da6
commit 7dbcd98da6
parent c439a15f80
2 changed files with 43 additions and 23 deletions
--- a/website/source/api/secret/transit/index.html.md
+++ b/website/source/api/secret/transit/index.html.md
@ -381,11 +381,25 @@ will be returned.
  all nonces are unique for a given context.  Failing to do so will severely
  impact the ciphertext's security.

+**NOTE:** All plaintext data **must be base64-encoded**. The reason for this
+requirement is that Vault does not require that the plaintext is "text". It
+could be a binary file such as a PDF or image. The easiest safe transport
+mechanism for this data as part of a JSON payload is to base64-encode it.
+
 ### Sample Payload

+Fist, encode the plaintext with base64:
+
+```sh
+$ base64 <<< "the quick brown fox"
+dGhlIHF1aWNrIGJyb3duIGZveAo=
+```
+
+Use the base64-encoded plaintext in the payload:
+
 ```json
 {
-  "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="
+  "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo="
 }
 ```

@ -410,7 +424,7 @@ $ curl \
 ```json
 {
  "data": {
-    "ciphertext": "vault:v1:abcdefgh"
+    "ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
  }
 }
 ```
@ -749,14 +763,14 @@ be used.
    - `sha2-384`
    - `sha2-512`

- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of 
+- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of
  `input` or `batch_input` must be supplied.

 - `batch_input` `(array<object>: nil)` – Specifies a list of items for processing.
-  When this parameter is set, if the parameter 'input' is also set, it will be 
-  ignored.  Responses are returned in the 'batch_results' array component of the 
-  'data' element of the response. If the input data value of an item is invalid, the 
-  corresponding item in the 'batch_results' will have the key 'error' with a value 
+  When this parameter is set, if the parameter 'input' is also set, it will be
+  ignored.  Responses are returned in the 'batch_results' array component of the
+  'data' element of the response. If the input data value of an item is invalid, the
+  corresponding item in the 'batch_results' will have the key 'error' with a value
  describing the error. The format for batch_input is:

    ```json
@ -874,14 +888,14 @@ supports signing.
    - `sha2-384`
    - `sha2-512`

- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of 
+- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of
  `input` or `batch_input` must be supplied.

 - `batch_input` `(array<object>: nil)` – Specifies a list of items for processing.
-  When this parameter is set, any supplied 'input' or 'context' parameters will be 
-  ignored.  Responses are returned in the 'batch_results' array component of the 
-  'data' element of the response. If the input data value of an item is invalid, the 
-  corresponding item in the 'batch_results' will have the key 'error' with a value 
+  When this parameter is set, any supplied 'input' or 'context' parameters will be
+  ignored.  Responses are returned in the 'batch_results' array component of the
+  'data' element of the response. If the input data value of an item is invalid, the
+  corresponding item in the 'batch_results' will have the key 'error' with a value
  describing the error. The format for batch_input is:

    ```json
@ -955,7 +969,7 @@ $ curl \

 ### Sample Payload with batch_input

- Given an ed25519 key with derived keys set, the context parameter is expected for each batch_input item, and 
+ Given an ed25519 key with derived keys set, the context parameter is expected for each batch_input item, and
 the response will include the derived public key for each item.
 ```
 {
@ -1017,9 +1031,9 @@ data.
    - `sha2-384`
    - `sha2-512`

- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of 
+- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of
  `input` or `batch_input` must be supplied.
-  
+
 - `signature` `(string: "")` – Specifies the signature output from the
  `/transit/sign` function. Either this must be supplied or `hmac` must be
  supplied.
@ -1029,13 +1043,13 @@ data.
  supplied.

 - `batch_input` `(array<object>: nil)` – Specifies a list of items for processing.
-  When this parameter is set, any supplied 'input', 'hmac' or 'signature' parameters 
+  When this parameter is set, any supplied 'input', 'hmac' or 'signature' parameters
  will be ignored.  'batch_input' items should contain an 'input' parameter and
  either an 'hmac' or 'signature' parameter. All items in the batch must consistently
  supply either 'hmac' or 'signature' parameters.  It is an error for some items to
-  supply 'hmac' while others supply 'signature'. Responses are returned in the 
-  'batch_results' array component of the 'data' element of the response. If the 
-  input data value of an item is invalid, the corresponding item in the 'batch_results' 
+  supply 'hmac' while others supply 'signature'. Responses are returned in the
+  'batch_results' array component of the 'data' element of the response. If the
+  input data value of an item is invalid, the corresponding item in the 'batch_results'
  will have the key 'error' with a value describing the error. The format for batch_input is:

    ```json
--- a/website/source/docs/secrets/transit/index.html.md
+++ b/website/source/docs/secrets/transit/index.html.md
@ -134,6 +134,11 @@ the proper permission, it can use this secrets engine.

 1. Encrypt some plaintext data using the `/encrypt` endpoint with a named key:

+    **NOTE:** All plaintext data **must be base64-encoded**. The reason for this
+    requirement is that Vault does not require that the plaintext is "text". It
+    could be a binary file such as a PDF or image. The easiest safe transport
+    mechanism for this data as part of a JSON payload is to base64-encode it.
+
    ```text
    $ vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")

@ -142,10 +147,11 @@ the proper permission, it can use this secrets engine.
    ciphertext    vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
    ```

-    All plaintext data **must be base64-encoded**. The reason for this
-    requirement is that Vault does not require that the plaintext is "text". It
-    could be a binary file such as a PDF or image. The easiest safe transport
-    mechanism for this data as part of a JSON payload is to base64-encode it.
+    The returned ciphertext starts with `vault:v1:`. The first prefix (`vault`)
+    identifies that it has been wrapped by Vault. The `v1` indicates the key
+    version 1 was used to encrypt the plaintext; therefore, when you rotate
+    keys, Vault knows which version to use for decryption. The rest is a base64
+    concatenation of the initialization vector (IV) and ciphertext.

    Note that Vault does not _store_ any of this data. The caller is responsible
    for storing the encrypted ciphertext. When the caller wants the plaintext,