hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Make the prefix in the ciphertext format returned by transit engine be configurable #8600

Open shwuandwing opened 4 years ago

shwuandwing commented 4 years ago

Is your feature request related to a problem? Please describe.

The ciphertext format returned by the transit engine is of the format vault:v1:. We would like the "vault" prefix to be customizable on a per-key basis.

Like mycompany:v1:

From a discussion in the mailing list (https://discuss.hashicorp.com/t/what-is-the-vault-ciphertext-format-in-case-i-want-to-parse-it/3574), Jeff thought it was customizable, but in reality it is not.

Describe the solution you'd like

Add a property to each key (ciphertext_prefix), to make the prefix customizable. Note, given how the prefix works, it could be set once on key creation but not modified after that point.

Describe alternatives you've considered

Explain any additional use-cases

Useful in environments utilizing multiple KMS / encryption services (Vault + AWS KMS + GCP KMS + ...)

Additional context

None

tyrannosaurus-becks commented 4 years ago

Hi @shwuandwing, thanks for opening this issue.

Yes, I can confirm that the vault: prefix is not configurable. I can see that it's hard-coded at multiple points in this file.
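
An added illustration, not part of the issue thread and not Vault's own code: a client-side parser for the prefix:vN:base64 layout discussed above. It rejects any prefix other than the one the caller expects, which is the check a per-key prefix would feed in a multi-KMS environment. It assumes a standard-base64 payload and key versions starting at 1; the names `ParseTransit`, `TransitCiphertext` and `ErrFormat` are hypothetical.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// TransitCiphertext holds the three colon-separated fields of a
// transit-style ciphertext string: prefix, key version, payload.
type TransitCiphertext struct {
	Prefix     string // hard-coded to "vault" today, per the thread
	KeyVersion int    // the N in "vN" (assumed to start at 1)
	Payload    []byte // decoded body, treated as opaque bytes here
}

// ErrFormat is returned for anything that is not prefix:vN:base64.
var ErrFormat = errors.New("not a transit-style ciphertext")

// ParseTransit splits and validates s. wantPrefix is the prefix the caller
// expects; a blob carrying any other prefix is rejected so it is never
// handed to the wrong decryption backend.
func ParseTransit(s, wantPrefix string) (*TransitCiphertext, error) {
	parts := strings.SplitN(s, ":", 3)
	if len(parts) != 3 || parts[0] != wantPrefix {
		return nil, ErrFormat
	}
	if len(parts[1]) < 2 || parts[1][0] != 'v' {
		return nil, ErrFormat
	}
	// ParseUint refuses sign characters, so "v+1" and "v-1" fail here.
	ver, err := strconv.ParseUint(parts[1][1:], 10, 31)
	if err != nil || ver == 0 {
		return nil, ErrFormat
	}
	raw, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil || len(raw) == 0 {
		return nil, ErrFormat
	}
	return &TransitCiphertext{Prefix: parts[0], KeyVersion: int(ver), Payload: raw}, nil
}

func main() {
	// Constructed sample: placeholder bytes, not real ciphertext.
	s := "vault:v1:" + base64.StdEncoding.EncodeToString([]byte("placeholder"))
	ct, err := ParseTransit(s, "vault")
	fmt.Println(ct, err)
}
```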