Now, users can specify a transit key name in the KES config file. KES will use this key to en/decrypt its key values before storing them on the K/V backend.
However, this does, in general, not improve security since Vault encrypts all data stored on the K/V engine with internally managed keys. Users may specify a transit key if the want/have to control which key is used to encrypt the K/V data.
This commit adds support for encrypting K/V entries with a specific transit engine key.
Transit Engine
The transit engine is Hashicorp Vault's en/decryption engine. Among others, it allows to send a plaintext to an encrypt API endpoint and receive a ciphertext and vice versa. Ref: https://developer.hashicorp.com/vault/api-docs/secret/transit
Now, users can specify a transit key name in the KES config file. KES will use this key to en/decrypt its key values before storing them on the K/V backend. However, this does, in general, not improve security since Vault encrypts all data stored on the K/V engine with internally managed keys. Users may specify a transit key if the want/have to control which key is used to encrypt the K/V data.