spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

VaultTransitOperations.decrypt method returns a strange string where the plaintext of the data key is expected. #686

Open kyupid opened 1 year ago

kyupid commented 1 year ago

Describe the bug

I'm using Spring Cloud Vault to test decryption through the Transit engine.

If I simply encrypt a string like "hello world" in the Transit engine and send the cipher text to VaultTransitOperations.decrypt, I can see hello world normally.

However, if I create a data key and put the received cipher text into VaultTransitOperations.decrypt and execute it, it responds with a strange string.

I don't know what else to do, so I'm reporting it here.

Sample

Test the cipher text received by encrypting "hello world" through the transit engine.


Test the cipher text received by generating a data key through the transit engine. The expected value is the plain text of the data key.

nbaars commented 1 year ago

@kyupid I'm assuming you are referring to https://developer.hashicorp.com/vault/api-docs/secret/transit#generate-data-key?

In that case, you receive plaintext and cipher text as a response from Vault. You can encrypt the data with that plain text key. You can store the cipher text version of the key with the data. Once you want to decrypt it, you ask Vault to decrypt the cipher text of the key to receive the plaintext version of the key. With this key, you can decrypt the data again.

The use case is when you want to encrypt a large amount of data, say 2Gb: you don't want to send it all to Vault to receive the cipher text. In that case, using a data key would work, where you only ask Vault for a key to be used to encrypt the data yourself (in code).
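The flow described above, written out as an added example (not code from the issue or from the Spring Cloud Vault project) against the Spring Vault `VaultTransitOperations` API: the stored data-key ciphertext is unwrapped with the `Ciphertext`/`Plaintext` overload of `decrypt`, so the result is treated as raw key bytes instead of text (the `String`-returning overload turns those random key bytes into a `String`, which is what shows up as the unreadable value in the report), and that key then decrypts the data locally with AES-GCM. The `VaultOperations` instance, the transit key name and the stored blob layout are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.core.VaultTransitOperations;
import org.springframework.vault.support.Ciphertext;
import org.springframework.vault.support.Plaintext;

public class EnvelopeDecryptExample {
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_BYTES = 12;

    // Step 1 (write path): dataKey is the Base64-decoded "plaintext" field of the
    // transit datakey response. Only the response's "ciphertext" is stored beside
    // the data; the plaintext key is discarded once the data is encrypted.
    static byte[] encryptLocally(byte[] dataKey, byte[] data) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(dataKey, "AES"),
                new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(data);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out; // assumed layout: iv || ciphertext+tag
    }

    // Step 2 (read path): ask Vault to unwrap the stored key ciphertext, then
    // decrypt the data locally. Only the small key blob ever goes to Vault.
    static String decryptWithVault(VaultOperations vault, String keyName,
                                   String keyCiphertext, byte[] stored) throws Exception {
        VaultTransitOperations transit = vault.opsForTransit();
        // A data key is random bytes, not text, so use the Plaintext-returning
        // overload. decrypt(String, String) renders those bytes as a String,
        // which is the unreadable value seen in the report.
        Plaintext unwrapped = transit.decrypt(keyName, Ciphertext.of(keyCiphertext));
        byte[] dataKey = unwrapped.getPlaintext();
        byte[] iv = Arrays.copyOfRange(stored, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(stored, IV_BYTES, stored.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(dataKey, "AES"),
                new GCMParameterSpec(GCM_TAG_BITS, iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }
}
```

If the data key must be shown to a person, Base64-encode `unwrapped.getPlaintext()` rather than calling the `String` overload, since the key bytes are not valid text.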