HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

You are viewing documentation for pre-release version v2.x (rc). View latest version.

transit envelope encrypt

Enterprise

Appropriate Vault Enterprise  license required

The transit envelope encrypt command uses Vault Transit to create envelope encryption keys that the command uses to encrypt files and streams of arbitrary size without transiting the plaintext to Vault. Encryption and happens on the caller's side.

The caller must have write permissions to the transit mount's datakeys and derivedkeys endpoints to generate DEK/EDK pairs.

$ vault transit envelope encrypt [flags] <key_path> <file_path_1> [<file_path_2> .. <file_path_N>]

Command arguments

  • key_path (string : "") - Path to the transit key for DEK/EDK generation. Must be in the form <mount>/keys/<key_name> where <mount> is the path to the Transit mount without namespaces and <key_name> is the target key.

  • file_path (string : "") The path to a file to encrypt, or - to encrypt input from stdin. You cannot use a second file path when encrypting from stdin. By default, Vault writes the encrypted file to the provided location with --suffix appended.

Command options

None.

Command flags

  • --quiet (bool: false) - Display no output unless there is an error.

  • --output (string: "") - Write the encrypted information to the provided file path instead of the default location. You cannot use --output when decrypting multiple input files in a single command. You cannot use --output with --suffix.

  • --suffix (string: ".vee") - Suffix to append to the output file names. You cannot use --suffix with --output.

  • --aad (string: "") - Additional authenticated data as a base64 encoded binary blob. You can provide the data inline or as a file reference (@filename). Vault adds the extra data to the authentication present in the output. Decryption fails if you set add during encryption and the provided aad value does not match the original add value.

  • --metadata (string: "") - Additional metadata in JSON format that Vault should add, unencrypted, to the file. Clients can retrieve metadata without decrypting and without direct access to the Transit key management endpoints. You can provide the data inline or as a file reference (@filename).

Example

Encrypt a multi-terabyte file using envelope encrypt:

$ vault transit envelope encrypt transit/keys/test-key really-big-file.zip
Edit this page on GitHub