Is your feature request related to a problem? Please describe.
Vault's transit secret engine supports ecdsa key types but does not allow these keys to be used for ecdh key exchange. AWS KMS, for example, allows this functionality:
https://docs.aws.amazon.com/kms/latest/APIReference/API_DeriveSharedSecret.html
Describe the solution you'd like
Add a derive path for keys in the transit secrets engine allowing the caller to provide a public key and returning the shared secret.
Describe alternatives you've considered
The key can be made exportable and the ecdh operation performed outside of Vault; this is not ideal as it is less secure.
Additional context
Example implementation that could be the basis for a PR: sjones4@dbe03f2
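The following is an added illustration of what the requested derive operation computes; it is not code from this issue, from the linked sjones4 commit, or from Vault itself. It models the engine holding an ECDSA private key that never leaves the process while the caller submits only a PEM-encoded public key, and it uses Go's standard `crypto/ecdh` to perform the exchange with the same key material an ECDSA key type already stores. Function names, the curve-name strings and the error messages are assumptions chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// curveByName maps the curve names used in this example to Go curves. Only
// curves that crypto/ecdh supports are listed, so P-224 is deliberately absent.
func curveByName(name string) (elliptic.Curve, error) {
	switch name {
	case "P-256":
		return elliptic.P256(), nil
	case "P-384":
		return elliptic.P384(), nil
	case "P-521":
		return elliptic.P521(), nil
	}
	return nil, fmt.Errorf("unsupported curve %q", name)
}

// DeriveSharedSecret models the requested transit derive operation (hypothetical
// name, not a Vault API). The engine-held ECDSA private key stays in memory; the
// caller supplies only a PEM SubjectPublicKeyInfo public key, and the raw ECDH
// shared secret (the X coordinate of the resulting point) is returned.
func DeriveSharedSecret(vaultKey *ecdsa.PrivateKey, peerPEM []byte) ([]byte, error) {
	block, _ := pem.Decode(peerPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("peer key: expected a PEM PUBLIC KEY block")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("peer key: %w", err)
	}
	peerECDSA, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("peer key: not an EC public key")
	}
	// Converting to crypto/ecdh form validates that the point is on the curve;
	// the explicit curve comparison gives a clearer error than ECDH's own.
	priv, err := vaultKey.ECDH()
	if err != nil {
		return nil, fmt.Errorf("vault key: %w", err)
	}
	pub, err := peerECDSA.ECDH()
	if err != nil {
		return nil, fmt.Errorf("peer key: %w", err)
	}
	if priv.Curve() != pub.Curve() {
		return nil, errors.New("curve mismatch between vault key and peer key")
	}
	return priv.ECDH(pub)
}

// MarshalPublicPEM is what a caller would send to the derive endpoint: only the
// public half of its key pair, encoded as PEM SubjectPublicKeyInfo.
func MarshalPublicPEM(pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// ExchangeRoundTrip runs both halves of the exchange in one process to show the
// property the feature relies on: the engine-side and caller-side derivations
// agree while neither private key crosses the boundary. Keys are generated fresh.
func ExchangeRoundTrip(curveName string) (vaultSide, callerSide []byte, err error) {
	curve, err := curveByName(curveName)
	if err != nil {
		return nil, nil, err
	}
	vaultKey, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	callerKey, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	vaultPubPEM, err := MarshalPublicPEM(&vaultKey.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	callerPubPEM, err := MarshalPublicPEM(&callerKey.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	if vaultSide, err = DeriveSharedSecret(vaultKey, callerPubPEM); err != nil {
		return nil, nil, err
	}
	callerSide, err = DeriveSharedSecret(callerKey, vaultPubPEM)
	return vaultSide, callerSide, err
}

// CrossCurveAttempt shows the failure mode a derive endpoint must reject: a
// caller presenting a public key on a different curve than the engine's key.
func CrossCurveAttempt(vaultCurve, peerCurve string) error {
	vc, err := curveByName(vaultCurve)
	if err != nil {
		return err
	}
	pc, err := curveByName(peerCurve)
	if err != nil {
		return err
	}
	vaultKey, _ := ecdsa.GenerateKey(vc, rand.Reader)
	peerKey, _ := ecdsa.GenerateKey(pc, rand.Reader)
	peerPEM, _ := MarshalPublicPEM(&peerKey.PublicKey)
	_, err = DeriveSharedSecret(vaultKey, peerPEM)
	return err
}

func main() {
	a, b, err := ExchangeRoundTrip("P-256")
	fmt.Println("engine side :", hex.EncodeToString(a))
	fmt.Println("caller side :", hex.EncodeToString(b), "err:", err)
	fmt.Println("cross-curve :", CrossCurveAttempt("P-256", "P-384"))
}
```

The value returned is the raw ECDH output, which is what the AWS API linked above also returns; in practice a consumer should run it through a KDF such as HKDF before using it as a symmetric key rather than using the X coordinate directly. Keeping the derivation inside the engine is exactly what makes it preferable to the exportable-key alternative: the caller only ever handles public keys and the derived secret.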