Skip to main content

Encrypt

post
/api/pvlt/1.0/data/collections/{collection}/encrypt/objects

Creates ciphertext that includes the values of an object's properties. Supports bulk operations.

You can encrypt:

  1. Objects stored in Vault by providing their ID.
  2. Fields not stored in Vault by providing a map of their properties and property values. However, fields must conform to the collection schema specified in the request.
  3. Ciphertext. This enables you to create a ciphertext including a subset of another ciphertext's properties or with a different encryption type or scope. To update the property values, use the update encrypted operation.

💡 For brevity, this guide uses the term object to refer to the content being encrypted.

If any request details are invalid, none of the objects are encrypted.

You can generate ciphertext for the encrypted object with a random initialization vector (randomized) or based on the collection name, input object, and scope (deterministic).

Using props, you can request that the ciphertext include a subset of the collection schema's properties. However, if a property isn't present in the object or the property value is null, it is not included in the encrypted ciphertext. Also, if you want to include built-in properties, you must include them in props.

The role performing this operation must have both of these:

  • The CapCryptoEncrypter capability.
  • At least one allowing policy and no denying policies for the encrypt operation for each of the collection properties specified in the call.

See identity and access management for more information about how Vault uses capabilities to control access to operations and policies to control access to data.

Request

Path parameters

  • collection - string required*

    The name of a collection.

Query parameters

  • expiration_secs - string

    Encrypted object expiration time in seconds. If not set, the default expiration time is used. See the PVAULT_EXPIRATION_TOKENS variable. If set to an empty value, the encrypted will be marked to not expire.

  • adhoc_reason - string

    An ad-hoc reason for accessing the Vault data. Required when reason is set to Other.

  • reason - string required*

    Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false.

  • reload_cache - boolean

    Reloads the cache before the action.

Request body

Details of the encryption request.

array of objects required*
Each object:
  • type - string

    The type of the encryption:

    • randomized - generates a different randomized unpredictable, non-repeating ciphertext each time.
    • deterministic - generates the ciphertext deterministically based on the collection name, input object, and scope. Defaults to randomized if not set.
  • object - object required*

    The input object, defined as one and only one of the following properties.

    • id: the ID of an object.
    • fields: property values of an object.
    • encrypted: an encrypted object.
    • request_index: the index of the object in the request array.

    In stateless mode, id is not supported and either fields or encrypted must be supplied.

    • id - string

      The ID of an object.

    • fields - object

      A list of maps of object properties and their values.

      Example
      {
        "date_of_birth": "1993-02-22",
        "email": "patfar@example.com",
        "first_name": "Pat",
        "last_name": "Far",
        "phone_number": "+11011010101"
      }
    • encrypted - object

      An encrypted object.

      • ciphertext - string required*

        The encrypted object base64 cipher text.

      • scope - string

        The scope used to encrypt the object. By default, it uses the scope of the encrypted object.

    • request_index - integer

      The index of the object in the request array.

    Example
    {
      "fields": {
        "first_name": "John",
        "email": "patfar@example.com"
      }
    }
  • props - array of strings

    A list of the properties to include in the encrypted object. If not provided, all properties are included, including the built-in properties, but omitting the object ID.

    Each string:

    The name of a property.

  • scope - string

    A classification for the encrypted object that is added to the ciphertext as associated data (AAD). An object encrypted with a scope can be decrypted only with the same scope.

  • tags - array of strings

    Tags to attach to the metadata of the encrypted object. The maximum number of allowed tags is defined by the PVAULT_DB_MAX_TOKEN_TAGS environment variable (default 10). Tags are not supported for the deterministic encryption type.

    Each string:
Example
[
  {
    "object": {
      "fields": {
        "email": "john@work.com",
        "phone_number": "555-555-5555"
      }
    },
    "props": [
      "phone_number",
      "email"
    ]
  }
]

Possible responses

The request is successful.

array of objects required*
Each object:
  • ciphertext - string required*

    The encrypted object is a base64 ciphertext of the request fields and built-in fields such as timestamps and expiration time. It does not include the ID field.

Example
[
  {
    "ciphertext": "string"
  }
]

Try the API

Authorization

Path parameters

Query parameters

Request body

Navigate to the docs of your local Vault installation to try the API directly from there.

Code examples

Example