Skip to main content

Update ciphertext and metadata

patch
/api/pvlt/1.0/data/collections/{collection}/encrypt/objects

Returns ciphertext that includes property values from another ciphertext. Supports bulk operations.

This enables the creation of encrypted ciphertext without exposing encrypted property values to the user.

The returned ciphertext can have different encryption type, scope, properties, or property values to the source ciphertext. Any property values in the source ciphertext not updated in the request are preserved in the new ciphertext as long as they are included in props.

For example, if the source ciphertext contains first_name, last_name, and telephone_number and props specifies [first_name, last_name], then telephone_number isn't included in the new encrypted ciphertext.

The request must include the scope used to encrypt the source ciphertext.

If any request details are invalid, no ciphertexts are created.

The role performing this operation must have both of these:

  • The CapCryptoDecrypter and CapCryptoEncrypter capabilities.
  • At least one allowing policy and no denying policies for the decrypt and encrypt operations for each of the collection properties specified in the call.

See identity and access management for more information about how Vault uses capabilities to control access to operations and policies to control access to data.

Request

Path parameters

  • collection - string required*

    The name of a collection.

Query parameters

  • options - array of strings

    Options for the request.

    • archived - whether to update only archived encrypted objects. If not specified, update only active encrypted objects.
    Each string:
  • expiration_secs - string

    Encrypted object expiration time in seconds. If not set, the default expiration time is used. See the PVAULT_EXPIRATION_TOKENS variable.

  • adhoc_reason - string

    An ad-hoc reason for accessing the Vault data. Required when reason is set to Other.

  • reason - string required*

    Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false.

  • reload_cache - boolean

    Reloads the cache before the action.

Request body

Details of the update encrypted object request. The request includes the encrypted object to update and the property values to update the encrypted object with.

array of objects required*
Each object:
  • type - string

    The type of the encryption:

    • randomized - generates a different randomized unpredictable, non-repeating ciphertext each time.
    • deterministic - generates the ciphertext deterministically based on the collection name, input object, and scope. Defaults to randomized if not set.
  • encrypted_object - object required*

    An encrypted object.

    • ciphertext - string required*

      The encrypted object base64 cipher text.

    • scope - string

      The scope used to encrypt the object. By default, it uses the scope of the encrypted object.

  • fields - object required*

    A list of maps of object properties and their values.

    Example
    {
    "date_of_birth": "1993-02-22",
    "email": "patfar@example.com",
    "first_name": "Pat",
    "last_name": "Far",
    "phone_number": "+11011010101"
    }
  • props - array of strings

    The properties to include in the updated encrypted object.

    Each string:

    The name of a property.

  • scope - string

    A classification for the updated encrypted object that is added to the ciphertext as associated data (AAD). An object encrypted with a scope can be decrypted only with the same scope.

Example
[
{
"type": "randomized",
"encrypted_object": {
"ciphertext": "string",
"scope": "string"
},
"fields": {
"date_of_birth": "1993-02-22",
"email": "patfar@example.com",
"first_name": "Pat",
"last_name": "Far",
"phone_number": "+11011010101"
},
"props": [
"first_name"
],
"scope": "default"
}
]

Possible responses

The request is successful.

array of objects required*
Each object:
  • ciphertext - string required*

    The encrypted object is a base64 ciphertext of the request fields and built-in fields such as timestamps and expiration time. It does not include the ID field.

Example
[
{
"ciphertext": "string"
}
]

Try the API

Authorization

Path parameters

Query parameters

Request body

Navigate to the docs of your local Vault installation to try the API directly from there.

Code examples

Example