Vault | Python SDK | Keys Endpoints

Keys Endpoints

Decrypt

Vault.decrypt(item_id, cipher_text, version, additional_data)

Decrypt a message using a key.

required parameters

item_id (str): The item ID.

cipher_text (str): A message encrypted by Vault (in base64).

optional parameters

version (int | None): The item version.

additional_data (str | None): User provided authentication data.

Response Object

A PangeaResponse where the decrypted message in base64 is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.decrypt(
    item_id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    cipher_text="lJkk0gCLux+Q+rPNqLPEYw==",
    version=1,
)

Decrypt structured

Vault.decrypt_structured(id, structured_data, filter, version, additional_data)

Decrypt parts of a JSON object.

required parameters

structured_data (TDict): Structured data for applying bulk operations.

optional parameters

id: The ID of the key to use.

filter: A filter expression.

version (int | None): The item version. Defaults to the current version.

additional_data (str | None): User provided authentication data.

Response Object

A PangeaResponse where the decrypted object is returned in the response.result field. Available response fields can be found in our API documentation.

data = {"field1": [1, 2, "kxcbC9E9IlgVaSCChPWUMgUC3ko=", "6FfI/LCzatLRLNAc8SuBK/TDnGxp"], "field2": "data2"}
response = vault.decrypt_structured(
    id="pvi_[...]",
    structured_data=data,
    filter="$.field1[2:4]"
)

Encrypt

Vault.encrypt(item_id, plain_text, version, additional_data)

Encrypt a message using a key.

required parameters

item_id (str): The item ID.

plain_text (str): A message to be encrypted (in base64).

optional parameters

version (int | None): The item version.

additional_data (str | None): User provided authentication data.

Response Object

A PangeaResponse where the encrypted message in base64 is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.encrypt(
    item_id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    plain_text="lJkk0gCLux+Q+rPNqLPEYw==",
    version=1,
)
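A round trip through the Encrypt and Decrypt calls above, as an added example that is not part of the SDK documentation: both calls exchange base64, so text has to be encoded before encryption and decoded after decryption. The result field names cipher_text and plain_text, the helper names, and the StubVault stand-in (which assumes decryption fails when additional_data differs) are assumptions made so the block runs offline.

```python
import base64
from types import SimpleNamespace


def encrypt_text(vault, item_id, text, aad=None):
    """Base64-encode UTF-8 text, encrypt it, return the base64 ciphertext."""
    plain_b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    resp = vault.encrypt(item_id, plain_b64, additional_data=aad)
    return resp.result.cipher_text  # assumed result field name


def decrypt_text(vault, item_id, cipher_b64, aad=None):
    """Decrypt, then strictly decode the base64 plaintext back to text."""
    resp = vault.decrypt(item_id, cipher_b64, additional_data=aad)
    raw = base64.b64decode(resp.result.plain_text, validate=True)  # assumed field
    return raw.decode("utf-8")


class StubVault:
    """Constructed offline stand-in: not the real service, no real encryption.
    Mimics only the contract: base64 in/out, additional_data must match."""

    def __init__(self):
        self._store = {}

    def encrypt(self, item_id, plain_text, *, version=None, additional_data=None):
        base64.b64decode(plain_text, validate=True)  # reject non-base64 input
        token = base64.b64encode(f"ct-{len(self._store)}".encode()).decode()
        self._store[token] = (item_id, plain_text, additional_data)
        return SimpleNamespace(result=SimpleNamespace(cipher_text=token))

    def decrypt(self, item_id, cipher_text, *, version=None, additional_data=None):
        owner, plain_b64, aad = self._store[cipher_text]
        if owner != item_id or aad != additional_data:
            raise ValueError("authentication failed")  # assumed AEAD-style behaviour
        return SimpleNamespace(result=SimpleNamespace(plain_text=plain_b64))


def demo():
    vault = StubVault()  # replace with a configured Vault client
    ct = encrypt_text(vault, "pvi_example", "héllo wörld", aad="tenant-42")
    text = decrypt_text(vault, "pvi_example", ct, aad="tenant-42")
    try:
        decrypt_text(vault, "pvi_example", ct, aad="tenant-99")
        rejected = False
    except ValueError:
        rejected = True
    return text, rejected
```

Store the additional_data value alongside the ciphertext or derive it from the record's context, since the same value must be supplied again at decryption.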

Encrypt structured

Vault.encrypt_structured(key_id, structured_data, filter_expr, version, additional_data)

Encrypt parts of a JSON object.

required parameters

key_id (str): The ID of the key to use.

structured_data (TDict): Structured data for applying bulk operations.

filter_expr (str): A filter expression.

optional parameters

version (int | None): The item version. Defaults to the current version.

additional_data (str | None): User provided authentication data.

Response Object

A PangeaResponse where the encrypted object is returned in the response.result field. Available response fields can be found in our API documentation.

data = {"field1": [1, 2, "true", "false"], "field2": "data2"}
response = vault.encrypt_structured(
    key_id="pvi_[...]",
    structured_data=data,
    filter_expr="$.field1[2:4]"
)

Generate key

Vault.generate_key(key_type, purpose, algorithm, name, folder, metadata, tags, rotation_frequency, rotation_state, disabled_at, exportable)

Generate a key.

required parameters

key_type (Literal[ItemType.ASYMMETRIC_KEY, ItemType.SYMMETRIC_KEY]): Key type.

purpose (SymmetricKeyPurpose | AsymmetricKeyPurpose): The purpose of this key.

algorithm (AsymmetricKeyAlgorithm | SymmetricKeyAlgorithm): The algorithm of the key.

optional parameters

name (str | None): The name of this item.

folder (str | None): The folder where this item is stored.

metadata (Metadata | None): User-provided metadata.

tags (Tags | None): A list of user-defined tags.

rotation_frequency (str | None): Period of time between item rotations.

rotation_state (RequestRotationState | None): State to which the previous version should transition upon rotation.

disabled_at (datetime.datetime | None): Timestamp indicating when the item will be disabled.

exportable (bool): Whether the key is exportable or not.

response = vault.generate_key(
    key_type=ItemType.SYMMETRIC_KEY,
    purpose=SymmetricKeyPurpose.FPE,
    algorithm=SymmetricKeyFpeAlgorithm.AES_FF3_1_256_BETA,
)

Rotate key

Vault.rotate_key(key_id, key_type, rotation_state, public_key, private_key, key)

Manually rotate an asymmetric or symmetric key.

required parameters

key_id (str): The ID of the key.

key_type (Literal[ItemType.ASYMMETRIC_KEY, ItemType.SYMMETRIC_KEY]): Key type.

optional parameters

rotation_state (RequestManualRotationState): State to which the previous version should transition upon rotation.

public_key (str | None): The public key (in PEM format).

private_key (str | None): The private key (in PEM format).

key (str | None): The key material.

response = vault.rotate_key("pvi_...", key_type=ItemType.SYMMETRIC_KEY)

Sign

Vault.sign(id, message, version)

Sign a message using a key.

required parameters

message (str): The message to be signed, in base64.

optional parameters

id: The item ID.

version (int | None): The item version.

Response Object

A PangeaResponse where the signature of the message in base64 is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.sign(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    message="lJkk0gCLux+Q+rPNqLPEYw==",
    version=1,
)

Store key

Vault.store_key(key_type, purpose, algorithm, public_key, private_key, key, name, folder, metadata, tags, rotation_frequency, rotation_state, disabled_at, exportable)

Import a key.

required parameters

key_type (Literal[ItemType.ASYMMETRIC_KEY, ItemType.SYMMETRIC_KEY]): Key type.

purpose (SymmetricKeyPurpose | AsymmetricKeyPurpose): The purpose of this key.

algorithm (AsymmetricKeySigningAlgorithm | AsymmetricKeyEncryptionAlgorithm | AsymmetricKeyJwtAlgorithm | AsymmetricKeyPkiAlgorithm | SymmetricKeyEncryptionAlgorithm | SymmetricKeyJwtAlgorithm | SymmetricKeyFpeAlgorithm): The algorithm of the key.

optional parameters

public_key (str | None): The public key (in PEM format).

private_key (str | None): The private key (in PEM format).

key (str | None): The key material.

name (str | None): The name of this item.

folder (str | None): The folder where this item is stored.

metadata (Metadata | None): User-provided metadata.

tags (Tags | None): A list of user-defined tags.

rotation_frequency (str | None): Period of time between item rotations.

rotation_state (RequestRotationState | None): State to which the previous version should transition upon rotation.

disabled_at (datetime.datetime | None): Timestamp indicating when the item will be disabled.

exportable (bool): Whether the key is exportable or not.

response = vault.store_key(
    key_type=ItemType.SYMMETRIC_KEY,
    purpose=SymmetricKeyPurpose.FPE,
    algorithm=SymmetricKeyFpeAlgorithm.AES_FF3_1_256_BETA,
)

Verify

Vault.verify(id, message, signature, version)

Verify a signature using a key.

required parameters

message (str): A message to be verified (in base64).

signature (str): The message signature (in base64).

optional parameters

id: The item ID.

version (int | None): The item version.

Response Object

A PangeaResponse where whether the signature is valid is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.verify(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    message="lJkk0gCLux+Q+rPNqLPEYw==",
    signature="FfWuT2Mq/+cxa7wIugfhzi7ktZxVf926idJNgBDCysF/knY9B7M6wxqHMMPDEBs86D8OsEGuED21y3J7IGOpCQ==",
    version=1,
)