
Vault

Secure development lifecycle by preventing private key material from ever being leaked into code and preventing the accidental hard-coding and exposure of secrets.


Quickstart

Pangea's Vault service lets your application safely store and use keys, tokens, and other secrets without ever directly accessing private key material or hard-coding sensitive data.

These steps are an overview of how to configure Vault for your application. For a complete set of step-by-step instructions, refer to our configuration guide.

  1. Navigate to the Pangea User Console.
  2. Sign up for Pangea. As part of the sign-up process, an Organization and initial token will be created.
  3. Configure the token for use with the Vault service. For more information, go to Get Started with Vault.
  4. Set any desired settings in the Vault Settings page.

Add Vault to your app

The steps below will walk you through the basics of integrating Vault with a Python app, including a completed code sample for getting started with generating a symmetric key, encrypting a message, then decrypting it. For a more in-depth explanation of the sample app, you can visit our Python SDK.

Set your environment variables

Before starting to code, it is necessary to export your token and domain variables to your project if you have not already added them to your .env file.

  1. Open up a bash terminal window.
  2. Type the following commands, replacing 'yourServiceDomain' and 'yourAccessToken' with your Domain and Default Token copied from the Vault page in the Pangea User Console.
export PANGEA_DOMAIN="yourServiceDomain"
export PANGEA_VAULT_TOKEN="yourAccessToken"

Writing the Vault code

In order to be ready to code, you must first install the Pangea SDK. Run one of the following commands in your project root directory based on your preferred choice of either Pip or Poetry.

Install SDK via Pip:

pip3 install pangea-sdk

or

Install SDK via Poetry:

poetry add pangea-sdk

  1. Next, import the Pangea libraries into your code.

import os
from secrets import token_hex

import pangea.exceptions as pe
from pangea.config import PangeaConfig
from pangea.services.vault.models.common import KeyPurpose
from pangea.services.vault.models.symmetric import SymmetricAlgorithm
from pangea.services.vault.vault import Vault
from pangea.utils import str2str_b64

  2. The following loads the client configuration while adding the token and domain from your environment variables so you can authenticate with Pangea. You can read more about how Pangea uses tokens on our Tokens page.

def main() -> None:
    token = os.getenv("PANGEA_VAULT_TOKEN")
    domain = os.getenv("PANGEA_DOMAIN")
    assert domain
    config = PangeaConfig(domain=domain)
    vault = Vault(token, config=config)

  3. Inside main(), define a name and generate the key to be used for the encryption. The remaining steps stay inside this try block.

    try:
        # Set a unique name.
        name = f"Python encrypt example {token_hex(8)}"

        # Create a symmetric key with the default parameters.
        create_response = vault.symmetric_generate(
            purpose=KeyPurpose.ENCRYPTION, algorithm=SymmetricAlgorithm.AES128_CFB, name=name
        )
        assert create_response.result
        key_id = create_response.result.id

  4. Encrypt your message, replacing 'messagetoencrypt' with your own desired value. Note that vault.encrypt expects the plaintext as a base64 string, which is what str2str_b64 produces.

        text = "messagetoencrypt"
        msg = str2str_b64(text)
        print(f"Encrypt text: {text}")
        encrypt_response = vault.encrypt(key_id, msg)
        assert encrypt_response.result
        cipher_text = encrypt_response.result.cipher_text
        print(f"Cipher text: {cipher_text}")

  5. Finally, decrypt the message, compare it with the base64 message you encrypted, and handle any API error raised by the calls above.

        print("Decrypting...")
        decrypt_response = vault.decrypt(key_id, cipher_text)
        assert decrypt_response.result
        plain_text = decrypt_response.result.plain_text

        if plain_text == msg:
            print("Text encrypted and decrypted successfully")
        else:
            print("Encrypted/decrypted message is not equal to original message")

    except pe.PangeaAPIException as e:
        print(f"Vault Request Error: {e.response.summary}")
        for err in e.errors:
            print(f"\t{err.detail} \n")

Completed code

The code sample below is a usable, copy & paste resource for this application that will work on its own. For best results, be sure to edit placeholder data in the request with your desired values, such as messagetoencrypt.

import os
from secrets import token_hex

import pangea.exceptions as pe
from pangea.config import PangeaConfig
from pangea.services.vault.models.common import KeyPurpose
from pangea.services.vault.models.symmetric import SymmetricAlgorithm
from pangea.services.vault.vault import Vault
from pangea.utils import str2str_b64


def main() -> None:
    token = os.getenv("PANGEA_VAULT_TOKEN")
    domain = os.getenv("PANGEA_DOMAIN")
    assert domain
    config = PangeaConfig(domain=domain)
    vault = Vault(token, config=config)

    try:
        # Set a unique name.
        name = f"Python encrypt example {token_hex(8)}"

        # Create a symmetric key with the default parameters.
        create_response = vault.symmetric_generate(
            purpose=KeyPurpose.ENCRYPTION, algorithm=SymmetricAlgorithm.AES128_CFB, name=name
        )
        assert create_response.result
        key_id = create_response.result.id

        # Encrypt a message.
        text = "messagetoencrypt"
        msg = str2str_b64(text)
        print(f"Encrypt text: {text}")
        encrypt_response = vault.encrypt(key_id, msg)
        assert encrypt_response.result
        cipher_text = encrypt_response.result.cipher_text
        print(f"Cipher text: {cipher_text}")

        # Decrypt the message to verify it is the same as the original message.
        print("Decrypting...")
        decrypt_response = vault.decrypt(key_id, cipher_text)
        assert decrypt_response.result
        plain_text = decrypt_response.result.plain_text

        if plain_text == msg:
            print("Text encrypted and decrypted successfully")
        else:
            print("Encrypted/decrypted message is not equal to original message")

    except pe.PangeaAPIException as e:
        print(f"Vault Request Error: {e.response.summary}")
        for err in e.errors:
            print(f"\t{err.detail} \n")


if __name__ == "__main__":
    main()
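As an added example (not code from Pangea's docs or SDK), the helpers below make the base64 contract of the flow above explicit, fail fast if either environment variable is missing without echoing the token, and run the same encrypt-then-decrypt round trip through a duck-typed client so the call shape can be exercised offline. The in-memory FakeVault, its XOR placeholder, the response attributes it mimics, and to_b64 matching str2str_b64 are all assumptions; the real SDK Vault object can be passed to roundtrip() in its place.

```python
import base64
import os
from types import SimpleNamespace
from typing import Mapping

def to_b64(text: str) -> str:
    """Assumed to match the SDK's str2str_b64: UTF-8 bytes, standard base64, ASCII text."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def from_b64(value: str) -> str:
    """Reverse of to_b64; validate=True rejects stray non-base64 characters instead of ignoring them."""
    return base64.b64decode(value, validate=True).decode("utf-8")

def load_vault_settings(env: Mapping[str, str] = os.environ) -> tuple[str, str]:
    """Return (domain, token), raising if either is unset; the token value itself is never printed."""
    missing = [k for k in ("PANGEA_DOMAIN", "PANGEA_VAULT_TOKEN") if not env.get(k)]
    if missing:
        raise RuntimeError(f"missing environment variables: {', '.join(missing)}")
    return env["PANGEA_DOMAIN"], env["PANGEA_VAULT_TOKEN"]

def roundtrip(vault, key_id: str, text: str) -> str:
    """Encrypt then decrypt through any Vault-like client; the caller only ever holds key_id."""
    enc = vault.encrypt(key_id, to_b64(text))
    dec = vault.decrypt(key_id, enc.result.cipher_text)
    return from_b64(dec.result.plain_text)

class FakeVault:
    """Constructed offline stand-in with the same .result.cipher_text / .result.plain_text
    response shape as the SDK (assumed). Key bytes never leave this object.
    The XOR step is a placeholder for the service's AES, not encryption."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def symmetric_generate(self, name: str):
        key_id = f"pvi_{os.urandom(4).hex()}"  # constructed id format, not Pangea's
        self._keys[key_id] = os.urandom(32)
        return SimpleNamespace(result=SimpleNamespace(id=key_id, name=name))

    def _xor(self, key_id: str, data: bytes) -> bytes:
        key = self._keys[key_id]  # KeyError models a request for an unknown key id
        return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

    def encrypt(self, key_id: str, msg_b64: str):
        ct = self._xor(key_id, base64.b64decode(msg_b64, validate=True))
        return SimpleNamespace(result=SimpleNamespace(cipher_text=base64.b64encode(ct).decode()))

    def decrypt(self, key_id: str, cipher_b64: str):
        pt = self._xor(key_id, base64.b64decode(cipher_b64, validate=True))
        return SimpleNamespace(result=SimpleNamespace(plain_text=base64.b64encode(pt).decode()))
```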

Improving your app

This guide covers only the minimum steps required to start coding with our Vault service. Additional features can be added to this process, such as configuring rotation policies for keys and secrets to manage their life cycles. Read more about the capabilities on our Vault Overview page.

Pangea has based Vault on years of experience building compliant enterprise applications. This service helps to ensure that builders have the necessary tools to meet the security needs of their application’s users.

Next steps

  • Check out our Admin Guide if you have a specific task you would like to complete
  • If you are feeling confident, you can browse our APIs or explore our Github repo, which has libraries for supported languages, SDKs, sample apps, etc.
  • For any questions, you can connect with our Pangea Discourse for Builders or continue exploring our Vault documentation
