Key overview
Symmetric and asymmetric keys can both be stored in the Vault service. When a key is stored, the Vault service secures the private key material by performing cryptographic operations on the key. This prevents the key from being exposed outside of Vault.
Vault Keys support the following capabilities:
- Symmetric and asymmetric keys
- Pangea-generated keys
- Importing customer keys
- Manual rotation
- Automated rotation policies
- Versioning
- Cryptographic Operations
  - Encrypt/Decrypt
    - General encryption of text or binary data
    - Format Preserving Encryption (FPE)
    - Structured data encryption
  - Sign/Verify
  - Sign/Verify of JWTs
When a key is rotated, the replaced key is set to a destroyed state. Rotated keys have the same capabilities as the keys that they replace. Because keys are referenced by their IDs, developers do not need to update code when keys are rotated.