Skip to content

feat(kms-app): add vault-transit backend (direct + envelope modes)#19

Open
coderdan wants to merge 1 commit into
mainfrom
feat/vault-transit-backend
Open

feat(kms-app): add vault-transit backend (direct + envelope modes)#19
coderdan wants to merge 1 commit into
mainfrom
feat/vault-transit-backend

Conversation

@coderdan

@coderdan coderdan commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Adds a HashiCorp Vault Transit backend to the comparison harness, selected via ENCRYPTION_BACKEND=vault-transit. Supports the Vault comparison (CIP-3290) and fills the performance section of docs#34.

Modes

  • direct (default) — plaintext → Vault → ciphertext in one batched round-trip (Vault, unlike AWS KMS, has a batch API). VAULT_TRANSIT_DERIVED=true uses a per-record context for per-record keys. Catch: plaintext transits Vault.
  • envelope — Vault datakey + local AES-256-GCM, so plaintext stays client-side. VAULT_DATA_KEY_MAX_USES controls reuse. datakey has no batch (per-record keys = one round-trip per record on write), but reads unwrap all distinct keys in one batched decrypt — so scattered reads do not collapse to one call per record the way AWS KMS envelope does.

Verification

Smoke-tested end-to-end against Vault 1.20 dev across all four configs — round-trips correct, kmsCalls instrumentation verified:

Config enc kmsCalls dec kmsCalls
direct, shared key 1 1
direct, per-record (derived) 1 1
envelope, per-value 6 1
envelope, reuse(300) 1 1

Note

This branches off main (PR #18, the harness, is already merged). The in-region benchmark run that produces published numbers is tracked separately under CIP-3290.

Part of CIP-3290 (issue stays open until the doc, backend, and in-region run all land)

https://claude.ai/code/session_018ag38k33yzmVZhLkVx7CPQ

HashiCorp Vault Transit backend for the comparison harness, selected via
ENCRYPTION_BACKEND=vault-transit. Two modes:

- direct (default): plaintext -> Vault -> ciphertext in one batched round-trip
  (Vault, unlike AWS KMS, has a batch API). VAULT_TRANSIT_DERIVED=true uses a
  per-record context for per-record keys.
- envelope: Vault datakey + local AES-256-GCM, so plaintext stays client-side.
  VAULT_DATA_KEY_MAX_USES controls reuse. datakey has no batch (per-record keys
  = one round-trip per record on write), but reads unwrap all distinct keys in
  ONE batched decrypt -- so scattered reads don't collapse to one call per record
  the way AWS KMS envelope does.

Smoke-tested end-to-end against Vault 1.20 dev across all four configs
(round-trips correct; kmsCalls instrumentation verified).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant