From ccf359899bed66821f8973073439bfc707af84f8 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Thu, 26 Oct 2023 13:50:53 -0400 Subject: [PATCH] backport of commit 8c9929bed2e6691c49097816264eb966339062f0 (#23863) Co-authored-by: Steven Clark --- website/content/api-docs/secret/transit.mdx | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/website/content/api-docs/secret/transit.mdx b/website/content/api-docs/secret/transit.mdx index 2cf9b167e4..7b5d2775f1 100644 --- a/website/content/api-docs/secret/transit.mdx +++ b/website/content/api-docs/secret/transit.mdx 
@@ -1851,15 +1851,15 @@ $ curl \ }, ``` -## Managed keys +## Managed keys -~> **Note**: Managed keys are an Enterprise only feature. +Managed Keys can be used with the Transit Secrets Engine to perform cryptographic operations. Currently, +[Sign Data](#sign-data) and [Verify Signed Data](#verify-signed-data) are well-supported across all the managed key types. -Managed Keys can be used with the Transit Secrets Engine to perform cryptographic operations. Currently -[Sign Data](#sign-data) and [Verify Signed Data](#verify-signed-data) are well supported, and in certain -configurations, [Encrypt Data](#encrypt-data) and [Decrypt Data](#decrypt-data) are supported. +Only PKCS#11 managed keys support [Encrypt Data](#encrypt-data) and [Decrypt Data](#decrypt-data) operations at this time. We +are planning on adding support for AWS, GCP and Azure managed keys at a later time. -When a Transit key is created of type `managed_key`, Transit will lookup the key by name or ID, and will +When a Transit key is created of type `managed_key`, Transit will look up the key by name or ID, and will attempt to generate the key when key generation is allowed (as specified when the [Create/Update Managed Key](/vault/api-docs/system/managed-keys#create-update-managed-key) endpoint is called). Key generation is currently supported for cloud KMSes and for certain PKCS#11 mechanisms on HSMs. This is a best effort operation, so certain KMS/HSM/key configurations will require the key to exist @@ -1872,4 +1872,3 @@ Signing and verifying data with a Managed Key through Transit may require pre-ha can be informed that data is pre-hashed with the `prehashed` parameter of the [Sign Data](#sign-data) and [Verify Signed Data](#verify-signed-data) endpoints. -[sys-plugin-reload-backend]: /vault/api-docs/system/plugins-reload-backend#reload-plugins
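Review bot: the first hunk drops the `~> **Note**: Managed keys are an Enterprise only feature.` callout without replacing it, so the rewritten section no longer tells readers that Managed Keys require Vault Enterprise; if that restriction still applies, keep the callout (or a sentence stating it) above the first paragraph, since a reader on open-source Vault would otherwise expect `managed_key` type keys to work. Two smaller points in the same hunk: "well-supported" after the verb should be "well supported" (the hyphen is only used attributively), and the sentence "We are planning on adding support for AWS, GCP and Azure managed keys at a later time" is a roadmap statement that tends to go stale in reference docs; consider limiting the paragraph to what is supported today ("Only PKCS#11 managed keys support ... at this time").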
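Review bot: the second hunk removes the reference-style link definition `[sys-plugin-reload-backend]: /vault/api-docs/system/plugins-reload-backend#reload-plugins`; please confirm that no `[sys-plugin-reload-backend]` reference remains anywhere in `transit.mdx`, because a dangling reference renders as literal bracketed text rather than a link. If the definition is genuinely unused the removal is fine, but the commit message ("backport of commit ...") does not say so, so a short note in the PR description would help the next person who touches this file.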