Swarmauri Vault Transit Key Provider
Project description
Swarmauri Vault Transit Key Provider
HashiCorp Vault Transit engine integration for the Swarmauri key provider interface. Manage hardware-protected keys through Vault, expose public JWK(S) material, rotate versions, and consume Vault RNG and HKDF services without leaving Swarmauri.
Features
- Create and rotate symmetric (
aes256-gcm96) and asymmetric (rsa-3072,ecdsa-p256,ed25519) keys via Vault Transit. - Export public keys in JWK/JWKS form using the built-in
get_public_jwk/jwkshelpers. - Perform signing, verification, encryption, decryption, wrapping, and unwrapping through Vault's REST API.
- Generate cryptographically secure random bytes either from Vault's RNG or local entropy (configurable with
prefer_vault_rng). - Run HKDF derivations with SHA-256 to support envelope encryption or key diversification workflows.
Prerequisites
- Python 3.10 or newer.
- Running HashiCorp Vault instance with the Transit secrets engine enabled and a mount path you can access (default
transit). - Vault token with capabilities such as
transit/keys/*forread,create,update,delete, andtransit/random/*if you plan to use Vault RNG. - The
hvacclient library (installed automatically with this package) unless you inject a custom Vault client.
Installation
# pip
pip install swarmauri_keyprovider_vaulttransit
# poetry
poetry add swarmauri_keyprovider_vaulttransit
# uv (pyproject-based projects)
uv add swarmauri_keyprovider_vaulttransit
Quickstart: Create and Rotate a Signing Key
import asyncio
from swarmauri_core.key_providers.types import KeyAlg, KeySpec, ExportPolicy
from swarmauri_keyprovider_vaulttransit import VaultTransitKeyProvider
async def main() -> None:
provider = VaultTransitKeyProvider(
url="http://localhost:8200",
token="swarmauri-dev-token",
mount="transit",
verify=False,
)
spec = KeySpec(
alg=KeyAlg.ED25519,
export_policy=ExportPolicy.never_export_secret,
label="agents-signing",
)
key_ref = await provider.create_key(spec)
print("Created key", key_ref.kid, "version", key_ref.version)
jwk = await provider.get_public_jwk(key_ref.kid, key_ref.version)
print("Public JWK", jwk)
rotated = await provider.rotate_key(key_ref.kid)
print("Rotated to version", rotated.version)
jwks_payload = await provider.jwks()
print("JWKS contains", [entry["kid"] for entry in jwks_payload["keys"]])
if __name__ == "__main__":
asyncio.run(main())
Encrypt, Wrap, and Derive Keys
import asyncio
from swarmauri_keyprovider_vaulttransit import VaultTransitKeyProvider
async def encrypt_and_wrap() -> None:
provider = VaultTransitKeyProvider(
url="http://localhost:8200",
token="swarmauri-dev-token",
prefer_vault_rng=True,
)
plaintext = b"vault keeps my secrets"
aad = b"tenant::demo"
ciphertext = await provider.encrypt("aes-encryption", plaintext, associated_data=aad)
decrypted = await provider.decrypt("aes-encryption", ciphertext, associated_data=aad)
assert decrypted == plaintext
dek = await provider.random_bytes(32)
wrapped = await provider.wrap("rsa-wrap-key", dek)
unwrapped = await provider.unwrap("rsa-wrap-key", wrapped)
assert unwrapped == dek
derived = await provider.hkdf(
ikm=dek,
salt=b"vault-salt",
info=b"swarmauri/derivation",
length=32,
)
print("Derived key length", len(derived))
# asyncio.run(encrypt_and_wrap())
Configuration Reference
url– Vault server address (e.g.,https://vault.example.com:8200).token– Vault token or wrapped token with permissions for the Transit mount.mount– Transit engine mount path; defaults totransit.namespace– Optional Vault Enterprise namespace header.verify– TLS verification flag or CA bundle path.prefer_vault_rng– WhenTrue,random_bytesuses Vault's RNG; otherwise falls back toos.urandom.client– Provide a pre-configuredhvac.Clientif you manage authentication externally.
Want to help?
If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file swarmauri_keyprovider_vaulttransit-0.9.3.dev4.tar.gz.
File metadata
- Download URL: swarmauri_keyprovider_vaulttransit-0.9.3.dev4.tar.gz
- Upload date:
- Size: 11.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.3 {"installer":{"name":"uv","version":"0.10.3","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e7ef0208cf01860cd47f84d66ea5842ef9e832169154351e27af1318996f67e9
|
|
| MD5 |
bf8c843dc83a8e8e364f37e0774a5049
|
|
| BLAKE2b-256 |
e35b4adb06b13e5895b1efa6b61738a9c46933ddb312ed3964c5902bbf0141f5
|
File details
Details for the file swarmauri_keyprovider_vaulttransit-0.9.3.dev4-py3-none-any.whl.
File metadata
- Download URL: swarmauri_keyprovider_vaulttransit-0.9.3.dev4-py3-none-any.whl
- Upload date:
- Size: 12.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.3 {"installer":{"name":"uv","version":"0.10.3","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a2bfcf1a0ddc12e78273a971a89175bc543de6320f05ed42f3f659df4ecad2af
|
|
| MD5 |
9e1046b7bb3505dd7f70c6768308f66b
|
|
| BLAKE2b-256 |
e5422143ca36432f8dc94fd92f515bc469bac7c40f968251b34c9b41cdf699ae
|
