
Overview

Transport keys enable clients to encrypt secret payloads before transmission, ensuring secrets never appear in plaintext on the network or in intermediary processes. The transport key is an RSA public key published by the Key Manager API. Clients encrypt their secret payload with this key before POSTing to the API — the Key Manager service uses its corresponding private key to unwrap the payload on the server side.
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.

How Transport Keys Work

Transport keys only protect secrets in transit. Stored secrets are encrypted using the secret store backend’s master key, not the transport key.

View the Transport Key

Get the current transport key
openstack secret transport key get
The output contains an RSA public key in PEM format. API clients use this to wrap (encrypt) their secret payload before submission.

Use a Transport Key in Secret Creation

Create secret with transport key wrapping
# Fetch the transport key reference (href) to send along with the secret
TRANSPORT_KEY_REF=$(openstack secret transport key get -c "Transport Key href" -f value)

# Encrypt the payload with the transport public key (PKCS#1 v1.5 padding).
# pkeyutl is the non-deprecated equivalent of rsautl in OpenSSL 3 and uses
# the same default padding; the <(...) process substitution requires bash.
WRAPPED_PAYLOAD=$(echo -n "S3cur3P@ss" | \
  openssl pkeyutl -encrypt -pubin -inkey <(openstack secret transport key get --payload) | \
  base64 -w 0)

# Submit the encrypted payload. A base64 content encoding is only accepted
# together with the application/octet-stream content type.
openstack secret store \
  --transport-key-ref "$TRANSPORT_KEY_REF" \
  --payload-content-type application/octet-stream \
  --payload-content-encoding base64 \
  --payload "$WRAPPED_PAYLOAD" \
  --name secure-credential
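The following script is an added example, not part of the Xloud documentation or the Key Manager tooling: it performs the same wrap step as the pipeline above against a locally generated RSA key pair that stands in for the published transport key, shows the corresponding unwrap the Key Manager performs server side, and rejects payloads that exceed what PKCS#1 v1.5 padding can carry. It assumes bash, OpenSSL and GNU base64 are installed.

```shell
#!/usr/bin/env bash
# Added example: transport-key wrapping round trip with a constructed key pair.
set -euo pipefail

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed stand-in for the transport key pair. In production only the
# public half is published by the API; the private half stays in the service.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORKDIR/transport.key" 2>/dev/null
openssl pkey -in "$WORKDIR/transport.key" -pubout -out "$WORKDIR/transport.pub"

# wrap_payload PUBKEY_PEM SECRET -> base64 ciphertext on stdout.
# PKCS#1 v1.5 padding (the openssl default, as in the page's pipeline) limits
# the plaintext to modulus_bytes - 11, so a 2048-bit key carries at most
# 245 bytes; longer secrets are refused instead of being silently truncated.
wrap_payload() {
  local pub=$1 secret=$2
  local bits max len
  bits=$(openssl pkey -pubin -in "$pub" -noout -text | sed -n 's/.*(\([0-9]*\) bit).*/\1/p')
  max=$((bits / 8 - 11))
  len=$(( $(printf '%s' "$secret" | wc -c) ))
  if [ "$len" -gt "$max" ]; then
    echo "payload too long for transport key: $len > $max bytes" >&2
    return 1
  fi
  printf '%s' "$secret" |
    openssl pkeyutl -encrypt -pubin -inkey "$pub" |
    base64 -w 0
}

# unwrap_payload PRIVKEY_PEM BASE64 -> plaintext, i.e. the server-side step
# the Key Manager performs with its private key after receiving the request.
unwrap_payload() {
  local priv=$1 wrapped=$2
  printf '%s' "$wrapped" | base64 -d |
    openssl pkeyutl -decrypt -inkey "$priv"
}

WRAPPED=$(wrap_payload "$WORKDIR/transport.pub" "S3cur3P@ss")
echo "wrapped payload: $WRAPPED"
echo "unwrapped on the service side: $(unwrap_payload "$WORKDIR/transport.key" "$WRAPPED")"
```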

Transport Key Rotation

Transport key rotation is managed through XDeploy service configuration. Rotating to a new RSA key pair takes four steps:

1. Generate a new RSA key pair

Generate a new RSA key pair for the transport key in the XDeploy Key Manager configuration.

2. Update Key Manager configuration

Update the Key Manager configuration to reference the new key pair.

3. Deploy the updated configuration

Deploy Key Manager configuration
xavs-ansible deploy -t barbican

4. Notify API clients

Notify API clients that use transport key wrapping to retrieve the new transport key from the API:

Fetch updated transport key
openstack secret transport key get
Existing secrets encrypted with the old transport key remain accessible — they are stored using the secret store backend encryption, not the transport key. Transport keys only protect secrets in transit during the creation request.

Next Steps

Backend Configuration

Configure the backend that stores encrypted secret payloads

Security

Full Key Manager security hardening guidelines

Secret Stores

Manage multiple secret store backends

Admin Troubleshooting

Diagnose transport key and backend connectivity issues