- sm4_gcm96 is now supported: SM4-GCM with a 128-bit SM4 key and a 96-bit nonce. It supports encryption, decryption, key derivation, and convergent encryption.
- ecdsa-sm2 is also supported; this key type can be used for encryption/decryption and sign/verify.
- Build the plugin: open a command window, go to the vault-gmsm-plugin/scripts folder, and run build.bat
- Copy vault-gmsm-plugin.exe to your Vault plugin folder
- Start Vault
vault server -dev -dev-root-token-id=root -dev-plugin-dir=./plugins
- Set environment variables:
- set VAULT_ADDR=http://127.0.0.1:8200
- set VAULT_TOKEN=root
- Register the plugin
vault plugin register -sha256=0cc95756eda21c9f5d5a2aa272804a68eaa343ef5a6ad5463b3ed423f52eadcf secret vault-gmsm-plugin.exe
The hash value here comes from plugin.sha256sum.
- Enable the plugin
vault secrets enable -path=gmsm vault-gmsm-plugin.exe
- Create one test key
vault write -f gmsm/keys/mykey
- Use the key to encrypt
vault write gmsm/encrypt/mykey plaintext=bXkgc2VjcmV0IGRhdGE=
- Use the key to decrypt
vault write gmsm/decrypt/mykey ciphertext=vault:v1:UY653qxNcU5PZQT1QxRHHW7osP7B/jGMQgZZT2xvAnBb8yPoQuwwPrHH
- Rotate
vault write -f gmsm/keys/mykey/rotate
- Rewrap
vault write -f gmsm/rewrap/mykey ciphertext=vault:v1:UY653qxNcU5PZQT1QxRHHW7osP7B/jGMQgZZT2xvAnBb8yPoQuwwPrHH
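
The following Python sketch is an added example, not code from the plugin: it splits the ciphertext string used above into key version, nonce, encrypted body and tag, and flags ciphertexts that still need a rewrap after a rotate. It assumes mykey is a non-convergent sm4_gcm96 key, that the plugin keeps upstream Vault transit's layout (base64 of nonce, then GCM output ending in a 16-byte tag), and that the first rotate produces key version 2.

```python
import base64
import re
from typing import NamedTuple

# Values copied from the commands on this page.
PAGE_PLAINTEXT_B64 = "bXkgc2VjcmV0IGRhdGE="
PAGE_CIPHERTEXT = "vault:v1:UY653qxNcU5PZQT1QxRHHW7osP7B/jGMQgZZT2xvAnBb8yPoQuwwPrHH"

NONCE_LEN = 12  # 96-bit nonce, as stated for sm4_gcm96
TAG_LEN = 16    # assumption: default 128-bit GCM authentication tag

_CT_RE = re.compile(r"vault:v([1-9][0-9]*):([A-Za-z0-9+/]+={0,2})")


class ParsedCiphertext(NamedTuple):
    key_version: int
    nonce: bytes
    body: bytes  # encrypted payload, same length as the plaintext in GCM
    tag: bytes


def parse_ciphertext(ciphertext: str) -> ParsedCiphertext:
    """Split 'vault:v<N>:<base64>' into its parts; raise ValueError if malformed."""
    m = _CT_RE.fullmatch(ciphertext)
    if m is None:
        raise ValueError("expected vault:v<N>:<base64>")
    # binascii.Error (bad padding) is a ValueError subclass.
    raw = base64.b64decode(m.group(2), validate=True)
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext shorter than nonce + tag")
    return ParsedCiphertext(
        key_version=int(m.group(1)),
        nonce=raw[:NONCE_LEN],
        body=raw[NONCE_LEN:-TAG_LEN],
        tag=raw[-TAG_LEN:],
    )


def needs_rewrap(ciphertext: str, latest_version: int) -> bool:
    """True when the ciphertext was produced by an older key version."""
    return parse_ciphertext(ciphertext).key_version < latest_version


if __name__ == "__main__":
    p = parse_ciphertext(PAGE_CIPHERTEXT)
    print("key version:", p.key_version)
    print("nonce bytes:", len(p.nonce), "body bytes:", len(p.body), "tag bytes:", len(p.tag))
    print("needs rewrap after one rotate:", needs_rewrap(PAGE_CIPHERTEXT, 2))
```

The body length matching the decoded plaintext length is a quick consistency check on the assumed layout; it says nothing about whether the tag would verify.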