From 6b627517b367a9a0b6f78ba93271bdcc30bcd92e Mon Sep 17 00:00:00 2001
From: Vignesh Rao <svignesh1793@gmail.com>
Date: Thu, 19 Sep 2024 00:05:51 -0500
Subject: [PATCH] Add a new feature to enable transit protection

---
 .gitignore                  |   2 +-
 README.md                   |  18 +++--
 doc_gen/index.rst           |   5 ++
 docs/README.html            |  24 +++++--
 docs/README.md              |  18 +++--
 docs/_sources/README.md.txt |  18 +++--
 docs/_sources/index.rst.txt |   5 ++
 docs/genindex.html          |  51 ++++++++++-----
 docs/index.html             | 127 +++++++++++++++++++++++++++++++++---
 docs/objects.inv            | Bin 902 -> 959 bytes
 docs/py-modindex.html       |   5 ++
 docs/searchindex.js         |   2 +-
 vaultapi/main.py            |   5 +-
 vaultapi/models.py          |  16 +++--
 vaultapi/routes.py          |  14 ++--
 vaultapi/transit.py         |  80 +++++++++++++++++++++++
 vaultapi/util.py            |  27 ++++++++
 17 files changed, 360 insertions(+), 57 deletions(-)
 create mode 100644 vaultapi/transit.py

diff --git a/.gitignore b/.gitignore
index 72d5c48..b5119a4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,7 +6,7 @@ venv/
 __pycache__/
 
 build/
-PyNinja.egg-info/
+VaultAPI.egg-info/
 
 doc_gen/_*
 
diff --git a/README.md b/README.md
index 5052163..ae3559e 100644
--- a/README.md
+++ b/README.md
@@ -57,13 +57,23 @@ vaultapi start
 > _By default, `VaultAPI` will look for a `.env` file in the current working directory._
 </details>
 
-- **HOST** - Hostname for the API server.
-- **PORT** - Port number for the API server.
-- **WORKERS** - Number of workers for the uvicorn server.
+**Mandatory**
 - **APIKEY** - API Key for authentication.
 - **SECRET** - Secret access key to encode/decode the secrets in Datastore.
-- **DATABASE** - FilePath to store the secrets' database.
+
+**Optional (with defaults)**
+- **TRANSIT_KEY_LENGTH** - AES key length for transit encryption. Defaults to `32`
+- **DATABASE** - FilePath to store the secrets' database. Defaults to `secrets.db`
+- **HOST** - Hostname for the API server. Defaults to `0.0.0.0` [OR] `localhost`
+- **PORT** - Port number for the API server. Defaults to `9010`
+- **WORKERS** - Number of workers for the uvicorn server. Defaults to `1`
 - **RATE_LIMIT** - List of dictionaries with `max_requests` and `seconds` to apply as rate limit.
+Defaults to 5req/2s [AND] 10req/30s
+
+**Optional (without defaults)**
+- **LOG_CONFIG** - FilePath or dictionary of key-value pairs for log config.
+- **ALLOWED_ORIGINS** - Origins that are allowed to retrieve secrets.
+- **ALLOWED_IP_RANGE** - IP range that is allowed to retrieve secrets. _(eg: `10.112.8.10-210`)_
 
 <details>
 <summary>Auto generate a <code>SECRET</code> value</summary>
diff --git a/doc_gen/index.rst b/doc_gen/index.rst
index bf91e65..36ad598 100644
--- a/doc_gen/index.rst
+++ b/doc_gen/index.rst
@@ -76,6 +76,11 @@ Squire
 
 .. automodule:: vaultapi.squire
 
+Transmitter
+===========
+
+.. automodule:: vaultapi.transit
+
 Util
 ====
 
diff --git a/docs/README.html b/docs/README.html
index 19b4b00..b8da763 100644
--- a/docs/README.html
+++ b/docs/README.html
@@ -92,14 +92,26 @@ <h2>Environment Variables<a class="headerlink" href="#environment-variables" tit
 <summary><strong>Sourcing environment variables from an env file</strong></summary><blockquote>
 <div><p><em>By default, <code class="docutils literal notranslate"><span class="pre">VaultAPI</span></code> will look for a <code class="docutils literal notranslate"><span class="pre">.env</span></code> file in the current working directory.</em></p>
 </div></blockquote>
-</details><ul class="simple">
-<li><p><strong>HOST</strong> - Hostname for the API server.</p></li>
-<li><p><strong>PORT</strong> - Port number for the API server.</p></li>
-<li><p><strong>WORKERS</strong> - Number of workers for the uvicorn server.</p></li>
+</details><p><strong>Mandatory</strong></p>
+<ul class="simple">
 <li><p><strong>APIKEY</strong> - API Key for authentication.</p></li>
 <li><p><strong>SECRET</strong> - Secret access key to encode/decode the secrets in Datastore.</p></li>
-<li><p><strong>DATABASE</strong> - FilePath to store the secrets’ database.</p></li>
-<li><p><strong>RATE_LIMIT</strong> - List of dictionaries with <code class="docutils literal notranslate"><span class="pre">max_requests</span></code> and <code class="docutils literal notranslate"><span class="pre">seconds</span></code> to apply as rate limit.</p></li>
+</ul>
+<p><strong>Optional (with defaults)</strong></p>
+<ul class="simple">
+<li><p><strong>TRANSIT_KEY_LENGTH</strong> - AES key length for transit encryption. Defaults to <code class="docutils literal notranslate"><span class="pre">32</span></code></p></li>
+<li><p><strong>DATABASE</strong> - FilePath to store the secrets’ database. Defaults to <code class="docutils literal notranslate"><span class="pre">secrets.db</span></code></p></li>
+<li><p><strong>HOST</strong> - Hostname for the API server. Defaults to <code class="docutils literal notranslate"><span class="pre">0.0.0.0</span></code> [OR] <code class="docutils literal notranslate"><span class="pre">localhost</span></code></p></li>
+<li><p><strong>PORT</strong> - Port number for the API server. Defaults to <code class="docutils literal notranslate"><span class="pre">9010</span></code></p></li>
+<li><p><strong>WORKERS</strong> - Number of workers for the uvicorn server. Defaults to <code class="docutils literal notranslate"><span class="pre">1</span></code></p></li>
+<li><p><strong>RATE_LIMIT</strong> - List of dictionaries with <code class="docutils literal notranslate"><span class="pre">max_requests</span></code> and <code class="docutils literal notranslate"><span class="pre">seconds</span></code> to apply as rate limit.
+Defaults to 5req/2s [AND] 10req/30s</p></li>
+</ul>
+<p><strong>Optional (without defaults)</strong></p>
+<ul class="simple">
+<li><p><strong>LOG_CONFIG</strong> - FilePath or dictionary of key-value pairs for log config.</p></li>
+<li><p><strong>ALLOWED_ORIGINS</strong> - Origins that are allowed to retrieve secrets.</p></li>
+<li><p><strong>ALLOWED_IP_RANGE</strong> - IP range that is allowed to retrieve secrets. <em>(eg: <code class="docutils literal notranslate"><span class="pre">10.112.8.10-210</span></code>)</em></p></li>
 </ul>
 <details>
 <summary>Auto generate a <code>SECRET</code> value</summary><p>This value will be used to encrypt/decrypt the secrets stored in the database.</p>
diff --git a/docs/README.md b/docs/README.md
index 5052163..ae3559e 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -57,13 +57,23 @@ vaultapi start
 > _By default, `VaultAPI` will look for a `.env` file in the current working directory._
 </details>
 
-- **HOST** - Hostname for the API server.
-- **PORT** - Port number for the API server.
-- **WORKERS** - Number of workers for the uvicorn server.
+**Mandatory**
 - **APIKEY** - API Key for authentication.
 - **SECRET** - Secret access key to encode/decode the secrets in Datastore.
-- **DATABASE** - FilePath to store the secrets' database.
+
+**Optional (with defaults)**
+- **TRANSIT_KEY_LENGTH** - AES key length for transit encryption. Defaults to `32`
+- **DATABASE** - FilePath to store the secrets' database. Defaults to `secrets.db`
+- **HOST** - Hostname for the API server. Defaults to `0.0.0.0` [OR] `localhost`
+- **PORT** - Port number for the API server. Defaults to `9010`
+- **WORKERS** - Number of workers for the uvicorn server. Defaults to `1`
 - **RATE_LIMIT** - List of dictionaries with `max_requests` and `seconds` to apply as rate limit.
+Defaults to 5req/2s [AND] 10req/30s
+
+**Optional (without defaults)**
+- **LOG_CONFIG** - FilePath or dictionary of key-value pairs for log config.
+- **ALLOWED_ORIGINS** - Origins that are allowed to retrieve secrets.
+- **ALLOWED_IP_RANGE** - IP range that is allowed to retrieve secrets. _(eg: `10.112.8.10-210`)_
 
 <details>
 <summary>Auto generate a <code>SECRET</code> value</summary>
diff --git a/docs/_sources/README.md.txt b/docs/_sources/README.md.txt
index 5052163..ae3559e 100644
--- a/docs/_sources/README.md.txt
+++ b/docs/_sources/README.md.txt
@@ -57,13 +57,23 @@ vaultapi start
 > _By default, `VaultAPI` will look for a `.env` file in the current working directory._
 </details>
 
-- **HOST** - Hostname for the API server.
-- **PORT** - Port number for the API server.
-- **WORKERS** - Number of workers for the uvicorn server.
+**Mandatory**
 - **APIKEY** - API Key for authentication.
 - **SECRET** - Secret access key to encode/decode the secrets in Datastore.
-- **DATABASE** - FilePath to store the secrets' database.
+
+**Optional (with defaults)**
+- **TRANSIT_KEY_LENGTH** - AES key length for transit encryption. Defaults to `32`
+- **DATABASE** - FilePath to store the secrets' database. Defaults to `secrets.db`
+- **HOST** - Hostname for the API server. Defaults to `0.0.0.0` [OR] `localhost`
+- **PORT** - Port number for the API server. Defaults to `9010`
+- **WORKERS** - Number of workers for the uvicorn server. Defaults to `1`
 - **RATE_LIMIT** - List of dictionaries with `max_requests` and `seconds` to apply as rate limit.
+Defaults to 5req/2s [AND] 10req/30s
+
+**Optional (without defaults)**
+- **LOG_CONFIG** - FilePath or dictionary of key-value pairs for log config.
+- **ALLOWED_ORIGINS** - Origins that are allowed to retrieve secrets.
+- **ALLOWED_IP_RANGE** - IP range that is allowed to retrieve secrets. _(eg: `10.112.8.10-210`)_
 
 <details>
 <summary>Auto generate a <code>SECRET</code> value</summary>
diff --git a/docs/_sources/index.rst.txt b/docs/_sources/index.rst.txt
index bf91e65..36ad598 100644
--- a/docs/_sources/index.rst.txt
+++ b/docs/_sources/index.rst.txt
@@ -76,6 +76,11 @@ Squire
 
 .. automodule:: vaultapi.squire
 
+Transmitter
+===========
+
+.. automodule:: vaultapi.transit
+
 Util
 ====
 
diff --git a/docs/genindex.html b/docs/genindex.html
index 2607a22..ae9628b 100644
--- a/docs/genindex.html
+++ b/docs/genindex.html
@@ -73,6 +73,8 @@ <h2 id="_">_</h2>
 <h2 id="A">A</h2>
 <table style="width: 100%" class="indextable genindextable"><tr>
   <td style="width: 33%; vertical-align: top;"><ul>
+      <li><a href="index.html#vaultapi.models.Session.aes_key">aes_key (vaultapi.models.Session attribute)</a>
+</li>
       <li><a href="index.html#vaultapi.models.EnvConfig.allowed_ip_range">allowed_ip_range (vaultapi.models.EnvConfig attribute)</a>
 </li>
       <li><a href="index.html#vaultapi.models.EnvConfig.allowed_origins">allowed_origins (vaultapi.models.EnvConfig attribute)</a>
@@ -123,10 +125,12 @@ <h2 id="D">D</h2>
         <li><a href="index.html#vaultapi.models.EnvConfig.database">(vaultapi.models.EnvConfig attribute)</a>
 </li>
       </ul></li>
-      <li><a href="index.html#vaultapi.routes.delete_secret">delete_secret() (in module vaultapi.routes)</a>
+      <li><a href="index.html#vaultapi.transit.decrypt">decrypt() (in module vaultapi.transit)</a>
 </li>
   </ul></td>
   <td style="width: 33%; vertical-align: top;"><ul>
+      <li><a href="index.html#vaultapi.routes.delete_secret">delete_secret() (in module vaultapi.routes)</a>
+</li>
       <li><a href="index.html#vaultapi.payload.DeleteSecret">DeleteSecret (class in vaultapi.payload)</a>
 </li>
       <li><a href="index.html#vaultapi.routes.docs">docs() (in module vaultapi.routes)</a>
@@ -142,6 +146,8 @@ <h2 id="E">E</h2>
 <table style="width: 100%" class="indextable genindextable"><tr>
   <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.main.enable_cors">enable_cors() (in module vaultapi.main)</a>
+</li>
+      <li><a href="index.html#vaultapi.transit.encrypt">encrypt() (in module vaultapi.transit)</a>
 </li>
       <li><a href="index.html#vaultapi.models.env">env (in module vaultapi.models)</a>
 </li>
@@ -270,6 +276,8 @@ <h2 id="M">M</h2>
         <li><a href="index.html#module-vaultapi.routes">vaultapi.routes</a>
 </li>
         <li><a href="index.html#module-vaultapi.squire">vaultapi.squire</a>
+</li>
+        <li><a href="index.html#module-vaultapi.transit">vaultapi.transit</a>
 </li>
         <li><a href="index.html#module-vaultapi.util">vaultapi.util</a>
 </li>
@@ -279,16 +287,6 @@ <h2 id="M">M</h2>
 
 <h2 id="P">P</h2>
 <table style="width: 100%" class="indextable genindextable"><tr>
-  <td style="width: 33%; vertical-align: top;"><ul>
-      <li><a href="index.html#vaultapi.models.EnvConfig.parse_allowed_ip_range">parse_allowed_ip_range() (vaultapi.models.EnvConfig class method)</a>
-</li>
-      <li><a href="index.html#vaultapi.models.EnvConfig.parse_allowed_origins">parse_allowed_origins() (vaultapi.models.EnvConfig class method)</a>
-</li>
-      <li><a href="index.html#vaultapi.models.EnvConfig.parse_api_secret">parse_api_secret() (vaultapi.models.EnvConfig class method)</a>
-</li>
-      <li><a href="index.html#vaultapi.models.EnvConfig.parse_apikey">parse_apikey() (vaultapi.models.EnvConfig class method)</a>
-</li>
-  </ul></td>
   <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.models.EnvConfig.port">port (vaultapi.models.EnvConfig attribute)</a>
 </li>
@@ -298,6 +296,8 @@ <h2 id="P">P</h2>
         <li><a href="index.html#vaultapi.routes.put_secret">(in module vaultapi.routes)</a>
 </li>
       </ul></li>
+  </ul></td>
+  <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.routes.put_secrets">put_secrets() (in module vaultapi.routes)</a>
 </li>
       <li><a href="index.html#vaultapi.payload.PutSecret">PutSecret (class in vaultapi.payload)</a>
@@ -334,13 +334,15 @@ <h2 id="S">S</h2>
 </li>
       <li><a href="index.html#vaultapi.models.EnvConfig.secret">secret (vaultapi.models.EnvConfig attribute)</a>
 </li>
-  </ul></td>
-  <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.models.Session">Session (class in vaultapi.models)</a>
 </li>
+  </ul></td>
+  <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.models.Session.Config">Session.Config (class in vaultapi.models)</a>
 </li>
       <li><a href="index.html#vaultapi.main.start">start() (in module vaultapi.main)</a>
+</li>
+      <li><a href="index.html#vaultapi.transit.string_to_aes_key">string_to_aes_key() (in module vaultapi.transit)</a>
 </li>
   </ul></td>
 </tr></table>
@@ -350,8 +352,6 @@ <h2 id="T">T</h2>
   <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.database.table_exists">table_exists() (in module vaultapi.database)</a>
 </li>
-  </ul></td>
-  <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.payload.DeleteSecret.table_name">table_name (vaultapi.payload.DeleteSecret attribute)</a>
 
       <ul>
@@ -359,12 +359,26 @@ <h2 id="T">T</h2>
 </li>
       </ul></li>
   </ul></td>
+  <td style="width: 33%; vertical-align: top;"><ul>
+      <li><a href="index.html#vaultapi.util.transit_decrypt">transit_decrypt() (in module vaultapi.util)</a>
+</li>
+      <li><a href="index.html#vaultapi.models.EnvConfig.transit_key_length">transit_key_length (vaultapi.models.EnvConfig attribute)</a>
+</li>
+  </ul></td>
 </tr></table>
 
 <h2 id="V">V</h2>
 <table style="width: 100%" class="indextable genindextable"><tr>
   <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.auth.validate">validate() (in module vaultapi.auth)</a>
+</li>
+      <li><a href="index.html#vaultapi.models.EnvConfig.validate_allowed_ip_range">validate_allowed_ip_range() (vaultapi.models.EnvConfig class method)</a>
+</li>
+      <li><a href="index.html#vaultapi.models.EnvConfig.validate_allowed_origins">validate_allowed_origins() (vaultapi.models.EnvConfig class method)</a>
+</li>
+      <li><a href="index.html#vaultapi.models.EnvConfig.validate_api_secret">validate_api_secret() (vaultapi.models.EnvConfig class method)</a>
+</li>
+      <li><a href="index.html#vaultapi.models.EnvConfig.validate_apikey">validate_apikey() (vaultapi.models.EnvConfig class method)</a>
 </li>
       <li><a href="index.html#vaultapi.payload.PutSecret.value">value (vaultapi.payload.PutSecret attribute)</a>
 </li>
@@ -424,6 +438,13 @@ <h2 id="V">V</h2>
 
       <ul>
         <li><a href="index.html#module-vaultapi.squire">module</a>
+</li>
+      </ul></li>
+      <li>
+    vaultapi.transit
+
+      <ul>
+        <li><a href="index.html#module-vaultapi.transit">module</a>
 </li>
       </ul></li>
       <li>
diff --git a/docs/index.html b/docs/index.html
index b6a62de..dc0ca9b 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -273,6 +273,11 @@ <h1>Models<a class="headerlink" href="#models" title="Permalink to this heading"
 <span class="sig-name descname"><span class="pre">fernet</span></span><em class="property"><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="pre">cryptography.fernet.Fernet</span><span class="w"> </span><span class="p"><span class="pre">|</span></span><span class="w"> </span><span class="pre">None</span></em><a class="headerlink" href="#vaultapi.models.Session.fernet" title="Permalink to this definition">¶</a></dt>
 <dd></dd></dl>
 
+<dl class="py attribute">
+<dt class="sig sig-object py" id="vaultapi.models.Session.aes_key">
+<span class="sig-name descname"><span class="pre">aes_key</span></span><em class="property"><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="pre">Optional</span><span class="p"><span class="pre">[</span></span><span class="pre">ByteString</span><span class="p"><span class="pre">]</span></span></em><a class="headerlink" href="#vaultapi.models.Session.aes_key" title="Permalink to this definition">¶</a></dt>
+<dd></dd></dl>
+
 <dl class="py attribute">
 <dt class="sig sig-object py" id="vaultapi.models.Session.info">
 <span class="sig-name descname"><span class="pre">info</span></span><em class="property"><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="pre">Dict</span><span class="p"><span class="pre">[</span></span><span class="pre">str</span><span class="p"><span class="pre">,</span></span><span class="w"> </span><span class="pre">str</span><span class="p"><span class="pre">]</span></span></em><a class="headerlink" href="#vaultapi.models.Session.info" title="Permalink to this definition">¶</a></dt>
@@ -319,6 +324,11 @@ <h1>Models<a class="headerlink" href="#models" title="Permalink to this heading"
 <span class="sig-name descname"><span class="pre">secret</span></span><em class="property"><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="pre">str</span></em><a class="headerlink" href="#vaultapi.models.EnvConfig.secret" title="Permalink to this definition">¶</a></dt>
 <dd></dd></dl>
 
+<dl class="py attribute">
+<dt class="sig sig-object py" id="vaultapi.models.EnvConfig.transit_key_length">
+<span class="sig-name descname"><span class="pre">transit_key_length</span></span><em class="property"><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="pre">int</span></em><a class="headerlink" href="#vaultapi.models.EnvConfig.transit_key_length" title="Permalink to this definition">¶</a></dt>
+<dd></dd></dl>
+
 <dl class="py attribute">
 <dt class="sig sig-object py" id="vaultapi.models.EnvConfig.database">
 <span class="sig-name descname"><span class="pre">database</span></span><em class="property"><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="pre">Union</span><span class="p"><span class="pre">[</span></span><span class="pre">Path</span><span class="p"><span class="pre">,</span></span><span class="w"> </span><span class="pre">Path</span><span class="p"><span class="pre">,</span></span><span class="w"> </span><span class="pre">str</span><span class="p"><span class="pre">]</span></span></em><a class="headerlink" href="#vaultapi.models.EnvConfig.database" title="Permalink to this definition">¶</a></dt>
@@ -360,27 +370,27 @@ <h1>Models<a class="headerlink" href="#models" title="Permalink to this heading"
 <dd></dd></dl>
 
 <dl class="py method">
-<dt class="sig sig-object py" id="vaultapi.models.EnvConfig.parse_allowed_origins">
-<em class="property"><span class="pre">classmethod</span><span class="w"> </span></em><span class="sig-name descname"><span class="pre">parse_allowed_origins</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">value</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">Union</span><span class="p"><span class="pre">[</span></span><span class="pre">Url</span><span class="p"><span class="pre">,</span></span><span class="w"> </span><span class="pre">List</span><span class="p"><span class="pre">[</span></span><span class="pre">Url</span><span class="p"><span class="pre">]</span></span><span class="p"><span class="pre">]</span></span></span></em><span class="sig-paren">)</span> <span class="sig-return"><span class="sig-return-icon">&#x2192;</span> <span class="sig-return-typehint"><span class="pre">List</span><span class="p"><span class="pre">[</span></span><span class="pre">Url</span><span class="p"><span class="pre">]</span></span></span></span><a class="headerlink" href="#vaultapi.models.EnvConfig.parse_allowed_origins" title="Permalink to this definition">¶</a></dt>
+<dt class="sig sig-object py" id="vaultapi.models.EnvConfig.validate_allowed_origins">
+<em class="property"><span class="pre">classmethod</span><span class="w"> </span></em><span class="sig-name descname"><span class="pre">validate_allowed_origins</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">value</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">Union</span><span class="p"><span class="pre">[</span></span><span class="pre">Url</span><span class="p"><span class="pre">,</span></span><span class="w"> </span><span class="pre">List</span><span class="p"><span class="pre">[</span></span><span class="pre">Url</span><span class="p"><span class="pre">]</span></span><span class="p"><span class="pre">]</span></span></span></em><span class="sig-paren">)</span> <span class="sig-return"><span class="sig-return-icon">&#x2192;</span> <span class="sig-return-typehint"><span class="pre">List</span><span class="p"><span class="pre">[</span></span><span class="pre">Url</span><span class="p"><span class="pre">]</span></span></span></span><a class="headerlink" href="#vaultapi.models.EnvConfig.validate_allowed_origins" title="Permalink to this definition">¶</a></dt>
 <dd><p>Validate allowed origins to enable CORS policy.</p>
 </dd></dl>
 
 <dl class="py method">
-<dt class="sig sig-object py" id="vaultapi.models.EnvConfig.parse_allowed_ip_range">
-<em class="property"><span class="pre">classmethod</span><span class="w"> </span></em><span class="sig-name descname"><span class="pre">parse_allowed_ip_range</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">value</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">List</span><span class="p"><span class="pre">[</span></span><span class="pre">str</span><span class="p"><span class="pre">]</span></span></span></em><span class="sig-paren">)</span> <span class="sig-return"><span class="sig-return-icon">&#x2192;</span> <span class="sig-return-typehint"><span class="pre">List</span><span class="p"><span class="pre">[</span></span><span class="pre">str</span><span class="p"><span class="pre">]</span></span></span></span><a class="headerlink" href="#vaultapi.models.EnvConfig.parse_allowed_ip_range" title="Permalink to this definition">¶</a></dt>
+<dt class="sig sig-object py" id="vaultapi.models.EnvConfig.validate_allowed_ip_range">
+<em class="property"><span class="pre">classmethod</span><span class="w"> </span></em><span class="sig-name descname"><span class="pre">validate_allowed_ip_range</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">value</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">List</span><span class="p"><span class="pre">[</span></span><span class="pre">str</span><span class="p"><span class="pre">]</span></span></span></em><span class="sig-paren">)</span> <span class="sig-return"><span class="sig-return-icon">&#x2192;</span> <span class="sig-return-typehint"><span class="pre">List</span><span class="p"><span class="pre">[</span></span><span class="pre">str</span><span class="p"><span class="pre">]</span></span></span></span><a class="headerlink" href="#vaultapi.models.EnvConfig.validate_allowed_ip_range" title="Permalink to this definition">¶</a></dt>
 <dd><p>Validate allowed IP range to whitelist.</p>
 </dd></dl>
 
 <dl class="py method">
-<dt class="sig sig-object py" id="vaultapi.models.EnvConfig.parse_apikey">
-<em class="property"><span class="pre">classmethod</span><span class="w"> </span></em><span class="sig-name descname"><span class="pre">parse_apikey</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">value</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">str</span></span></em><span class="sig-paren">)</span> <span class="sig-return"><span class="sig-return-icon">&#x2192;</span> <span class="sig-return-typehint"><span class="pre">str</span><span class="w"> </span><span class="p"><span class="pre">|</span></span><span class="w"> </span><span class="pre">None</span></span></span><a class="headerlink" href="#vaultapi.models.EnvConfig.parse_apikey" title="Permalink to this definition">¶</a></dt>
-<dd><p>Parse API key to validate complexity.</p>
+<dt class="sig sig-object py" id="vaultapi.models.EnvConfig.validate_apikey">
+<em class="property"><span class="pre">classmethod</span><span class="w"> </span></em><span class="sig-name descname"><span class="pre">validate_apikey</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">value</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">str</span></span></em><span class="sig-paren">)</span> <span class="sig-return"><span class="sig-return-icon">&#x2192;</span> <span class="sig-return-typehint"><span class="pre">str</span><span class="w"> </span><span class="p"><span class="pre">|</span></span><span class="w"> </span><span class="pre">None</span></span></span><a class="headerlink" href="#vaultapi.models.EnvConfig.validate_apikey" title="Permalink to this definition">¶</a></dt>
+<dd><p>Validate API key for complexity.</p>
 </dd></dl>
 
 <dl class="py method">
-<dt class="sig sig-object py" id="vaultapi.models.EnvConfig.parse_api_secret">
-<em class="property"><span class="pre">classmethod</span><span class="w"> </span></em><span class="sig-name descname"><span class="pre">parse_api_secret</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">value</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">str</span></span></em><span class="sig-paren">)</span> <span class="sig-return"><span class="sig-return-icon">&#x2192;</span> <span class="sig-return-typehint"><span class="pre">str</span></span></span><a class="headerlink" href="#vaultapi.models.EnvConfig.parse_api_secret" title="Permalink to this definition">¶</a></dt>
-<dd><p>Parse API secret to Fernet compatible.</p>
+<dt class="sig sig-object py" id="vaultapi.models.EnvConfig.validate_api_secret">
+<em class="property"><span class="pre">classmethod</span><span class="w"> </span></em><span class="sig-name descname"><span class="pre">validate_api_secret</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">value</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">str</span></span></em><span class="sig-paren">)</span> <span class="sig-return"><span class="sig-return-icon">&#x2192;</span> <span class="sig-return-typehint"><span class="pre">str</span></span></span><a class="headerlink" href="#vaultapi.models.EnvConfig.validate_api_secret" title="Permalink to this definition">¶</a></dt>
+<dd><p>Validate API secret to Fernet compatible.</p>
 </dd></dl>
 
 <dl class="py method">
@@ -798,6 +808,81 @@ <h1>Payload<a class="headerlink" href="#payload" title="Permalink to this headin
 </dl>
 </dd></dl>
 
+</section>
+<section id="module-vaultapi.transit">
+<span id="transmitter"></span><h1>Transmitter<a class="headerlink" href="#module-vaultapi.transit" title="Permalink to this heading">¶</a></h1>
+<p>Module that performs transit encryption/decryption.</p>
+<p>This allows the server to securely transmit the retrieved secret to be decrypted at the client side using the API key.</p>
+<dl class="py function">
+<dt class="sig sig-object py" id="vaultapi.transit.string_to_aes_key">
+<span class="sig-prename descclassname"><span class="pre">vaultapi.transit.</span></span><span class="sig-name descname"><span class="pre">string_to_aes_key</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">input_string</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">str</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">key_length</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">int</span></span></em><span class="sig-paren">)</span> <span class="sig-return"><span class="sig-return-icon">&#x2192;</span> <span class="sig-return-typehint"><span class="pre">ByteString</span></span></span><a class="headerlink" href="#vaultapi.transit.string_to_aes_key" title="Permalink to this definition">¶</a></dt>
+<dd><p>Hashes the string.</p>
+<dl class="field-list simple">
+<dt class="field-odd">Parameters<span class="colon">:</span></dt>
+<dd class="field-odd"><ul class="simple">
+<li><p><strong>input_string</strong> – String for which an AES hash has to be generated.</p></li>
+<li><p><strong>key_length</strong> – AES key size used during encryption.</p></li>
+</ul>
+</dd>
+</dl>
+<div class="admonition seealso">
+<p class="admonition-title">See also</p>
+<dl class="simple">
+<dt>AES supports three key lengths:</dt><dd><ul class="simple">
+<li><p>128 bits (16 bytes)</p></li>
+<li><p>192 bits (24 bytes)</p></li>
+<li><p>256 bits (32 bytes)</p></li>
+</ul>
+</dd>
+</dl>
+</div>
+<dl class="field-list simple">
+<dt class="field-odd">Returns<span class="colon">:</span></dt>
+<dd class="field-odd"><p>Return the first 16 bytes for the AES key</p>
+</dd>
+<dt class="field-even">Return type<span class="colon">:</span></dt>
+<dd class="field-even"><p>str</p>
+</dd>
+</dl>
+</dd></dl>
+
+<dl class="py function">
+<dt class="sig sig-object py" id="vaultapi.transit.encrypt">
+<span class="sig-prename descclassname"><span class="pre">vaultapi.transit.</span></span><span class="sig-name descname"><span class="pre">encrypt</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">payload</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">Dict</span><span class="p"><span class="pre">[</span></span><span class="pre">str</span><span class="p"><span class="pre">,</span></span><span class="w"> </span><span class="pre">Any</span><span class="p"><span class="pre">]</span></span></span></em>, <em class="sig-param"><span class="n"><span class="pre">url_safe</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">bool</span></span><span class="w"> </span><span class="o"><span class="pre">=</span></span><span class="w"> </span><span class="default_value"><span class="pre">True</span></span></em><span class="sig-paren">)</span> <span class="sig-return"><span class="sig-return-icon">&#x2192;</span> <span class="sig-return-typehint"><span class="pre">Union</span><span class="p"><span class="pre">[</span></span><span class="pre">ByteString</span><span class="p"><span class="pre">,</span></span><span class="w"> </span><span class="pre">str</span><span class="p"><span class="pre">]</span></span></span></span><a class="headerlink" href="#vaultapi.transit.encrypt" title="Permalink to this definition">¶</a></dt>
+<dd><p>Encrypt a message using GCM mode with 12 fresh bytes.</p>
+<dl class="field-list simple">
+<dt class="field-odd">Parameters<span class="colon">:</span></dt>
+<dd class="field-odd"><ul class="simple">
+<li><p><strong>payload</strong> – Payload to be encrypted.</p></li>
+<li><p><strong>url_safe</strong> – Boolean flag to perform base64 encoding to perform JSON serialization.</p></li>
+</ul>
+</dd>
+<dt class="field-even">Returns<span class="colon">:</span></dt>
+<dd class="field-even"><p>Returns the ciphertext as a string or bytes based on the <code class="docutils literal notranslate"><span class="pre">url_safe</span></code> flag.</p>
+</dd>
+<dt class="field-odd">Return type<span class="colon">:</span></dt>
+<dd class="field-odd"><p>ByteString | str</p>
+</dd>
+</dl>
+</dd></dl>
+
+<dl class="py function">
+<dt class="sig sig-object py" id="vaultapi.transit.decrypt">
+<span class="sig-prename descclassname"><span class="pre">vaultapi.transit.</span></span><span class="sig-name descname"><span class="pre">decrypt</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">ciphertext</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">Union</span><span class="p"><span class="pre">[</span></span><span class="pre">ByteString</span><span class="p"><span class="pre">,</span></span><span class="w"> </span><span class="pre">str</span><span class="p"><span class="pre">]</span></span></span></em><span class="sig-paren">)</span> <span class="sig-return"><span class="sig-return-icon">&#x2192;</span> <span class="sig-return-typehint"><span class="pre">Dict</span><span class="p"><span class="pre">[</span></span><span class="pre">str</span><span class="p"><span class="pre">,</span></span><span class="w"> </span><span class="pre">Any</span><span class="p"><span class="pre">]</span></span></span></span><a class="headerlink" href="#vaultapi.transit.decrypt" title="Permalink to this definition">¶</a></dt>
+<dd><p>Decrypt the ciphertext.</p>
+<dl class="field-list simple">
+<dt class="field-odd">Raises<span class="colon">:</span></dt>
+<dd class="field-odd"><p><strong>Raises InvalidTag if using wrong key</strong><strong> or </strong><strong>corrupted ciphertext.</strong> – </p>
+</dd>
+<dt class="field-even">Returns<span class="colon">:</span></dt>
+<dd class="field-even"><p>Returns the JSON serialized decrypted payload.</p>
+</dd>
+<dt class="field-odd">Return type<span class="colon">:</span></dt>
+<dd class="field-odd"><p>Dict[str, Any]</p>
+</dd>
+</dl>
+</dd></dl>
+
 </section>
 <section id="module-vaultapi.util">
 <span id="util"></span><h1>Util<a class="headerlink" href="#module-vaultapi.util" title="Permalink to this heading">¶</a></h1>
@@ -816,6 +901,27 @@ <h1>Payload<a class="headerlink" href="#payload" title="Permalink to this headin
 </dl>
 </dd></dl>
 
+<dl class="py function">
+<dt class="sig sig-object py" id="vaultapi.util.transit_decrypt">
+<span class="sig-prename descclassname"><span class="pre">vaultapi.util.</span></span><span class="sig-name descname"><span class="pre">transit_decrypt</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">apikey</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">str</span></span></em>, <em class="sig-param"><span class="n"><span class="pre">ciphertext</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">Union</span><span class="p"><span class="pre">[</span></span><span class="pre">str</span><span class="p"><span class="pre">,</span></span><span class="w"> </span><span class="pre">ByteString</span><span class="p"><span class="pre">]</span></span></span></em>, <em class="sig-param"><span class="n"><span class="pre">key_length</span></span><span class="p"><span class="pre">:</span></span><span class="w"> </span><span class="n"><span class="pre">int</span></span><span class="w"> </span><span class="o"><span class="pre">=</span></span><span class="w"> </span><span class="default_value"><span class="pre">32</span></span></em><span class="sig-paren">)</span> <span class="sig-return"><span class="sig-return-icon">&#x2192;</span> <span class="sig-return-typehint"><span class="pre">Dict</span><span class="p"><span class="pre">[</span></span><span class="pre">str</span><span class="p"><span class="pre">,</span></span><span class="w"> </span><span class="pre">Any</span><span class="p"><span class="pre">]</span></span></span></span><a class="headerlink" href="#vaultapi.util.transit_decrypt" title="Permalink to this definition">¶</a></dt>
+<dd><p>Decrypts the ciphertext into an appropriate payload.</p>
+<dl class="field-list simple">
+<dt class="field-odd">Parameters<span class="colon">:</span></dt>
+<dd class="field-odd"><ul class="simple">
+<li><p><strong>apikey</strong> – API key that was used to encrypt the payload.</p></li>
+<li><p><strong>ciphertext</strong> – Encrypted ciphertext.</p></li>
+<li><p><strong>key_length</strong> – AES key size used during encryption.</p></li>
+</ul>
+</dd>
+<dt class="field-even">Returns<span class="colon">:</span></dt>
+<dd class="field-even"><p>Returns the decrypted payload.</p>
+</dd>
+<dt class="field-odd">Return type<span class="colon">:</span></dt>
+<dd class="field-odd"><p>Dict[str, Any]</p>
+</dd>
+</dl>
+</dd></dl>
+
 </section>
 <section id="indices-and-tables">
 <h1>Indices and tables<a class="headerlink" href="#indices-and-tables" title="Permalink to this heading">¶</a></h1>
@@ -846,6 +952,7 @@ <h3><a href="#">Table of Contents</a></h3>
 <li><a class="reference internal" href="#module-vaultapi.rate_limit">RateLimit</a></li>
 <li><a class="reference internal" href="#module-vaultapi.routes">API Routes</a></li>
 <li><a class="reference internal" href="#module-vaultapi.squire">Squire</a></li>
+<li><a class="reference internal" href="#module-vaultapi.transit">Transmitter</a></li>
 <li><a class="reference internal" href="#module-vaultapi.util">Util</a></li>
 <li><a class="reference internal" href="#indices-and-tables">Indices and tables</a></li>
 </ul>
diff --git a/docs/objects.inv b/docs/objects.inv
index 6e550315f302dae0ec0ac7ff75fb0c8bddecc557..7ed4dc81b0710bcf0afdc70e200cb39aef2f37d3 100644
GIT binary patch
delta 840
zcmV-O1GoH!2fqi9gnyygW)~y|8lXXq1ZbB8EsZ526v>d3W9@p4Uau$VP?Rh=F=~>|
z&XMN(XGqP1%#OC)QpIxG+B#F+btB7`L-sXeqJ({3+lGJk&z4`Z<zhFt&sXaox8EGK
zZAD?36xr3Bdk^d=XC<`|$e=0RPy;c6jZ9u>Ku-k!;<5hnQh!U8Mpj^n0rYKC$RwAl
zO?9cEkvm9)`&bF=nXx92g?$0a*_fCwI#Kz}`u-7&!k_&v9p3!MXG58Y@#gGv5dGo`
zsY936W5!Y)x{v4^c+@_4BEOpzMZu{tXPx9LvAdOG%c>M6zZlJ_-Y~1F?uhLa7(zLh
zuTVNkYOQ9Q7Jpkpye#Zd^iq+Ul|YzqMZ^RFt%q-(q&X~%Fhw*K6<jPNHLIAoARxt_
zp-aZ+4LC_)t7St#?8uh+#@2wXWf>z;OJkG$b6H^(kNKM<p`=dtuiXgZtYPUAQ+H0n
zu|$MnmS7qX4x;j7K1phv-sDu8$A8#&a<gQ=L`|{TM1Q+XXsDfdkyojoA-a(~qTBCd
zvII8U1A`-IPc*!=Fbw1r$1dBXC}a62Fvg9$@URCWez+WiA2eD<QHl!j{qjIx)U-#H
zEoc#4?<35_Rwkla#YSAnMsYj<+Kv=86qxW)XP?yRg5xBVP_*NcmiZlUu<&%~3g>d|
z6qiRN#(zoPAD9JgAXaAG+W6QHP)gtv`~gwBmf8m6$0IZJa6C~{GxPa)Zof{GSV=5w
zfXsN}?r?aX6qapSa5ZR&8xnOB@I=ZDcOc6?FXJwLBPt6MN4QPF)<~vx#<3|;PF#Y+
zgbl5Ma(}W4XQJ=z@3_ddA)y)U(!To}IMlUyX@8lH`Uj3DT$guu2I5*ta48L}W5_Tj
z0;u7L924Y#U?CN{Q#Q^Kt}TT!_yI&ktR%BzN&w$l#$(pz?6J(PySAaTm}=<J@x~Ff
zH;=2EyN6X~Y<Z2HC0kx){z-3<{dB@N>-$9oq6d3JPB*}v>G;$e-@BiS$!yS@S^NTy
zXF(RotUM_H{r$&eXxTQ{wW*8o(*if;gfrDG#}{7h!SAPcJ9~QuTX#56#4&Av>Y_dd
S{WH%z`S)vD!QvmfTg_MIQK38l

delta 783
zcmV+q1MvL62Zjfbgny#hW)~y|8lXXq1ZbB8EsZ216v>d3V(og3Uau!9DN2@{7&S>}
zXG`<_GknYpsgAVF5J?efO`Xa9x)DXoAp4q8UcesJreUA`v-Ov3z3P_sXtVus`^`~h
z%X32o&#so-d!QqX7Q{dxV@=79Xov}HVo<KYdcyV}i}i;JC4XcZS%JYCtZ$P-Cb^Vt
zs!Iip=pYduV#Tnh+UP(Q_BlvrqhnTdrqIpy{t>jaKZjX5y!nsMhEN{k&DkU1!{BnE
zLWeeB+7J~wkJdM^sCn=Nx?3bg&WP4$ouCcxZUrxCmBOHlQAE^^8bwr(O)o)X!kBo4
z!buWi6y3G9B!9%q!rqErDpJz|Fy$_ZD951GxaLWk<G?VLSP@>q#X>^Sit-BrlJpt+
zWPDkGlLSg78VtO{CG~}^0aJ@2MxqwlB>QKgvRORs-y{i1lm>iiW#h+kthHF&WGP7(
z<@*AaahD`02$jA(%5`W)8=5XLk3I>173vwHGyc)W{eOK5JFqGq7~3oMSiwsRW9Lk9
z?8Ys45z9Y;)~+vwhdmPUUEmn}pdK)ZUREC`l@b(>-a8Xac_|W6C1WGbMI)I#YndMB
zHRN{7MjbO!3%RY_p@bwo6Qn?Qz`(%MAuG@AmQx&x=vgOue>UZ$fmoSsYvN-+Kq-OG
z@CQWgZhu&9Fn(NqL(iczHJ2m5AJ5I#Y0_pA4QpQu9=q$3J-Ts2OB$RFO4tdBI&^y?
z<uW;v#jr2q?pPBlavevwNwK97&*O|^Q=*)?1cwO|S_5JJTSYh%eMNr9MUKr9ib9vR
z?r-2w*ZQTUD(YK_CtQ_x$8+pTNpLEStYh%lCVv8`)=(A`p|iJnVB8hLh>-2_xVgD|
z*ksxi*EWB$^;PDd3>Mi>Cw#NLUsb>da4=+K2h5pHPrdQI`?;FUM!ki_FJQJaLuSN5
z`S0&PI<uB-V`~#}F@9Rvk)3cR`}Op~t3CKh@opDy&tTi$mQ8+4YalAGk3s*;Gf)2g
NmIzd^`Ug{&FlaC;cD(=q

diff --git a/docs/py-modindex.html b/docs/py-modindex.html
index c1b0202..a17b588 100644
--- a/docs/py-modindex.html
+++ b/docs/py-modindex.html
@@ -98,6 +98,11 @@ <h1>Python Module Index</h1>
        <td>&#160;&#160;&#160;
        <a href="index.html#module-vaultapi.squire"><code class="xref">vaultapi.squire</code></a></td><td>
        <em></em></td></tr>
+     <tr class="cg-1">
+       <td></td>
+       <td>&#160;&#160;&#160;
+       <a href="index.html#module-vaultapi.transit"><code class="xref">vaultapi.transit</code></a></td><td>
+       <em></em></td></tr>
      <tr class="cg-1">
        <td></td>
        <td>&#160;&#160;&#160;
diff --git a/docs/searchindex.js b/docs/searchindex.js
index 7597596..77f1855 100644
--- a/docs/searchindex.js
+++ b/docs/searchindex.js
@@ -1 +1 @@
-Search.setIndex({"docnames": ["README", "index"], "filenames": ["README.md", "index.rst"], "titles": ["VaultAPI", "Welcome to VaultAPI\u2019s documentation!"], "terms": {"lightweight": 0, "api": 0, "store": [0, 1], "retriev": [0, 1], "secret": [0, 1], "from": [0, 1], "an": [0, 1], "encrypt": 0, "databas": 0, "platform": 0, "support": [0, 1], "deploy": 0, "recommend": 0, "instal": 0, "python": 0, "3": 0, "10": [0, 1], "11": 0, "us": [0, 1], "dedic": 0, "virtual": 0, "m": 0, "pip": 0, "initi": 0, "id": 0, "import": 0, "__name__": 0, "__main__": 0, "start": [0, 1], "cli": 0, "help": 0, "usag": 0, "instruct": 0, "sourc": 0, "env": [0, 1], "file": [0, 1], "By": 0, "default": [0, 1], "look": 0, "current": 0, "work": 0, "directori": 0, "host": [0, 1], "hostnam": [0, 1], "server": [0, 1], "port": [0, 1], "number": [0, 1], "worker": [0, 1], "uvicorn": [0, 1], "apikei": [0, 1], "kei": [0, 1], "authent": 0, "access": [0, 1], "encod": 0, "decod": 0, "datastor": 0, "filepath": [0, 1], "rate": [0, 1], "_": 0, "limit": [0, 1], "list": [0, 1], "dictionari": [0, 1], "max_request": [0, 1], "second": [0, 1], "appli": [0, 1], "auto": 0, "gener": [0, 1], "valu": [0, 1], "thi": [0, 1], "decrypt": 0, "keygen": 0, "cryptographi": [0, 1], "fernet": [0, 1], "print": 0, "generate_kei": 0, "docstr": 0, "format": [0, 1], "googl": 0, "style": 0, "convent": 0, "pep": 0, "8": 0, "isort": 0, "requir": [0, 1], "gitvers": 0, "revers": 0, "f": 0, "release_not": 0, "rst": 0, "t": 0, "pre": 0, "commit": 0, "ensur": 0, "run": 0, "pytest": 0, "valid": [0, 1], "hyperlink": 0, "all": [0, 1], "markdown": 0, "includ": 0, "wiki": 0, "page": [0, 1], "sphinx": 0, "5": 0, "1": [0, 1], "recommonmark": 0, "http": 0, "org": 0, "project": 0, "hub": 0, "com": 0, "r": 0, "thevickypedia": 0, "github": 0, "io": 0, "vignesh": 0, "rao": 0, "under": 0, "mit": 0, "kick": 1, "off": 1, "environ": 1, "variabl": 1, "code": 1, "standard": 1, "releas": 1, "note": 1, "lint": 1, "pypi": 1, "packag": 1, "docker": 1, "imag": 1, "runbook": 1, "licens": 1, "copyright": 1, "enable_cor": 1, "none": 1, "enabl": 1, "cor": 1, "polici": 1, "kwarg": 1, "starter": 1, "function": 1, "which": 1, "trigger": 1, "keyword": 1, "argument": 1, "env_fil": 1, "load": 1, "auth": 1, "handl": 1, "error": 1, "rate_limit": 1, "log_config": 1, "log": 1, "configur": 1, "dict": 1, "yaml": 1, "yml": 1, "json": 1, "ini": 1, "epoch": 1, "async": 1, "request": 1, "httpauthorizationcredenti": 1, "httpbearer": 1, "paramet": 1, "take": 1, "author": 1, "header": 1, "token": 1, "basic": 1, "rais": 1, "apirespons": 1, "401": 1, "If": 1, "i": 1, "invalid": 1, "403": 1, "address": 1, "forbidden": 1, "table_exist": 1, "table_nam": 1, "str": 1, "bool": 1, "check": 1, "exist": 1, "name": 1, "create_t": 1, "column": 1, "union": 1, "tupl": 1, "creat": 1, "ha": 1, "get_secret": 1, "where": 1, "return": 1, "type": 1, "get_tabl": 1, "pair": 1, "particular": 1, "ar": 1, "put_secret": 1, "add": 1, "remove_secret": 1, "remov": 1, "drop_tabl": 1, "drop": 1, "status_cod": 1, "int": 1, "detail": 1, "ani": 1, "option": 1, "custom": 1, "httpexcept": 1, "fastapi": 1, "wrap": 1, "respons": 1, "class": 1, "basemodel": 1, "object": 1, "set": 1, "session": 1, "inform": 1, "info": 1, "rp": 1, "allowed_origin": 1, "config": 1, "allow": 1, "arbitrari": 1, "arbitrary_types_allow": 1, "true": 1, "envconfig": 1, "baseset": 1, "path": 1, "url": 1, "allowed_ip_rang": 1, "classmethod": 1, "parse_allowed_origin": 1, "origin": 1, "parse_allowed_ip_rang": 1, "ip": 1, "rang": 1, "whitelist": 1, "parse_apikei": 1, "pars": 1, "complex": 1, "parse_api_secret": 1, "compat": 1, "from_env_fil": 1, "instanc": 1, "extra": 1, "ignor": 1, "hide_input_in_error": 1, "complexity_check": 1, "verifi": 1, "strength": 1, "A": 1, "consid": 1, "strong": 1, "least": 1, "32": 1, "charact": 1, "digit": 1, "symbol": 1, "uppercas": 1, "letter": 1, "lowercas": 1, "assertionerror": 1, "when": 1, "abov": 1, "condit": 1, "fail": 1, "match": 1, "timeout": 1, "connect": 1, "instanti": 1, "cursor": 1, "alia": 1, "deletesecret": 1, "delet": 1, "call": 1, "putsecret": 1, "put": 1, "_get_identifi": 1, "uniqu": 1, "identifi": 1, "incom": 1, "init": 1, "exce": 1, "given": 1, "The": 1, "429": 1, "too": 1, "mani": 1, "retrieve_secret": 1, "multipl": 1, "whole": 1, "have": 1, "depend": 1, "arg": 1, "refer": 1, "httpstatu": 1, "statu": 1, "time": 1, "comma": 1, "separ": 1, "data": 1, "bodi": 1, "delete_secret": 1, "new": 1, "health": 1, "healthcheck": 1, "endpoint": 1, "doc": 1, "redirectrespons": 1, "redirect": 1, "user": 1, "get_all_rout": 1, "apirout": 1, "get": 1, "ad": 1, "envfile_load": 1, "filenam": 1, "o": 1, "pathlik": 1, "base": 1, "filetyp": 1, "var": 1, "load_env": 1, "merg": 1, "give": 1, "prioriti": 1, "partial": 1, "through": 1, "dotenv_to_t": 1, "dotenv_fil": 1, "drop_exist": 1, "fals": 1, "dot": 1, "boolean": 1, "flag": 1, "index": 1, "modul": 1, "search": 1}, "objects": {"vaultapi": [[1, 0, 0, "-", "auth"], [1, 0, 0, "-", "database"], [1, 0, 0, "-", "exceptions"], [1, 0, 0, "-", "main"], [1, 0, 0, "-", "models"], [1, 0, 0, "-", "rate_limit"], [1, 0, 0, "-", "routes"], [1, 0, 0, "-", "squire"], [1, 0, 0, "-", "util"]], "vaultapi.auth": [[1, 1, 1, "", "EPOCH"], [1, 1, 1, "", "validate"]], "vaultapi.database": [[1, 1, 1, "", "create_table"], [1, 1, 1, "", "drop_table"], [1, 1, 1, "", "get_secret"], [1, 1, 1, "", "get_table"], [1, 1, 1, "", "put_secret"], [1, 1, 1, "", "remove_secret"], [1, 1, 1, "", "table_exists"]], "vaultapi.exceptions": [[1, 2, 1, "", "APIResponse"]], "vaultapi.main": [[1, 1, 1, "", "enable_cors"], [1, 1, 1, "", "start"]], "vaultapi.models": [[1, 3, 1, "", "Database"], [1, 3, 1, "", "EnvConfig"], [1, 3, 1, "", "RateLimit"], [1, 3, 1, "", "Session"], [1, 1, 1, "", "complexity_checker"], [1, 4, 1, "", "database"], [1, 4, 1, "", "env"]], "vaultapi.models.EnvConfig": [[1, 3, 1, "", "Config"], [1, 4, 1, "", "allowed_ip_range"], [1, 4, 1, "", "allowed_origins"], [1, 4, 1, "", "apikey"], [1, 4, 1, "", "database"], [1, 5, 1, "", "from_env_file"], [1, 4, 1, "", "host"], [1, 4, 1, "", "log_config"], [1, 5, 1, "", "parse_allowed_ip_range"], [1, 5, 1, "", "parse_allowed_origins"], [1, 5, 1, "", "parse_api_secret"], [1, 5, 1, "", "parse_apikey"], [1, 4, 1, "", "port"], [1, 4, 1, "", "rate_limit"], [1, 4, 1, "", "secret"], [1, 4, 1, "", "workers"]], "vaultapi.models.EnvConfig.Config": [[1, 4, 1, "", "arbitrary_types_allowed"], [1, 4, 1, "", "extra"], [1, 4, 1, "", "hide_input_in_errors"]], "vaultapi.models.RateLimit": [[1, 4, 1, "", "max_requests"], [1, 4, 1, "", "seconds"]], "vaultapi.models.Session": [[1, 3, 1, "", "Config"], [1, 4, 1, "", "allowed_origins"], [1, 4, 1, "", "fernet"], [1, 4, 1, "", "info"], [1, 4, 1, "", "rps"]], "vaultapi.models.Session.Config": [[1, 4, 1, "", "arbitrary_types_allowed"]], "vaultapi.payload": [[1, 3, 1, "", "DeleteSecret"], [1, 3, 1, "", "PutSecret"]], "vaultapi.payload.DeleteSecret": [[1, 4, 1, "", "key"], [1, 4, 1, "", "table_name"]], "vaultapi.payload.PutSecret": [[1, 4, 1, "", "key"], [1, 4, 1, "", "table_name"], [1, 4, 1, "", "value"]], "vaultapi.rate_limit": [[1, 3, 1, "", "RateLimiter"], [1, 1, 1, "", "_get_identifier"]], "vaultapi.rate_limit.RateLimiter": [[1, 5, 1, "", "init"]], "vaultapi.routes": [[1, 1, 1, "", "create_table"], [1, 1, 1, "", "delete_secret"], [1, 1, 1, "", "docs"], [1, 1, 1, "", "get_all_routes"], [1, 1, 1, "", "get_secret"], [1, 1, 1, "", "get_secrets"], [1, 1, 1, "", "get_table"], [1, 1, 1, "", "health"], [1, 1, 1, "", "put_secret"], [1, 1, 1, "", "put_secrets"], [1, 1, 1, "", "retrieve_secret"], [1, 1, 1, "", "retrieve_secrets"]], "vaultapi.squire": [[1, 1, 1, "", "envfile_loader"], [1, 1, 1, "", "load_env"]], "vaultapi.util": [[1, 1, 1, "", "dotenv_to_table"]]}, "objtypes": {"0": "py:module", "1": "py:function", "2": "py:exception", "3": "py:class", "4": "py:attribute", "5": "py:method"}, "objnames": {"0": ["py", "module", "Python module"], "1": ["py", "function", "Python function"], "2": ["py", "exception", "Python exception"], "3": ["py", "class", "Python class"], "4": ["py", "attribute", "Python attribute"], "5": ["py", "method", "Python method"]}, "titleterms": {"vaultapi": [0, 1], "kick": 0, "off": 0, "environ": 0, "variabl": 0, "code": 0, "standard": 0, "releas": 0, "note": 0, "lint": 0, "pypi": 0, "packag": 0, "docker": 0, "imag": 0, "runbook": 0, "licens": 0, "copyright": 0, "welcom": 1, "": 1, "document": 1, "content": 1, "main": 1, "authent": 1, "databas": 1, "except": 1, "model": 1, "payload": 1, "ratelimit": 1, "api": 1, "rout": 1, "squir": 1, "util": 1, "indic": 1, "tabl": 1}, "envversion": {"sphinx.domains.c": 2, "sphinx.domains.changeset": 1, "sphinx.domains.citation": 1, "sphinx.domains.cpp": 6, "sphinx.domains.index": 1, "sphinx.domains.javascript": 2, "sphinx.domains.math": 2, "sphinx.domains.python": 3, "sphinx.domains.rst": 2, "sphinx.domains.std": 2, "sphinx": 56}})
\ No newline at end of file
+Search.setIndex({"docnames": ["README", "index"], "filenames": ["README.md", "index.rst"], "titles": ["VaultAPI", "Welcome to VaultAPI\u2019s documentation!"], "terms": {"lightweight": 0, "api": 0, "store": [0, 1], "retriev": [0, 1], "secret": [0, 1], "from": [0, 1], "an": [0, 1], "encrypt": [0, 1], "databas": 0, "platform": 0, "support": [0, 1], "deploy": 0, "recommend": 0, "instal": 0, "python": 0, "3": 0, "10": [0, 1], "11": 0, "us": [0, 1], "dedic": 0, "virtual": 0, "m": 0, "pip": 0, "initi": 0, "id": 0, "import": 0, "__name__": 0, "__main__": 0, "start": [0, 1], "cli": 0, "help": 0, "usag": 0, "instruct": 0, "sourc": 0, "env": [0, 1], "file": [0, 1], "By": 0, "default": [0, 1], "look": 0, "current": 0, "work": 0, "directori": 0, "mandatori": 0, "apikei": [0, 1], "kei": [0, 1], "authent": 0, "access": [0, 1], "encod": [0, 1], "decod": 0, "datastor": 0, "option": [0, 1], "transit": [0, 1], "_": 0, "length": [0, 1], "ae": [0, 1], "32": [0, 1], "filepath": [0, 1], "db": 0, "host": [0, 1], "hostnam": [0, 1], "server": [0, 1], "0": 0, "OR": 0, "localhost": 0, "port": [0, 1], "number": [0, 1], "9010": 0, "worker": [0, 1], "uvicorn": [0, 1], "1": [0, 1], "rate": [0, 1], "limit": [0, 1], "list": [0, 1], "dictionari": [0, 1], "max_request": [0, 1], "second": [0, 1], "appli": [0, 1], "5req": 0, "2": 0, "AND": 0, "10req": 0, "30": 0, "without": 0, "log": [0, 1], "config": [0, 1], "valu": [0, 1], "pair": [0, 1], "allow": [0, 1], "origin": [0, 1], "ar": [0, 1], "ip": [0, 1], "rang": [0, 1], "i": [0, 1], "eg": 0, "112": 0, "8": 0, "210": 0, "auto": 0, "gener": [0, 1], "thi": [0, 1], "decrypt": [0, 1], "keygen": 0, "cryptographi": [0, 1], "fernet": [0, 1], "print": 0, "generate_kei": 0, "docstr": 0, "format": [0, 1], "googl": 0, "style": 0, "convent": 0, "pep": 0, "isort": 0, "requir": [0, 1], "gitvers": 0, "revers": 0, "f": 0, "release_not": 0, "rst": 0, "t": 0, "pre": 0, "commit": 0, "ensur": 0, "run": 0, "pytest": 0, "valid": [0, 1], "hyperlink": 0, "all": [0, 1], "markdown": 0, "includ": 0, "wiki": 0, "page": [0, 1], "sphinx": 0, "5": 0, "recommonmark": 0, "http": 0, "org": 0, "project": 0, "hub": 0, "com": 0, "r": 0, "thevickypedia": 0, "github": 0, "io": 0, "vignesh": 0, "rao": 0, "under": 0, "mit": 0, "kick": 1, "off": 1, "environ": 1, "variabl": 1, "code": 1, "standard": 1, "releas": 1, "note": 1, "lint": 1, "pypi": 1, "packag": 1, "docker": 1, "imag": 1, "runbook": 1, "licens": 1, "copyright": 1, "enable_cor": 1, "none": 1, "enabl": 1, "cor": 1, "polici": 1, "kwarg": 1, "starter": 1, "function": 1, "which": 1, "trigger": 1, "keyword": 1, "argument": 1, "env_fil": 1, "load": 1, "auth": 1, "handl": 1, "error": 1, "rate_limit": 1, "log_config": 1, "configur": 1, "dict": 1, "yaml": 1, "yml": 1, "json": 1, "ini": 1, "epoch": 1, "async": 1, "request": 1, "httpauthorizationcredenti": 1, "httpbearer": 1, "paramet": 1, "take": 1, "author": 1, "header": 1, "token": 1, "basic": 1, "rais": 1, "apirespons": 1, "401": 1, "If": 1, "invalid": 1, "403": 1, "address": 1, "forbidden": 1, "table_exist": 1, "table_nam": 1, "str": 1, "bool": 1, "check": 1, "exist": 1, "name": 1, "create_t": 1, "column": 1, "union": 1, "tupl": 1, "creat": 1, "ha": 1, "get_secret": 1, "where": 1, "return": 1, "type": 1, "get_tabl": 1, "particular": 1, "put_secret": 1, "add": 1, "remove_secret": 1, "remov": 1, "drop_tabl": 1, "drop": 1, "status_cod": 1, "int": 1, "detail": 1, "ani": 1, "custom": 1, "httpexcept": 1, "fastapi": 1, "wrap": 1, "respons": 1, "class": 1, "basemodel": 1, "object": 1, "set": 1, "session": 1, "inform": 1, "aes_kei": 1, "bytestr": 1, "info": 1, "rp": 1, "allowed_origin": 1, "arbitrari": 1, "arbitrary_types_allow": 1, "true": 1, "envconfig": 1, "baseset": 1, "transit_key_length": 1, "path": 1, "url": 1, "allowed_ip_rang": 1, "classmethod": 1, "validate_allowed_origin": 1, "validate_allowed_ip_rang": 1, "whitelist": 1, "validate_apikei": 1, "complex": 1, "validate_api_secret": 1, "compat": 1, "from_env_fil": 1, "instanc": 1, "extra": 1, "ignor": 1, "hide_input_in_error": 1, "complexity_check": 1, "verifi": 1, "strength": 1, "A": 1, "consid": 1, "strong": 1, "least": 1, "charact": 1, "digit": 1, "symbol": 1, "uppercas": 1, "letter": 1, "lowercas": 1, "assertionerror": 1, "when": 1, "abov": 1, "condit": 1, "fail": 1, "match": 1, "timeout": 1, "connect": 1, "instanti": 1, "cursor": 1, "alia": 1, "deletesecret": 1, "delet": 1, "call": 1, "putsecret": 1, "put": 1, "_get_identifi": 1, "uniqu": 1, "identifi": 1, "incom": 1, "init": 1, "exce": 1, "given": 1, "The": 1, "429": 1, "too": 1, "mani": 1, "retrieve_secret": 1, "multipl": 1, "whole": 1, "have": 1, "depend": 1, "arg": 1, "refer": 1, "httpstatu": 1, "statu": 1, "time": 1, "comma": 1, "separ": 1, "data": 1, "bodi": 1, "delete_secret": 1, "new": 1, "health": 1, "healthcheck": 1, "endpoint": 1, "doc": 1, "redirectrespons": 1, "redirect": 1, "user": 1, "get_all_rout": 1, "apirout": 1, "get": 1, "ad": 1, "envfile_load": 1, "filenam": 1, "o": 1, "pathlik": 1, "base": 1, "filetyp": 1, "var": 1, "load_env": 1, "merg": 1, "give": 1, "prioriti": 1, "partial": 1, "through": 1, "modul": 1, "perform": 1, "secur": 1, "transmit": 1, "client": 1, "side": 1, "string_to_aes_kei": 1, "input_str": 1, "key_length": 1, "hash": 1, "string": 1, "size": 1, "dure": 1, "three": 1, "128": 1, "bit": 1, "16": 1, "byte": 1, "192": 1, "24": 1, "256": 1, "first": 1, "url_saf": 1, "messag": 1, "gcm": 1, "mode": 1, "12": 1, "fresh": 1, "boolean": 1, "flag": 1, "base64": 1, "serial": 1, "ciphertext": 1, "invalidtag": 1, "wrong": 1, "corrupt": 1, "dotenv_to_t": 1, "dotenv_fil": 1, "drop_exist": 1, "fals": 1, "dot": 1, "transit_decrypt": 1, "appropri": 1, "wa": 1, "index": 1, "search": 1}, "objects": {"vaultapi": [[1, 0, 0, "-", "auth"], [1, 0, 0, "-", "database"], [1, 0, 0, "-", "exceptions"], [1, 0, 0, "-", "main"], [1, 0, 0, "-", "models"], [1, 0, 0, "-", "rate_limit"], [1, 0, 0, "-", "routes"], [1, 0, 0, "-", "squire"], [1, 0, 0, "-", "transit"], [1, 0, 0, "-", "util"]], "vaultapi.auth": [[1, 1, 1, "", "EPOCH"], [1, 1, 1, "", "validate"]], "vaultapi.database": [[1, 1, 1, "", "create_table"], [1, 1, 1, "", "drop_table"], [1, 1, 1, "", "get_secret"], [1, 1, 1, "", "get_table"], [1, 1, 1, "", "put_secret"], [1, 1, 1, "", "remove_secret"], [1, 1, 1, "", "table_exists"]], "vaultapi.exceptions": [[1, 2, 1, "", "APIResponse"]], "vaultapi.main": [[1, 1, 1, "", "enable_cors"], [1, 1, 1, "", "start"]], "vaultapi.models": [[1, 3, 1, "", "Database"], [1, 3, 1, "", "EnvConfig"], [1, 3, 1, "", "RateLimit"], [1, 3, 1, "", "Session"], [1, 1, 1, "", "complexity_checker"], [1, 4, 1, "", "database"], [1, 4, 1, "", "env"]], "vaultapi.models.EnvConfig": [[1, 3, 1, "", "Config"], [1, 4, 1, "", "allowed_ip_range"], [1, 4, 1, "", "allowed_origins"], [1, 4, 1, "", "apikey"], [1, 4, 1, "", "database"], [1, 5, 1, "", "from_env_file"], [1, 4, 1, "", "host"], [1, 4, 1, "", "log_config"], [1, 4, 1, "", "port"], [1, 4, 1, "", "rate_limit"], [1, 4, 1, "", "secret"], [1, 4, 1, "", "transit_key_length"], [1, 5, 1, "", "validate_allowed_ip_range"], [1, 5, 1, "", "validate_allowed_origins"], [1, 5, 1, "", "validate_api_secret"], [1, 5, 1, "", "validate_apikey"], [1, 4, 1, "", "workers"]], "vaultapi.models.EnvConfig.Config": [[1, 4, 1, "", "arbitrary_types_allowed"], [1, 4, 1, "", "extra"], [1, 4, 1, "", "hide_input_in_errors"]], "vaultapi.models.RateLimit": [[1, 4, 1, "", "max_requests"], [1, 4, 1, "", "seconds"]], "vaultapi.models.Session": [[1, 3, 1, "", "Config"], [1, 4, 1, "", "aes_key"], [1, 4, 1, "", "allowed_origins"], [1, 4, 1, "", "fernet"], [1, 4, 1, "", "info"], [1, 4, 1, "", "rps"]], "vaultapi.models.Session.Config": [[1, 4, 1, "", "arbitrary_types_allowed"]], "vaultapi.payload": [[1, 3, 1, "", "DeleteSecret"], [1, 3, 1, "", "PutSecret"]], "vaultapi.payload.DeleteSecret": [[1, 4, 1, "", "key"], [1, 4, 1, "", "table_name"]], "vaultapi.payload.PutSecret": [[1, 4, 1, "", "key"], [1, 4, 1, "", "table_name"], [1, 4, 1, "", "value"]], "vaultapi.rate_limit": [[1, 3, 1, "", "RateLimiter"], [1, 1, 1, "", "_get_identifier"]], "vaultapi.rate_limit.RateLimiter": [[1, 5, 1, "", "init"]], "vaultapi.routes": [[1, 1, 1, "", "create_table"], [1, 1, 1, "", "delete_secret"], [1, 1, 1, "", "docs"], [1, 1, 1, "", "get_all_routes"], [1, 1, 1, "", "get_secret"], [1, 1, 1, "", "get_secrets"], [1, 1, 1, "", "get_table"], [1, 1, 1, "", "health"], [1, 1, 1, "", "put_secret"], [1, 1, 1, "", "put_secrets"], [1, 1, 1, "", "retrieve_secret"], [1, 1, 1, "", "retrieve_secrets"]], "vaultapi.squire": [[1, 1, 1, "", "envfile_loader"], [1, 1, 1, "", "load_env"]], "vaultapi.transit": [[1, 1, 1, "", "decrypt"], [1, 1, 1, "", "encrypt"], [1, 1, 1, "", "string_to_aes_key"]], "vaultapi.util": [[1, 1, 1, "", "dotenv_to_table"], [1, 1, 1, "", "transit_decrypt"]]}, "objtypes": {"0": "py:module", "1": "py:function", "2": "py:exception", "3": "py:class", "4": "py:attribute", "5": "py:method"}, "objnames": {"0": ["py", "module", "Python module"], "1": ["py", "function", "Python function"], "2": ["py", "exception", "Python exception"], "3": ["py", "class", "Python class"], "4": ["py", "attribute", "Python attribute"], "5": ["py", "method", "Python method"]}, "titleterms": {"vaultapi": [0, 1], "kick": 0, "off": 0, "environ": 0, "variabl": 0, "code": 0, "standard": 0, "releas": 0, "note": 0, "lint": 0, "pypi": 0, "packag": 0, "docker": 0, "imag": 0, "runbook": 0, "licens": 0, "copyright": 0, "welcom": 1, "": 1, "document": 1, "content": 1, "main": 1, "authent": 1, "databas": 1, "except": 1, "model": 1, "payload": 1, "ratelimit": 1, "api": 1, "rout": 1, "squir": 1, "transmitt": 1, "util": 1, "indic": 1, "tabl": 1}, "envversion": {"sphinx.domains.c": 2, "sphinx.domains.changeset": 1, "sphinx.domains.citation": 1, "sphinx.domains.cpp": 6, "sphinx.domains.index": 1, "sphinx.domains.javascript": 2, "sphinx.domains.math": 2, "sphinx.domains.python": 3, "sphinx.domains.rst": 2, "sphinx.domains.std": 2, "sphinx": 56}})
\ No newline at end of file
diff --git a/vaultapi/main.py b/vaultapi/main.py
index 542b5bd..c6cad7f 100644
--- a/vaultapi/main.py
+++ b/vaultapi/main.py
@@ -6,7 +6,7 @@
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 
-from . import database, models, routes, squire, version
+from . import database, models, routes, squire, transit, version
 
 LOGGER = logging.getLogger("uvicorn.default")
 VaultAPI = FastAPI(
@@ -20,6 +20,9 @@ def __init__(**kwargs) -> None:
     """Instantiates the env, session and database connections."""
     models.env = squire.load_env(**kwargs)
     models.session.fernet = Fernet(models.env.secret)
+    models.session.aes_key = transit.string_to_aes_key(
+        input_string=models.env.apikey, key_length=models.env.transit_key_length
+    )
     models.database = models.Database(models.env.database)
     default_allowed = ("0.0.0.0", "127.0.0.1", "localhost")
     if models.env.host in default_allowed:
diff --git a/vaultapi/models.py b/vaultapi/models.py
index 87db7d0..07a1486 100644
--- a/vaultapi/models.py
+++ b/vaultapi/models.py
@@ -2,7 +2,7 @@
 import re
 import socket
 import sqlite3
-from typing import Any, Dict, List, Set
+from typing import Any, ByteString, Dict, List, Set
 
 from cryptography.fernet import Fernet
 from pydantic import (
@@ -97,6 +97,7 @@ class Session(BaseModel):
     """
 
     fernet: Fernet | None = None
+    aes_key: ByteString | None = None
     info: Dict[str, str] = {}
     rps: Dict[str, int] = {}
     allowed_origins: Set[str] = set()
@@ -116,6 +117,7 @@ class EnvConfig(BaseSettings):
 
     apikey: str
     secret: str
+    transit_key_length: PositiveInt = 32
     database: FilePath | NewPath | str = Field("secrets.db", pattern=".*.db$")
     host: str = socket.gethostbyname("localhost") or "0.0.0.0"
     port: PositiveInt = 9010
@@ -138,7 +140,7 @@ class EnvConfig(BaseSettings):
     ]
 
     @field_validator("allowed_origins", mode="after", check_fields=True)
-    def parse_allowed_origins(
+    def validate_allowed_origins(
         cls, value: HttpUrl | List[HttpUrl]  # noqa: PyMethodParameters
     ) -> List[HttpUrl]:
         """Validate allowed origins to enable CORS policy."""
@@ -147,7 +149,7 @@ def parse_allowed_origins(
         return [value]
 
     @field_validator("allowed_ip_range", mode="after", check_fields=True)
-    def parse_allowed_ip_range(
+    def validate_allowed_ip_range(
         cls, value: List[str]  # noqa: PyMethodParameters
     ) -> List[str]:
         """Validate allowed IP range to whitelist."""
@@ -165,8 +167,8 @@ def parse_allowed_ip_range(
         return value
 
     @field_validator("apikey", mode="after")
-    def parse_apikey(cls, value: str) -> str | None:  # noqa: PyMethodParameters
-        """Parse API key to validate complexity."""
+    def validate_apikey(cls, value: str) -> str | None:  # noqa: PyMethodParameters
+        """Validate API key for complexity."""
         try:
             complexity_checker(value)
         except AssertionError as error:
@@ -174,8 +176,8 @@ def parse_apikey(cls, value: str) -> str | None:  # noqa: PyMethodParameters
         return value
 
     @field_validator("secret", mode="after")
-    def parse_api_secret(cls, value: str) -> str:  # noqa: PyMethodParameters
-        """Parse API secret to Fernet compatible."""
+    def validate_api_secret(cls, value: str) -> str:  # noqa: PyMethodParameters
+        """Validate API secret to Fernet compatible."""
         try:
             Fernet(value)
         except ValueError as error:
diff --git a/vaultapi/routes.py b/vaultapi/routes.py
index df60a34..4f10ba6 100644
--- a/vaultapi/routes.py
+++ b/vaultapi/routes.py
@@ -8,7 +8,7 @@
 from fastapi.routing import APIRoute
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 
-from . import auth, database, exceptions, models, payload, rate_limit
+from . import auth, database, exceptions, models, payload, rate_limit, transit
 
 LOGGER = logging.getLogger("uvicorn.default")
 security = HTTPBearer()
@@ -85,7 +85,9 @@ async def get_secret(
     if value := await retrieve_secret(key, table_name):
         LOGGER.info("Secret value for '%s' was retrieved", key)
         decrypted = models.session.fernet.decrypt(value).decode(encoding="UTF-8")
-        raise exceptions.APIResponse(status_code=HTTPStatus.OK.real, detail=decrypted)
+        raise exceptions.APIResponse(
+            status_code=HTTPStatus.OK.real, detail=transit.encrypt({key: decrypted})
+        )
     LOGGER.info("Secret value for '%s' NOT found in the datastore", key)
     raise exceptions.APIResponse(
         status_code=HTTPStatus.NOT_FOUND.real, detail=HTTPStatus.NOT_FOUND.phrase
@@ -138,7 +140,9 @@ async def get_secrets(
             key: models.session.fernet.decrypt(value).decode(encoding="UTF-8")
             for key, value in values.items()
         }
-        raise exceptions.APIResponse(status_code=code, detail=decrypted)
+        raise exceptions.APIResponse(
+            status_code=code, detail=transit.encrypt(decrypted)
+        )
     if keys_ct == 1:
         LOGGER.info("Secret value for '%s' NOT found in the datastore", keys[0])
     else:
@@ -176,7 +180,9 @@ async def get_table(
         key: models.session.fernet.decrypt(value).decode(encoding="UTF-8")
         for key, value in table_content.items()
     }
-    raise exceptions.APIResponse(status_code=HTTPStatus.OK.real, detail=decrypted)
+    raise exceptions.APIResponse(
+        status_code=HTTPStatus.OK.real, detail=transit.encrypt(decrypted)
+    )
 
 
 async def put_secret(
diff --git a/vaultapi/transit.py b/vaultapi/transit.py
new file mode 100644
index 0000000..8514b29
--- /dev/null
+++ b/vaultapi/transit.py
@@ -0,0 +1,80 @@
+"""Module that performs transit encryption/decryption.
+
+This allows the server to securely transmit the retrieved secret to be decrypted at the client side using the API key.
+"""
+
+import base64
+import hashlib
+import json
+import secrets
+from typing import Any, ByteString, Dict
+
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+
+from . import models
+
+
+def string_to_aes_key(input_string: str, key_length: int) -> ByteString:
+    """Hashes the string.
+
+    Args:
+        input_string: String for which an AES hash has to be generated.
+        key_length: AES key size used during encryption.
+
+    See Also:
+        AES supports three key lengths:
+            - 128 bits (16 bytes)
+            - 192 bits (24 bytes)
+            - 256 bits (32 bytes)
+
+    Returns:
+        str:
+        Return the first 16 bytes for the AES key
+    """
+    hash_object = hashlib.sha256(input_string.encode())
+    return hash_object.digest()[:key_length]
+
+
+def encrypt(payload: Dict[str, Any], url_safe: bool = True) -> ByteString | str:
+    """Encrypt a message using GCM mode with 12 fresh bytes.
+
+    Args:
+        payload: Payload to be encrypted.
+        url_safe: Boolean flag to perform base64 encoding to perform JSON serialization.
+
+    Returns:
+        ByteString | str:
+        Returns the ciphertext as a string or bytes based on the ``url_safe`` flag.
+    """
+    nonce = secrets.token_bytes(12)
+    encoded = json.dumps(payload).encode()
+    # todo: instead of loading aes_key in memory,
+    #  generate it on-demand and append a UTC time value that remains constant for at least 60s (probably env var)
+    ciphertext = nonce + AESGCM(models.session.aes_key).encrypt(nonce, encoded, b"")
+    if url_safe:
+        return base64.b64encode(ciphertext).decode("utf-8")
+    return ciphertext
+
+
+def decrypt(ciphertext: ByteString | str) -> Dict[str, Any]:
+    """Decrypt the ciphertext.
+
+    Raises:
+        Raises ``InvalidTag`` if using wrong key or corrupted ciphertext.
+
+    Returns:
+        Dict[str, Any]:
+        Returns the JSON serialized decrypted payload.
+    """
+    if isinstance(ciphertext, str):
+        ciphertext = base64.b64decode(ciphertext)
+    decrypted = AESGCM(models.session.aes_key).decrypt(
+        ciphertext[:12], ciphertext[12:], b""
+    )
+    return json.loads(decrypted)
+
+
+if __name__ == "__main__":
+    encrypted = encrypt({"key": "value"})
+    b64_encoded = base64.b64encode(encrypted).decode("utf-8")
+    print(decrypt(b64_encoded))
diff --git a/vaultapi/util.py b/vaultapi/util.py
index 1f039e6..d2fc76b 100644
--- a/vaultapi/util.py
+++ b/vaultapi/util.py
@@ -1,7 +1,12 @@
+import base64
+import hashlib
 import importlib
+import json
 import logging
 import sqlite3
+from typing import Any, ByteString, Dict
 
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 from dotenv import dotenv_values
 
 from . import database, main, models
@@ -52,3 +57,25 @@ def dotenv_to_table(
         encrypted = models.session.fernet.encrypt(value.encode(encoding="UTF-8"))
         database.put_secret(key, encrypted, table_name)
     LOGGER.info("%d secrets have been stored to the database.", len(env_vars))
+
+
+def transit_decrypt(
+    apikey: str, ciphertext: str | ByteString, key_length: int = 32
+) -> Dict[str, Any]:
+    """Decrypts the ciphertext into an appropriate payload.
+
+    Args:
+        apikey: API key that was used to encrypt the payload.
+        ciphertext: Encrypted ciphertext.
+        key_length: AES key size used during encryption.
+
+    Returns:
+        Dict[str, Any]:
+        Returns the decrypted payload.
+    """
+    hash_object = hashlib.sha256(apikey.encode())
+    aes_key = hash_object.digest()[:key_length]
+    if isinstance(ciphertext, str):
+        ciphertext = base64.b64decode(ciphertext)
+    decrypted = AESGCM(aes_key).decrypt(ciphertext[:12], ciphertext[12:], b"")
+    return json.loads(decrypted)