Add a "WithoutEnvelope" option to wrappers for raw Encrypt/Decrypt support#301
Status: Open
Reviews: stevendpclark previously approved these changes (Mar 9, 2026); stevendpclark approved these changes (Apr 21, 2026).
By default many of the wrappers use Envelope encryption during encrypt/decrypt. This is helpful for the common case like seal wrapping where we want to support arbitrary-sized plaintexts without worrying about the underlying cipher's limits. However, these days, wrappers are used as a general interface for external cryptography. Some features, like PKI signing, require more low-level operations. An example is SCEP, which uses the CA private key for encryption and decryption as well. Another is Transit managed keys, which support cryptographic primitive operations that may need to interact with other systems. In these cases we need the simple encrypt/decrypt without an envelope.

This PR adds a new global wrapper option, WithoutEnvelope(), which, if present, requests that the wrapper use direct encryption/decryption.
PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
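The envelope-versus-direct distinction the description draws, as an added Go example that is not the project's own code: a toy wrapper whose Option, WithoutEnvelope(), Blob, seal and open are assumed stand-ins for the real API. Envelope mode seals the plaintext under a fresh DEK and uses the KEK only to wrap that DEK; direct mode applies the KEK to the plaintext itself, so the caller gets the raw primitive (and inherits the cipher's size limits) instead of a wrapped-key blob.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)
type Option func(direct *bool) // hypothetical stand-in for the PR's global wrapper option
func WithoutEnvelope() Option { return func(direct *bool) { *direct = true } }
type Blob struct{ Ciphertext, WrappedKey []byte } // wrapper output; WrappedKey is empty in direct mode
func gcm(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(blk)
}
// seal encrypts with AES-GCM, prepending a fresh random nonce to the ciphertext.
func seal(key, pt []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pt, nil), nil
}
// open reverses seal; a tampered blob or a wrong key fails authentication instead of returning garbage.
func open(key, ct []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	if n := g.NonceSize(); len(ct) >= n { return g.Open(nil, ct[:n], ct[n:], nil) }
	return nil, io.ErrUnexpectedEOF
}
// Encrypt: envelope mode seals pt under a fresh DEK and wraps the DEK with the
// KEK; WithoutEnvelope seals pt directly under the KEK, so no DEK is stored.
func Encrypt(kek, pt []byte, opts ...Option) (*Blob, error) {
	direct := false
	for _, o := range opts { o(&direct) }
	if direct { ct, err := seal(kek, pt); return &Blob{Ciphertext: ct}, err }
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil { return nil, err }
	ct, err := seal(dek, pt)
	if err != nil { return nil, err }
	wk, err := seal(kek, dek)
	return &Blob{Ciphertext: ct, WrappedKey: wk}, err
}
// Decrypt infers the mode from the blob: a wrapped key means envelope, none means direct.
func Decrypt(kek []byte, b *Blob) ([]byte, error) {
	if b.WrappedKey == nil { return open(kek, b.Ciphertext) }
	dek, err := open(kek, b.WrappedKey)
	if err != nil { return nil, err }
	return open(dek, b.Ciphertext)
}
```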