Rewrap does not work if data is encrypted using associated data #29532

Closed
d3bt3ch opened this issue Feb 10, 2025 · 2 comments
d3bt3ch commented Feb 10, 2025

If we encrypt data with an associated_data then rewrap fails with the response:

```json
{
    "errors": [
        "cipher: message authentication failed"
    ]
}
```

We tried to provide associated_data while rewrapping as well (though the parameter is not documented, thus probably not supported in rewrap operation) but without any luck.

aslamovamir (Contributor) commented
Hi @d3bt3ch, thanks for opening the issue with us!
Hmm, looks like what you assume is right: the rewrap operation in Vault's transit secrets engine does not support associated_data as a parameter. The reason why this error might be happening is that, given the rewrap operation is supposed to re-encrypt data using a newer version of the encryption key without modifying any authenticated data, if associated_data was used during encryption but is not supported during rewrap, the new encryption process fails because Vault cannot properly validate the auth tag.
The associated_data is used in AEAD (Authenticated Encryption with Associated Data) encryption operations, like encrypt and decrypt, but it is not required or used in rewrap. If your use case involves AEAD and you need to rewrap while maintaining authentication with associated_data, you would have to decrypt the data first and then re-encrypt it with the new key version, manually providing the associated_data. So, the suggestion would be to 1) Read and decrypt the data using the original associated_data 2) Encrypt the data again with associated_data using the latest key version 3) Store the newly encrypted data.
If you would like more information about the rewrap operation, this link might help more!
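The decrypt/re-encrypt procedure outlined above, as an added example that is not Vault's code or the poster's: it reads the key's latest_version, leaves ciphertext that is already on that version alone, decrypts with the original associated_data, and encrypts again under the latest version with the same associated_data. The mount path `transit`, the key name `orders` and the sample AAD are assumptions; Vault's API expects associated_data base64-encoded, and transit ciphertext carries the key version in its `vault:v<N>:` prefix.

```python
"""Client-side rewrap for transit ciphertext created with associated_data.
Example code, not Vault's own. Assumes VAULT_ADDR/VAULT_TOKEN in the
environment and a transit engine mounted at 'transit' (both assumptions)."""
import base64
import json
import os
import urllib.request


def vault_call(method, path, body=None):
    """Minimal Vault HTTP API call; returns the parsed JSON response."""
    req = urllib.request.Request(
        os.environ["VAULT_ADDR"].rstrip("/") + "/v1/" + path,
        data=None if body is None else json.dumps(body).encode(),
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"},
        method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def ciphertext_key_version(ciphertext):
    """Transit ciphertext looks like 'vault:v<N>:<base64>'; N is the key version."""
    prefix, version, _ = ciphertext.split(":", 2)
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError("not a transit ciphertext: %r" % ciphertext)
    return int(version[1:])


def rewrap_with_aad(key_name, ciphertext, associated_data, call=vault_call,
                    mount="transit"):
    """Re-encrypt under the latest key version while keeping the AAD binding.
    Returns the new ciphertext, or the input unchanged if already current."""
    latest = call("GET", f"{mount}/keys/{key_name}")["data"]["latest_version"]
    if ciphertext_key_version(ciphertext) >= latest:
        return ciphertext  # already on the newest version, nothing to do
    aad_b64 = base64.b64encode(associated_data).decode()  # API wants base64 AAD
    # 1) Decrypt with the ORIGINAL associated_data; any other AAD fails the
    #    tag check with "cipher: message authentication failed".
    plaintext_b64 = call("POST", f"{mount}/decrypt/{key_name}",
                         {"ciphertext": ciphertext,
                          "associated_data": aad_b64})["data"]["plaintext"]
    # 2) Encrypt again with the same AAD; omitting key_version selects the latest.
    new_ciphertext = call("POST", f"{mount}/encrypt/{key_name}",
                          {"plaintext": plaintext_b64,
                           "associated_data": aad_b64})["data"]["ciphertext"]
    # 3) The caller stores new_ciphertext in place of the old one.
    return new_ciphertext
```

Unlike Vault's server-side rewrap, this variant hands the plaintext to the calling process, so run it from a trusted service and never log the decoded `plaintext` value.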

d3bt3ch (Author) commented Feb 10, 2025

> So, the suggestion would be to 1) Read and decrypt the data using the original associated_data 2) Encrypt the data again with associated_data using the latest key version 3) Store the newly encrypted data.

That is exactly what we ended up coding. Thank you for the clarification.

@d3bt3ch d3bt3ch closed this as completed Feb 10, 2025
@aslamovamir aslamovamir self-assigned this Feb 10, 2025