Remove non-hash arg support for transform, add clarification of behavior

hashicorp · Jul 6, 2020 · 98bc2d4 · 98bc2d4
1 parent 945dbdc
commit 98bc2d4
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/lib/vault/encrypted_model.rb b/lib/vault/encrypted_model.rb
@@ -42,7 +42,7 @@ module ClassMethods
       #   a proc to encode the value with
       # @option options [Proc] :decode
       #   a proc to decode the value with
-      # @option options [Hash, String] :transform_secret
+      # @option options [Hash] :transform_secret
       #   a hash providing details about a transformation to use,
       #   or a name of an existing transformation
       def vault_attribute(attribute, options = {})
@@ -345,6 +345,8 @@ def __vault_persist_attribute!(attribute, options)
         generated_context = __vault_generate_context(context)
 
         if transform
+          # If this is a secret encrypted with FPE, we should not encrypt it in vault
+          # This prevents a double encryption via standard vault encryption and FPE.
           ciphertext = plaintext
         else
           # Generate the ciphertext and store it back as an attribute