Please take a look at the attached patch to add symmetric & asymmetric vaults. Some comments about the patch:

1. The vault_add was split into a client-side vault_add and server-side vault_add_internal since the parameters are different (i.e. public key file and future escrow-related params). Since vault_add inherits from Local all non-primary-key attributes have to be added explicitly.


2. Since the vault_archive_internal inherits from Update, it accepts all non primary-key attributes automatically. This is incorrect since we don't want to update these parameters during archival. Can this behavior be overridden?

--
Endi S. Dewata
>From 9cc5b1a22c4545124a13e73343db598d6fb58b2c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Fri, 24 Oct 2014 19:53:16 -0400
Subject: [PATCH] Added symmetric and asymmetric vaults.

The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt                                   |  52 ++-
 VERSION                                   |   4 +-
 freeipa.spec.in                           |   2 +
 install/share/60basev3.ldif               |   4 +-
 ipalib/plugins/vault.py                   | 507 +++++++++++++++++++++++++++---
 ipatests/test_xmlrpc/test_vault_plugin.py | 218 +++++++++++--
 6 files changed, 717 insertions(+), 70 deletions(-)

diff --git a/API.txt b/API.txt
index 
9e3f223b7ac338840d7090299f9108e951ea920a..2ce57fb09293bf3cf1f82f4d0bf4e93b30e0fd60
 100644
--- a/API.txt
+++ b/API.txt
@@ -5132,14 +5132,33 @@ output: Output('result', <type 'bool'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,9,3
+args: 1,12,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Str('addattr*', cli_name='addattr', exclude='webui')
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('description?', cli_name='desc')
+option: Bytes('ipapublickey?', cli_name='public_key')
+option: Str('ipavaulttype?', cli_name='type')
+option: Str('public_key_file?', cli_name='public_key_file')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('service?')
+option: Str('setattr*', cli_name='setattr', exclude='webui')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('user?')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
+command: vault_add_internal
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, required=True)
-option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
+option: Bytes('ipapublickey', attribute=True, cli_name='public_key', 
multivalue=False, required=False)
+option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', 
multivalue=False, required=False)
+option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', 
default=u'standard', multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Str('service?')
-option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user?')
 option: Str('version?', exclude='webui')
@@ -5147,11 +5166,13 @@ output: Entry('result', <type 'dict'>, Gettext('A 
dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: vault_archive
-args: 1,8,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?')
 option: Str('in?')
+option: Str('password?', cli_name='password')
+option: Str('password_file?', cli_name='password_file')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Str('service?')
 option: Flag('shared?', autofill=True, default=False)
@@ -5160,11 +5181,14 @@ option: Str('version?', exclude='webui')
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
-command: vault_archive_encrypted
-args: 1,10,3
+command: vault_archive_internal
+args: 1,13,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('description', attribute=True, autofill=False, cli_name='desc', 
multivalue=False, required=False)
+option: Bytes('ipapublickey', attribute=True, autofill=False, 
cli_name='public_key', multivalue=False, required=False)
+option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', 
multivalue=False, required=False)
+option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', 
default=u'standard', multivalue=False, required=False)
 option: Bytes('nonce')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Str('service?')
@@ -5188,11 +5212,12 @@ output: Output('result', <type 'dict'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: ListOfPrimaryKeys('value', None, None)
 command: vault_find
-args: 1,11,4
+args: 1,12,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('cn', attribute=True, autofill=False, cli_name='name', 
maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, 
query=True, required=False)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', 
multivalue=False, query=True, required=False)
+option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', 
default=u'standard', multivalue=False, query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Str('service?')
@@ -5206,12 +5231,15 @@ output: ListOfEntries('result', (<type 'list'>, <type 
'tuple'>), Gettext('A list
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('truncated', <type 'bool'>, None)
 command: vault_mod
-args: 1,11,3
+args: 1,14,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
 option: Str('description', attribute=True, autofill=False, cli_name='desc', 
multivalue=False, required=False)
+option: Bytes('ipapublickey', attribute=True, autofill=False, 
cli_name='public_key', multivalue=False, required=False)
+option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', 
multivalue=False, required=False)
+option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', 
default=u'standard', multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Flag('rights', autofill=True, default=False)
 option: Str('service?')
@@ -5223,10 +5251,14 @@ output: Entry('result', <type 'dict'>, Gettext('A 
dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: vault_retrieve
-args: 1,7,3
+args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('out?')
+option: Str('password?', cli_name='password')
+option: Str('password_file?', cli_name='password_file')
+option: Bytes('private_key?', cli_name='private_key')
+option: Str('private_key_file?', cli_name='private_key_file')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Str('service?')
 option: Flag('shared?', autofill=True, default=False)
@@ -5235,7 +5267,7 @@ option: Str('version?', exclude='webui')
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
-command: vault_retrieve_encrypted
+command: vault_retrieve_internal
 args: 1,7,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
diff --git a/VERSION b/VERSION
index 
535b3e228a3500f2013ea793b19a97d9fbd05021..efc3cf0d105db540680002cf814991f81816a089
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=126
-# Last change: edewata - added vault-archive and vault-retrieve
+IPA_API_VERSION_MINOR=127
+# Last change: edewata - added symmetric and asymmetric vaults
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 
23c3d1a8005d36ce253f9979235454ba80c3dbcf..fdf89f98a95e9d2d2818bd2bf5c506df63abcd79
 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -64,6 +64,7 @@ BuildRequires:  python-ldap
 BuildRequires:  python-setuptools
 BuildRequires:  python-krbV
 BuildRequires:  python-nss
+BuildRequires:  python-cryptography
 BuildRequires:  python-netaddr
 BuildRequires:  python-kerberos >= 1.1-14
 BuildRequires:  python-rhsm
@@ -286,6 +287,7 @@ Requires: iproute
 Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
+Requires: python-cryptography
 Requires: python-lxml
 Requires: python-netaddr
 Requires: libipa_hbac-python
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 
33f4804e30ff1b3814ecf295bb41f07e2a8cd12f..cb159db05a5371c71e421160f60140d85ba5496f
 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -56,6 +56,8 @@ attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 
'ipaSecretKeyRef' DESC 'DN of
 attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 
'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY 
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA 
v4.1')
 attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 
'Destination location to move an entry IPA permission ACI' EQUALITY 
distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE 
X-ORIGIN 'IPA v4.0' )
 attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 
'Source location from where moving an entry IPA permission ACI' EQUALITY 
distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE 
X-ORIGIN 'IPA v4.0' )
+attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA 
vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
X-ORIGIN 'IPA v4.2')
+attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA 
vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 
X-ORIGIN 'IPA v4.2' )
 objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top 
STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ 
owner) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top 
AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ 
ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA 
v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top 
AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
@@ -79,4 +81,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 
'ipaPublicKeyObject' DESC 'Wrap
 objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 
'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey 
$ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
 objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 
'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ 
ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
 objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 
'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( 
ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' 
SUP top STRUCTURAL MUST ( cn ) MAY ( description ) X-ORIGIN 'IPA v4.2' )
+objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' 
SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt 
$ ipaPublicKey ) X-ORIGIN 'IPA v4.2' )
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
e1e64aa40331067e610661142fc7e4c1340a56dd..687e5da6e711ea376cea28d2631eea7626ccf51f
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -18,11 +18,20 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import base64
+import getpass
 import json
 import os
 import sys
 import tempfile
 
+from cryptography.fernet import Fernet, InvalidToken
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.serialization import load_pem_public_key,\
+    load_pem_private_key
+
 import nss.nss as nss
 import krbV
 
@@ -50,6 +59,36 @@ Vaults
 """) + _("""
 Manage vaults.
 """) + _("""
+Vault is a secure place to store a secret.
+""") + _("""
+Based on the ownership there are three vault categories:
+* user/private vault
+* service vault
+* shared vault
+""") + _("""
+User vaults are vaults owned used by a particular user. Private
+vaults are vaults owned the current user. Service vaults are
+vaults owned by a service. Shared vaults are owned by the admin
+but they can be used by other users or services.
+""") + _("""
+Based on the security mechanism there are three types of
+vaults:
+* standard vault
+* symmetric vault
+* asymmetric vault
+""") + _("""
+Standard vault uses a secure mechanism to transport and
+store the secret. The secret can only be retrieved by users
+that have access to the vault.
+""") + _("""
+Symmetric vault is similar to the standard vault, but it
+pre-encrypts the secret using a password before transport.
+The secret can only be retrieved using the same password.
+""") + _("""
+Asymmetric vault is similar to the standard vault, but it
+pre-encrypts the secret using a public key before transport.
+The secret can only be retrieved using the private key.
+""") + _("""
 EXAMPLES:
 """) + _("""
  List private vaults:
@@ -76,6 +115,12 @@ EXAMPLES:
  Add a user vault:
    ipa vault-add <name> --user <username>
 """) + _("""
+ Add a symmetric vault:
+   ipa vault-add <name> --type symmetric
+""") + _("""
+ Add an asymmetric vault:
+   ipa vault-add <name> --type asymmetric
+""") + _("""
  Show a private vault:
    ipa vault-show <name>
 """) + _("""
@@ -113,7 +158,7 @@ EXAMPLES:
    ipa vault-del <name> --user <username>
 """) + _("""
  Display vault configuration:
-   ipa vault-config
+   ipa vaultconfig-show
 """) + _("""
  Archive data into private vault:
    ipa vault-archive <name> --in <input file>
@@ -127,6 +172,12 @@ EXAMPLES:
  Archive data into user vault:
    ipa vault-archive <name> --user <username> --in <input file>
 """) + _("""
+ Archive data into symmetric vault:
+   ipa vault-archive <name> --in <input file>
+""") + _("""
+ Archive data into asymmetric vault:
+   ipa vault-archive <name> --in <input file>
+""") + _("""
  Retrieve data from private vault:
    ipa vault-retrieve <name> --out <output file>
 """) + _("""
@@ -137,7 +188,13 @@ EXAMPLES:
    ipa vault-retrieve <name> --shared --out <output file>
 """) + _("""
  Retrieve data from user vault:
-   ipa vault-retrieve <name> --user <user name> --out <output file>
+   ipa vault-retrieve <name> --user <username> --out <output file>
+""") + _("""
+ Retrieve data from symmetric vault:
+   ipa vault-retrieve <name> --out data.bin
+""") + _("""
+ Retrieve data from asymmetric vault:
+   ipa vault-retrieve <name> --out data.bin --private-key-file private.pem
 """)
 
 register = Registry()
@@ -146,7 +203,7 @@ register = Registry()
 vault_options = (
     Str(
         'service?',
-        doc=_('Service name'),
+        doc=_('Service name of the service vault'),
     ),
     Flag(
         'shared?',
@@ -154,7 +211,7 @@ vault_options = (
     ),
     Str(
         'user?',
-        doc=_('Username'),
+        doc=_('Username of the user vault'),
     ),
 )
 
@@ -174,6 +231,14 @@ class vault(LDAPObject):
     default_attributes = [
         'cn',
         'description',
+        'ipavaulttype',
+        'ipavaultsalt',
+        'ipapublickey',
+    ]
+    search_display_attributes = [
+        'cn',
+        'description',
+        'ipavaulttype',
     ]
 
     label = _('Vaults')
@@ -195,6 +260,28 @@ class vault(LDAPObject):
             label=_('Description'),
             doc=_('Vault description'),
         ),
+        Str(
+            'ipavaulttype?',
+            cli_name='type',
+            label=_('Type'),
+            doc=_('Vault type'),
+            default=u'standard',
+            autofill=True,
+        ),
+        Bytes(
+            'ipavaultsalt?',
+            cli_name='salt',
+            label=_('Salt'),
+            doc=_('Vault salt'),
+            flags=['no_search'],
+        ),
+        Bytes(
+            'ipapublickey?',
+            cli_name='public_key',
+            label=_('Public key'),
+            doc=_('Vault public key'),
+            flags=['no_search'],
+        ),
     )
 
     def get_dn(self, *keys, **options):
@@ -307,12 +394,168 @@ class vault(LDAPObject):
 
         return 'ipa:' + id
 
+    def get_password(self):
+        """
+        Gets password from user.
+        """
+        return getpass.getpass('Password: ').decode(sys.stdin.encoding)
+
+    def generate_symmetric_key(self, password, salt):
+        """
+        Generates symmetric key from password and salt.
+        """
+        kdf = PBKDF2HMAC(
+            algorithm=hashes.SHA256(),
+            length=32,
+            salt=salt,
+            iterations=100000,
+            backend=default_backend()
+        )
+
+        return base64.b64encode(kdf.derive(password.encode('utf-8')))
+
+    def encrypt(self, data, symmetric_key=None, public_key=None):
+        """
+        Encrypts data with symmetric key or public key.
+        """
+        if symmetric_key:
+            fernet = Fernet(symmetric_key)
+            return fernet.encrypt(data)
+
+        elif public_key:
+            rsa_public_key = load_pem_public_key(
+                data=public_key,
+                backend=default_backend()
+            )
+            return rsa_public_key.encrypt(
+                data,
+                padding.OAEP(
+                    mgf=padding.MGF1(algorithm=hashes.SHA1()),
+                    algorithm=hashes.SHA1(),
+                    label=None
+                )
+            )
+
+    def decrypt(self, data, symmetric_key=None, private_key=None):
+        """
+        Decrypts data with symmetric key or public key.
+        """
+        if symmetric_key:
+            try:
+                fernet = Fernet(symmetric_key)
+                return fernet.decrypt(data)
+            except InvalidToken:
+                raise errors.AuthenticationError(
+                    message=_('Invalid credentials'))
+
+        elif private_key:
+            try:
+                rsa_private_key = load_pem_private_key(
+                    data=private_key,
+                    password=None,
+                    backend=default_backend()
+                )
+                return rsa_private_key.decrypt(
+                    data,
+                    padding.OAEP(
+                        mgf=padding.MGF1(algorithm=hashes.SHA1()),
+                        algorithm=hashes.SHA1(),
+                        label=None
+                    )
+                )
+            except AssertionError:
+                raise errors.AuthenticationError(
+                    message=_('Invalid credentials'))
+
 
 @register()
-class vault_add(LDAPCreate):
+class vault_add(PKQuery, Local):
     __doc__ = _('Create a new vault.')
 
-    takes_options = LDAPCreate.takes_options + vault_options
+    takes_options = LDAPCreate.takes_options + vault_options + (
+        Str(
+            'description?',
+            cli_name='desc',
+            doc=_('Vault description'),
+        ),
+        Str(
+            'ipavaulttype?',
+            cli_name='type',
+            doc=_('Vault type'),
+        ),
+        Bytes(
+            'ipapublickey?',
+            cli_name='public_key',
+            doc=_('Vault public key'),
+        ),
+        Str(  # TODO: use File parameter
+            'public_key_file?',
+            cli_name='public_key_file',
+            doc=_('File containing the vault public key'),
+        ),
+    )
+
+    has_output = output.standard_entry
+
+    def forward(self, *args, **options):
+
+        vault_type = options.get('ipavaulttype', u'standard')
+        public_key = options.get('ipapublickey')
+        public_key_file = options.get('public_key_file')
+
+        # don't send these parameters to server
+        if 'ipapublickey' in options:
+            del options['ipapublickey']
+        if 'public_key_file' in options:
+            del options['public_key_file']
+
+        if self.api.env.in_server:
+            backend = self.api.Backend.ldap2
+        else:
+            backend = self.api.Backend.rpcclient
+        if not backend.isconnected():
+            backend.connect(ccache=krbV.default_context().default_ccache())
+
+        if vault_type == u'standard':
+
+            pass
+
+        elif vault_type == u'symmetric':
+
+            # generate vault salt
+            options['ipavaultsalt'] = os.urandom(16)
+
+        elif vault_type == u'asymmetric':
+
+            # get new vault public key
+            if public_key and public_key_file:
+                raise errors.MutuallyExclusiveError(
+                    reason=_('Public key specified multiple times'))
+
+            elif public_key:
+                pass
+
+            elif public_key_file:
+                with open(public_key_file, 'rb') as f:
+                    public_key = f.read()
+
+            else:
+                raise errors.ValidationError(
+                    name='ipapublickey',
+                    error=_('Missing vault public key'))
+
+            # store vault public key
+            options['ipapublickey'] = public_key
+
+        return self.api.Command.vault_add_internal(*args, **options)
+
+
+@register()
+class vault_add_internal(LDAPCreate):
+
+    NO_CLI = True
+
+    takes_options = vault_options
 
     msg_summary = _('Added vault "%(value)s"')
 
@@ -513,29 +756,46 @@ class vault_archive(PKQuery, Local):
             'in?',
             doc=_('File containing data to archive'),
         ),
+        Str(
+            'password?',
+            cli_name='password',
+            doc=_('Vault password'),
+        ),
+        Str(  # TODO: use File parameter
+            'password_file?',
+            cli_name='password_file',
+            doc=_('File containing the vault password'),
+        ),
     )
 
     has_output = output.standard_entry
 
-    msg_summary = _('Archived data into vault "%(value)s"')
-
     def forward(self, *args, **options):
 
+        name = args[-1]
+
         data = options.get('data')
         input_file = options.get('in')
 
+        password = options.get('password')
+        password_file = options.get('password_file')
+
         # don't send these parameters to server
         if 'data' in options:
             del options['data']
         if 'in' in options:
             del options['in']
+        if 'password' in options:
+            del options['password']
+        if 'password_file' in options:
+            del options['password_file']
 
         # get data
         if data and input_file:
             raise errors.MutuallyExclusiveError(
                 reason=_('Input data specified multiple times'))
 
-        if input_file:
+        elif input_file:
             with open(input_file, 'rb') as f:
                 data = f.read()
 
@@ -549,13 +809,69 @@ class vault_archive(PKQuery, Local):
         if not backend.isconnected():
             backend.connect(ccache=krbV.default_context().default_ccache())
 
+        # retrieve vault info
+        vault = self.api.Command.vault_show(*args, **options)['result']
+
+        vault_type = vault['ipavaulttype'][0]
+
+        if vault_type == u'standard':
+
+            encrypted_key = None
+
+        elif vault_type == u'symmetric':
+
+            salt = vault['ipavaultsalt'][0]
+
+            # get password
+            if password and password_file:
+                raise errors.MutuallyExclusiveError(
+                    reason=_('Password specified multiple times'))
+
+            elif password:
+                pass
+
+            elif password_file:
+                with open(password_file) as f:
+                    password = f.read().rstrip('\n').decode('utf-8')
+
+            else:
+                password = self.obj.get_password()
+
+            # generate encryption key from vault password
+            encryption_key = self.obj.generate_symmetric_key(
+                password, salt)
+
+            # encrypt data with encryption key
+            data = self.obj.encrypt(data, symmetric_key=encryption_key)
+
+            encrypted_key = None
+
+        elif vault_type == u'asymmetric':
+
+            public_key = vault['ipapublickey'][0].encode('utf-8')
+
+            # generate encryption key
+            encryption_key = base64.b64encode(os.urandom(32))
+
+            # encrypt data with encryption key
+            data = self.obj.encrypt(data, symmetric_key=encryption_key)
+
+            # encrypt encryption key with public key
+            encrypted_key = self.obj.encrypt(
+                encryption_key, public_key=public_key)
+
+        else:
+            raise errors.ValidationError(
+                name='vault_type',
+                error=_('Invalid vault type'))
+
         # initialize NSS database
         current_dbdir = paths.IPA_NSSDB_DIR
         nss.nss_init(current_dbdir)
 
         # retrieve transport certificate
-        config = self.api.Command.vaultconfig_show()
-        transport_cert_der = config['result']['transport_cert']
+        config = self.api.Command.vaultconfig_show()['result']
+        transport_cert_der = config['transport_cert']
         nss_transport_cert = nss.Certificate(transport_cert_der)
 
         # generate session key
@@ -579,6 +895,10 @@ class vault_archive(PKQuery, Local):
         vault_data = {}
         vault_data[u'data'] = base64.b64encode(data).decode('utf-8')
 
+        if encrypted_key:
+            vault_data[u'encrypted_key'] = base64.b64encode(encrypted_key)\
+                .decode('utf-8')
+
         json_vault_data = json.dumps(vault_data)
 
         # wrap vault_data with session key
@@ -595,16 +915,12 @@ class vault_archive(PKQuery, Local):
 
         options['vault_data'] = wrapped_vault_data
 
-        response = self.api.Command.vault_archive_encrypted(*args, **options)
-
-        response['result'] = {}
-        del response['summary']
-
-        return response
+        return self.api.Command.vault_archive_internal(*args, **options)
 
 
 @register()
-class vault_archive_encrypted(Update):
+class vault_archive_internal(Update):
+
     NO_CLI = True
 
     takes_options = vault_options + (
@@ -622,6 +938,8 @@ class vault_archive_encrypted(Update):
         ),
     )
 
+    msg_summary = _('Archived data into vault "%(value)s"')
+
     def execute(self, *args, **options):
 
         if not self.api.env.enable_kra:
@@ -633,8 +951,7 @@ class vault_archive_encrypted(Update):
         wrapped_session_key = options.pop('session_key')
 
         # retrieve vault info
-        result = self.api.Command.vault_show(*args, **options)
-        vault = result['result']
+        vault = self.api.Command.vault_show(*args, **options)['result']
 
         # connect to KRA
         kra_client = self.api.Backend.kra.get_client()
@@ -666,7 +983,14 @@ class vault_archive_encrypted(Update):
 
         kra_account.logout()
 
-        return result
+        response = {
+            'value': args[-1],
+            'result': {},
+        }
+
+        response['summary'] = self.msg_summary % response
+
+        return response
 
 
 @register()
@@ -678,6 +1002,26 @@ class vault_retrieve(PKQuery, Local):
             'out?',
             doc=_('File to store retrieved data'),
         ),
+        Str(
+            'password?',
+            cli_name='password',
+            doc=_('Vault password'),
+        ),
+        Str(  # TODO: use File parameter
+            'password_file?',
+            cli_name='password_file',
+            doc=_('File containing the vault password'),
+        ),
+        Bytes(
+            'private_key?',
+            cli_name='private_key',
+            doc=_('Vault private key'),
+        ),
+        Str(  # TODO: use File parameter
+            'private_key_file?',
+            cli_name='private_key_file',
+            doc=_('File containing the vault private key'),
+        ),
     )
 
     has_output = output.standard_entry
@@ -688,15 +1032,28 @@ class vault_retrieve(PKQuery, Local):
         ),
     )
 
-    msg_summary = _('Retrieved data from vault "%(value)s"')
-
     def forward(self, *args, **options):
 
+        name = args[-1]
+
         output_file = options.get('out')
 
+        password = options.get('password')
+        password_file = options.get('password_file')
+        private_key = options.get('private_key')
+        private_key_file = options.get('private_key_file')
+
         # don't send these parameters to server
         if 'out' in options:
             del options['out']
+        if 'password' in options:
+            del options['password']
+        if 'password_file' in options:
+            del options['password_file']
+        if 'private_key' in options:
+            del options['private_key']
+        if 'private_key_file' in options:
+            del options['private_key_file']
 
         if self.api.env.in_server:
             backend = self.api.Backend.ldap2
@@ -705,13 +1062,18 @@ class vault_retrieve(PKQuery, Local):
         if not backend.isconnected():
             backend.connect(ccache=krbV.default_context().default_ccache())
 
+        # retrieve vault info
+        vault = self.api.Command.vault_show(*args, **options)['result']
+
+        vault_type = vault['ipavaulttype'][0]
+
         # initialize NSS database
         current_dbdir = paths.IPA_NSSDB_DIR
         nss.nss_init(current_dbdir)
 
         # retrieve transport certificate
-        config = self.api.Command.vaultconfig_show()
-        transport_cert_der = config['result']['transport_cert']
+        config = self.api.Command.vaultconfig_show()['result']
+        transport_cert_der = config['transport_cert']
         nss_transport_cert = nss.Certificate(transport_cert_der)
 
         # generate session key
@@ -729,7 +1091,7 @@ class vault_retrieve(PKQuery, Local):
         # send retrieval request to server
         options['session_key'] = wrapped_session_key.data
 
-        response = self.api.Command.vault_retrieve_encrypted(*args, **options)
+        response = self.api.Command.vault_retrieve_internal(*args, **options)
 
         result = response['result']
         nonce = result['nonce']
@@ -751,18 +1113,85 @@ class vault_retrieve(PKQuery, Local):
         vault_data = json.loads(json_vault_data)
         data = base64.b64decode(vault_data[u'data'].encode('utf-8'))
 
+        encrypted_key = None
+
+        if 'encrypted_key' in vault_data:
+            encrypted_key = base64.b64decode(vault_data[u'encrypted_key']
+                                             .encode('utf-8'))
+
+        if vault_type == u'standard':
+
+            pass
+
+        elif vault_type == u'symmetric':
+
+            salt = vault['ipavaultsalt'][0]
+
+            # get encryption key from vault password
+            if password and password_file:
+                raise errors.MutuallyExclusiveError(
+                    reason=_('Password specified multiple times'))
+
+            elif password:
+                pass
+
+            elif password_file:
+                with open(password_file) as f:
+                    password = f.read().rstrip('\n').decode('utf-8')
+
+            else:
+                password = self.obj.get_password()
+
+            # generate encryption key from password
+            encryption_key = self.obj.generate_symmetric_key(password, salt)
+
+            # decrypt data with encryption key
+            data = self.obj.decrypt(data, symmetric_key=encryption_key)
+
+        elif vault_type == u'asymmetric':
+
+            # get encryption key with vault private key
+            if private_key and private_key_file:
+                raise errors.MutuallyExclusiveError(
+                    reason=_('Private key specified multiple times'))
+
+            elif private_key:
+                pass
+
+            elif private_key_file:
+                with open(private_key_file, 'rb') as f:
+                    private_key = f.read()
+
+            else:
+                raise errors.ValidationError(
+                    name='private_key',
+                    error=_('Missing vault private key'))
+
+            # decrypt encryption key with private key
+            encryption_key = self.obj.decrypt(
+                encrypted_key, private_key=private_key)
+
+            # decrypt data with encryption key
+            data = self.obj.decrypt(data, symmetric_key=encryption_key)
+
+        else:
+            raise errors.ValidationError(
+                name='vault_type',
+                error=_('Invalid vault type'))
+
         if output_file:
             with open(output_file, 'w') as f:
                 f.write(data)
 
-        response['result'] = {'data': data}
-        del response['summary']
+        else:
+            response['result'] = {'data': data}
 
         return response
 
 
 @register()
-class vault_retrieve_encrypted(Retrieve):
+class vault_retrieve_internal(Retrieve):
+
     NO_CLI = True
 
     takes_options = vault_options + (
@@ -772,6 +1201,8 @@ class vault_retrieve_encrypted(Retrieve):
         ),
     )
 
+    msg_summary = _('Retrieved data from vault "%(value)s"')
+
     def execute(self, *args, **options):
 
         if not self.api.env.enable_kra:
@@ -781,8 +1212,7 @@ class vault_retrieve_encrypted(Retrieve):
         wrapped_session_key = options.pop('session_key')
 
         # retrieve vault info
-        result = self.api.Command.vault_show(*args, **options)
-        vault = result['result']
+        vault = self.api.Command.vault_show(*args, **options)['result']
 
         # connect to KRA
         kra_client = self.api.Backend.kra.get_client()
@@ -807,9 +1237,16 @@ class vault_retrieve_encrypted(Retrieve):
             key_info.get_key_id(),
             wrapped_session_key)
 
-        vault['vault_data'] = key.encrypted_data
-        vault['nonce'] = key.nonce_data
-
         kra_account.logout()
 
-        return result
+        response = {
+            'value': args[-1],
+            'result': {
+                'vault_data': key.encrypted_data,
+                'nonce': key.nonce_data,
+            },
+        }
+
+        response['summary'] = self.msg_summary % response
+
+        return response
diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py 
b/ipatests/test_xmlrpc/test_vault_plugin.py
index 
4b18672c102e9d1cc5513b159c4f903a711da3f4..d68d06f4b5d7634b48ff5672ece41ed50d69e089
 100644
--- a/ipatests/test_xmlrpc/test_vault_plugin.py
+++ b/ipatests/test_xmlrpc/test_vault_plugin.py
@@ -22,15 +22,63 @@ Test the `ipalib/plugins/vault.py` module.
 """
 
 from ipalib import api, errors
-from xmlrpc_test import Declarative
+from xmlrpc_test import Declarative, fuzzy_string
 
 vault_name = u'test_vault'
 service_name = u'HTTP/server.example.com'
 user_name = u'testuser'
 
+standard_vault_name = u'standard_test_vault'
+symmetric_vault_name = u'symmetric_test_vault'
+asymmetric_vault_name = u'asymmetric_test_vault'
+
 # binary data from \x00 to \xff
 secret = ''.join(map(chr, xrange(0, 256)))
 
+password = u'password'
+
+public_key = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnT61EFxUOQgCJdM0tmw/
+pRRPDPGchTClnU1eBtiQD3ItKYf1+weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDe
+k/zeB6nSVdk47OdaW1AHrJL+44r238Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqB
+tsxXaaAgjMp0AGq2U/aO/akeEYWQOYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7N
+otG4eR6c2o9Fyjd+M4Gai5Ce0fSrigRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLO
+pVThop+Xivcre3SpI0kt6oZPhBw9i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG6
+3wIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+private_key = """
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAnT61EFxUOQgCJdM0tmw/pRRPDPGchTClnU1eBtiQD3ItKYf1
++weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDek/zeB6nSVdk47OdaW1AHrJL+44r2
+38Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqBtsxXaaAgjMp0AGq2U/aO/akeEYWQ
+OYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7NotG4eR6c2o9Fyjd+M4Gai5Ce0fSr
+igRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLOpVThop+Xivcre3SpI0kt6oZPhBw9
+i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG63wIDAQABAoIBAQCD2bXnfxPcMnvi
+jaPwpvoDCPF0EBBHmk/0g5ApO2Qon3uBDJFUqbJwXrCY6o2d9MOJfnGONlKmcYA8
+X+d4h+SqwGjIkjxdYeSauS+Jy6Rzr1ptH/P8EjPQrfG9uJxYQDflV3nxYwwwVrx7
+8kccMPdteRB+8Bb7FzOHufMimmayCNFETnVT5CKH2PrYoPB+fr0itCipWOenDp33
+e73OV+K9U3rclmtHaoRxGohqByKfQRUkipjw4m+T3qfZZc5eN77RGW8J+oL1GVom
+fwtiH7N1HVte0Dmd13nhiASg355kjqRPcIMPsRHvXkOpgg5HRUTKG5elqAyvvm27
+Fzj1YdeRAoGBAMnE61+FYh8qCyEGe8r6RGjO8iuoyk1t+0gBWbmILLBiRnj4K8Tc
+k7HBG/pg3XCNbCuRwiLg8tk3VAAXzn6o+IJr3QnKbNCGa1lKfYU4mt11sBEyuL5V
+NpZcZ8IiPhMlGyDA9cFbTMKOE08RqbOIdxOmTizFt0R5sYZAwOjEvBIZAoGBAMeC
+N/P0bdrScFZGeS51wEdiWme/CO0IyGoqU6saI8L0dbmMJquiaAeIEjIKLqxH1RON
+axhsyk97e0PCcc5QK62Utf50UUAbL/v7CpIG+qdSRYDO4bVHSCkwF32N3pYh/iVU
+EsEBEkZiJi0dWa/0asDbsACutxcHda3RI5pi7oO3AoGAcbGNs/CUHt1xEfX2UaT+
+YVSjb2iYPlNH8gYYygvqqqVl8opdF3v3mYUoP8jPXrnCBzcF/uNk1HNx2O+RQxvx
+lIQ1NGwlLsdfvBvWaPhBg6LqSHadVVrs/IMrUGA9PEp/Y9B3arIIqeSnCrn4Nxsh
+higDCwWKRIKSPwVD7qXVGBkCgYEAu5/CASIRIeYgEXMLSd8hKcDcJo8o1MoauIT/
+1Hyrvw9pm0qrn2QHk3WrLvYWeJzBTTcEzZ6aEG+fN9UodA8/VGnzUc6QDsrCsKWh
+hj0cArlDdeSZrYLQ4TNCFCiUePqU6QQM8weP6TMqlejxTKF+t8qi1bF5rCWuzP1P
+D0UU7DcCgYAUvmEGckugS+FTatop8S/rmkcQ4Bf5M/YCZfsySavucDiHcBt0QtXt
+Swh0XdDsYS3W1yj2XqqsQ7R58KNaffCHjjulWFzb5IiuSvvdxzWtiXHisOpO36MJ
+kUlCMj24a8XsShzYTWBIyW2ngvGe3pQ9PfjkUdm0LGZjYITCBvgOKw==
+-----END RSA PRIVATE KEY-----
+"""
+
 
 class test_vault_plugin(Declarative):
 
@@ -42,6 +90,9 @@ class test_vault_plugin(Declarative):
         }),
         ('vault_del', [vault_name], {'shared': True, 'continue': True}),
         ('vault_del', [vault_name], {'user': user_name, 'continue': True}),
+        ('vault_del', [standard_vault_name], {'continue': True}),
+        ('vault_del', [symmetric_vault_name], {'continue': True}),
+        ('vault_del', [asymmetric_vault_name], {'continue': True}),
     ]
 
     tests = [
@@ -61,6 +112,7 @@ class test_vault_plugin(Declarative):
                           % (vault_name, api.env.basedn),
                     'objectclass': [u'top', u'ipaVault'],
                     'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
@@ -81,6 +133,7 @@ class test_vault_plugin(Declarative):
                         'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
                               % (vault_name, api.env.basedn),
                         'cn': [vault_name],
+                        'ipavaulttype': [u'standard'],
                     },
                 ],
             },
@@ -100,6 +153,7 @@ class test_vault_plugin(Declarative):
                     'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
                           % (vault_name, api.env.basedn),
                     'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
@@ -119,6 +173,7 @@ class test_vault_plugin(Declarative):
                 'result': {
                     'cn': [vault_name],
                     'description': [u'Test vault'],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
@@ -156,6 +211,7 @@ class test_vault_plugin(Declarative):
                           % (vault_name, service_name, api.env.basedn),
                     'objectclass': [u'top', u'ipaVault'],
                     'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
@@ -178,6 +234,7 @@ class test_vault_plugin(Declarative):
                         'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
                               % (vault_name, service_name, api.env.basedn),
                         'cn': [vault_name],
+                        'ipavaulttype': [u'standard'],
                     },
                 ],
             },
@@ -199,6 +256,7 @@ class test_vault_plugin(Declarative):
                     'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
                           % (vault_name, service_name, api.env.basedn),
                     'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
@@ -219,6 +277,7 @@ class test_vault_plugin(Declarative):
                 'result': {
                     'cn': [vault_name],
                     'description': [u'Test vault'],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
@@ -258,6 +317,7 @@ class test_vault_plugin(Declarative):
                           % (vault_name, api.env.basedn),
                     'objectclass': [u'top', u'ipaVault'],
                     'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
@@ -280,6 +340,7 @@ class test_vault_plugin(Declarative):
                         'dn': u'cn=%s,cn=shared,cn=vaults,%s'
                               % (vault_name, api.env.basedn),
                         'cn': [vault_name],
+                        'ipavaulttype': [u'standard'],
                     },
                 ],
             },
@@ -301,6 +362,7 @@ class test_vault_plugin(Declarative):
                     'dn': u'cn=%s,cn=shared,cn=vaults,%s'
                           % (vault_name, api.env.basedn),
                     'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
@@ -321,6 +383,7 @@ class test_vault_plugin(Declarative):
                 'result': {
                     'cn': [vault_name],
                     'description': [u'Test vault'],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
@@ -360,6 +423,7 @@ class test_vault_plugin(Declarative):
                           % (vault_name, user_name, api.env.basedn),
                     'objectclass': [u'top', u'ipaVault'],
                     'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
@@ -382,6 +446,7 @@ class test_vault_plugin(Declarative):
                         'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
                               % (vault_name, user_name, api.env.basedn),
                         'cn': [vault_name],
+                        'ipavaulttype': [u'standard'],
                     },
                 ],
             },
@@ -403,6 +468,7 @@ class test_vault_plugin(Declarative):
                     'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
                           % (vault_name, user_name, api.env.basedn),
                     'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
@@ -423,6 +489,7 @@ class test_vault_plugin(Declarative):
                 'result': {
                     'cn': [vault_name],
                     'description': [u'Test vault'],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
@@ -446,50 +513,53 @@ class test_vault_plugin(Declarative):
         },
 
         {
-            'desc': 'Create vault for archival',
+            'desc': 'Create standard vault',
             'command': (
                 'vault_add',
-                [vault_name],
+                [standard_vault_name],
                 {},
             ),
             'expected': {
-                'value': vault_name,
-                'summary': 'Added vault "%s"' % vault_name,
+                'value': standard_vault_name,
+                'summary': 'Added vault "%s"' % standard_vault_name,
                 'result': {
                     'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
-                          % (vault_name, api.env.basedn),
+                          % (standard_vault_name, api.env.basedn),
                     'objectclass': [u'top', u'ipaVault'],
-                    'cn': [vault_name],
+                    'cn': [standard_vault_name],
+                    'ipavaulttype': [u'standard'],
                 },
             },
         },
 
         {
-            'desc': 'Archive secret',
+            'desc': 'Archive secret into standard vault',
             'command': (
                 'vault_archive',
-                [vault_name],
+                [standard_vault_name],
                 {
                     'data': secret,
                 },
             ),
             'expected': {
-                'value': vault_name,
-                'summary': 'Archived data into vault "%s"' % vault_name,
+                'value': standard_vault_name,
+                'summary': 'Archived data into vault "%s"'
+                           % standard_vault_name,
                 'result': {},
             },
         },
 
         {
-            'desc': 'Retrieve secret',
+            'desc': 'Retrieve secret from standard vault',
             'command': (
                 'vault_retrieve',
-                [vault_name],
+                [standard_vault_name],
                 {},
             ),
             'expected': {
-                'value': vault_name,
-                'summary': 'Retrieved data from vault "%s"' % vault_name,
+                'value': standard_vault_name,
+                'summary': 'Retrieved data from vault "%s"'
+                           % standard_vault_name,
                 'result': {
                     'data': secret,
                 },
@@ -497,17 +567,121 @@ class test_vault_plugin(Declarative):
         },
 
         {
-            'desc': 'Delete vault for archival',
+            'desc': 'Create symmetric vault',
             'command': (
-                'vault_del',
-                [vault_name],
-                {},
+                'vault_add',
+                [symmetric_vault_name],
+                {
+                    'ipavaulttype': u'symmetric',
+                },
+            ),
+            'expected': {
+                'value': symmetric_vault_name,
+                'summary': 'Added vault "%s"' % symmetric_vault_name,
+                'result': {
+                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
+                          % (symmetric_vault_name, api.env.basedn),
+                    'objectclass': [u'top', u'ipaVault'],
+                    'cn': [symmetric_vault_name],
+                    'ipavaulttype': [u'symmetric'],
+                    'ipavaultsalt': [fuzzy_string],
+                },
+            },
+        },
+
+        {
+            'desc': 'Archive secret into symmetric vault',
+            'command': (
+                'vault_archive',
+                [symmetric_vault_name],
+                {
+                    'password': password,
+                    'data': secret,
+                },
+            ),
+            'expected': {
+                'value': symmetric_vault_name,
+                'summary': 'Archived data into vault "%s"'
+                           % symmetric_vault_name,
+                'result': {},
+            },
+        },
+
+        {
+            'desc': 'Retrieve secret from symmetric vault',
+            'command': (
+                'vault_retrieve',
+                [symmetric_vault_name],
+                {
+                    'password': password,
+                },
+            ),
+            'expected': {
+                'value': symmetric_vault_name,
+                'summary': 'Retrieved data from vault "%s"'
+                           % symmetric_vault_name,
+                'result': {
+                    'data': secret,
+                },
+            },
+        },
+
+        {
+            'desc': 'Create asymmetric vault',
+            'command': (
+                'vault_add',
+                [asymmetric_vault_name],
+                {
+                    'ipavaulttype': u'asymmetric',
+                    'ipapublickey': public_key,
+                },
             ),
             'expected': {
-                'value': [vault_name],
-                'summary': u'Deleted vault "%s"' % vault_name,
+                'value': asymmetric_vault_name,
+                'summary': 'Added vault "%s"' % asymmetric_vault_name,
                 'result': {
-                    'failed': (),
+                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
+                          % (asymmetric_vault_name, api.env.basedn),
+                    'objectclass': [u'top', u'ipaVault'],
+                    'cn': [asymmetric_vault_name],
+                    'ipavaulttype': [u'asymmetric'],
+                    'ipapublickey': [public_key],
+                },
+            },
+        },
+
+        {
+            'desc': 'Archive secret into asymmetric vault',
+            'command': (
+                'vault_archive',
+                [asymmetric_vault_name],
+                {
+                    'data': secret,
+                },
+            ),
+            'expected': {
+                'value': asymmetric_vault_name,
+                'summary': 'Archived data into vault "%s"'
+                           % asymmetric_vault_name,
+                'result': {},
+            },
+        },
+
+        {
+            'desc': 'Retrieve secret from asymmetric vault',
+            'command': (
+                'vault_retrieve',
+                [asymmetric_vault_name],
+                {
+                    'private_key': private_key,
+                },
+            ),
+            'expected': {
+                'value': asymmetric_vault_name,
+                'summary': 'Retrieved data from vault "%s"'
+                           % asymmetric_vault_name,
+                'result': {
+                    'data': secret,
                 },
             },
         },
-- 
1.9.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to