PASERK uses symmetric-key encryption to wrap PASETO keys.
This is the most flexible mode in PASERK, as it offers a way to integrate PASERK with multiple key management solutions.
- `local-wrap` for `local` tokens
- `secret-wrap` for `public` tokens
Unlike other PASERKs, the `[data]` portion is not base64url-encoded as a whole for these types.
The `[data]` payload described in the respective type above is further segmented as follows:

`[prefix].[encrypted key]`
Where `[prefix]` is a distinct lowercase alphanumeric string that uniquely identifies the key-wrapping encryption protocol in use.
PASERK implementors MAY define custom wrapping protocols, but they MUST support the PASERK standard wrapping protocol (`pie`).
Implementors SHOULD register their prefix in this document so that interoperability can be assured by other implementations.
Implementations MUST authenticate the `version`, `type`, and `prefix` alongside their ciphertext. Implementors MAY authenticate additional data beyond what we require.
Implementations MUST return an ASCII string.
Implementations SHOULD return a URL-safe string (i.e., using base64url from RFC 4648).
| Prefix | Key-Wrapping Protocol | Owner |
|--------|-----------------------|-------|
| `pie` | PASERK standard wrapping protocol | Paragon Initiative Enterprises |
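The following Go program is an added example, written for this page and not taken from the PASERK specification or any PASERK library. It shows what the requirements above look like in code for a `k3` (version 3) key: the header `[version].[type].[prefix].` is fed into the authentication tag so that changing the version, type or prefix invalidates the wrapped key; the `[data]` segment is `pie.` followed by the base64url-encoded (unpadded) ciphertext; and the whole output is ASCII. The construction it uses (a 32-byte random nonce, HMAC-SHA384 with `0x80`/`0x81` domain separators to derive the AES-256-CTR key, CTR nonce and MAC key, and a tag over header, nonce and ciphertext) is the editor's reconstruction of the `pie` version-3 profile from memory and is an assumption; an implementation claiming `pie` compatibility must be checked against the specification's own `pie` document and test vectors. The `wrapWithNonce` helper exists only so the behaviour can be tested deterministically; real code must use `Wrap`, which draws the nonce from the operating system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"errors"
	"strings"
)

const (
	version  = "k3"  // PASETO key version handled by this file
	prefix   = "pie" // the mandatory standard wrapping protocol
	tagLen   = 48    // HMAC-SHA384 output length
	nonceLen = 32    // length of the random nonce n
)

// Expected plaintext key length per wrap type ("algorithm lucidity"):
// a k3 local key is 32 bytes, a k3 secret key (P-384 scalar) is 48 bytes.
var keyLen = map[string]int{"local-wrap": 32, "secret-wrap": 48}

// header builds "[version].[type].[prefix]." which the page requires to be
// authenticated together with the ciphertext.
func header(typ string) string { return version + "." + typ + "." + prefix + "." }

func hmacSHA384(key, msg []byte) []byte {
	m := hmac.New(sha512.New384, key)
	m.Write(msg)
	return m.Sum(nil)
}

func concat(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

// deriveKeys (assumed pie v3 profile): x = HMAC-SHA384(0x80||n, wk) gives
// Ek = x[0:32] and the CTR nonce n2 = x[32:48]; Ak = HMAC-SHA384(0x81||n, wk).
func deriveKeys(wk, n []byte) (ek, n2, ak []byte) {
	x := hmacSHA384(wk, concat([]byte{0x80}, n))
	return x[:32], x[32:], hmacSHA384(wk, concat([]byte{0x81}, n))
}

func aesCTR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// wrapWithNonce is Wrap with a caller-supplied nonce (for deterministic tests only).
func wrapWithNonce(wk, ptk []byte, typ string, n []byte) (string, error) {
	want, ok := keyLen[typ]
	if !ok || len(wk) != 32 || len(ptk) != want || len(n) != nonceLen {
		return "", errors.New("unsupported type or wrong wrapping key, plaintext key or nonce length")
	}
	h := header(typ)
	ek, n2, ak := deriveKeys(wk, n)
	c, err := aesCTR(ek, n2, ptk)
	if err != nil {
		return "", err
	}
	// Tag over header || n || c binds version, type and prefix to the ciphertext.
	t := hmacSHA384(ak, concat([]byte(h), n, c))
	// Output is ASCII: header, then base64url (no padding) of t || n || c.
	return h + base64.RawURLEncoding.EncodeToString(concat(t, n, c)), nil
}

// Wrap encrypts the plaintext key ptk under the wrapping key wk.
func Wrap(wk, ptk []byte, typ string) (string, error) {
	n := make([]byte, nonceLen)
	if _, err := rand.Read(n); err != nil {
		return "", err
	}
	return wrapWithNonce(wk, ptk, typ, n)
}

// Unwrap checks the header, verifies the tag in constant time before
// decrypting, and finally enforces the key length the type demands.
func Unwrap(wk []byte, typ, paserk string) ([]byte, error) {
	want, ok := keyLen[typ]
	h := header(typ)
	if !ok || !strings.HasPrefix(paserk, h) {
		return nil, errors.New("header does not match the expected version, type and prefix")
	}
	body, err := base64.RawURLEncoding.DecodeString(paserk[len(h):])
	if err != nil || len(body) < tagLen+nonceLen {
		return nil, errors.New("malformed encrypted key segment")
	}
	t, n, c := body[:tagLen], body[tagLen:tagLen+nonceLen], body[tagLen+nonceLen:]
	ek, n2, ak := deriveKeys(wk, n)
	if !hmac.Equal(t, hmacSHA384(ak, concat([]byte(h), n, c))) {
		return nil, errors.New("authentication failed: wrong wrapping key or altered header/ciphertext")
	}
	ptk, err := aesCTR(ek, n2, c)
	if err != nil || len(ptk) != want {
		return nil, errors.New("unwrapped key has the wrong length for its type")
	}
	return ptk, nil
}
```

Because the header is part of the MAC input, presenting the same `[data]` segment under a `k3.secret-wrap.pie.` header fails the tag check rather than yielding a mis-typed key; that is the practical effect of the MUST-authenticate rule above.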