---
descriptions:
  data_key:
    id: Unique ID of the data key.
    key: Base64-encoded data key that can be used for encryption operations.
    encrypted_keys: >-
      An encrypted data key. The data key is encrypted once with each key
      identified from the key context and then Base64 encoded.
  data_encryption:
    plaintext: A blob of unencrypted data.
    ciphertext: >-
      An encrypted blob of data. The data key used to encrypt the data is
      separately encrypted and encoded as part of the ciphertext.
    aad: >-
      Additional authenticated data used to authenticate the message and ensure
      that it has not been tampered with. This optional parameter can be used to
      bind the encrypted message to a given context, such as the row ID in a
      database. If set during encryption, the same AAD must be used during
      decryption or the operation will fail.
originalPath: .tmp-workos-clone/packages/docs/content/reference/vault/key/index.mdx
---

# Encryption Key Management

The key management APIs can be used to generate isolated encryption keys for local encryption and decryption operations.
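
The AAD binding from the `aad` description, shown with a locally held data key. This is an added example, not WorkOS code or its ciphertext format: it assumes the Base64 data key decodes to 32 bytes and is used with AES-256-GCM through Node's built-in `crypto` module, and the function names, the nonce/tag layout and the row-ID strings are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the Base64 `key` field of a data key.
// Assumption: it decodes to 32 bytes and is used with AES-256-GCM.
const dataKeyB64 = crypto.randomBytes(32).toString('base64');

// Encrypt locally, binding the message to a context string through the AAD.
// Constructed layout: base64(nonce[12] || tag[16] || ciphertext).
function encryptLocal(keyB64, plaintext, aad) {
  const key = Buffer.from(keyB64, 'base64');
  if (key.length !== 32) throw new Error('expected a 32-byte data key');
  const nonce = crypto.randomBytes(12); // fresh per message, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  if (aad !== undefined) cipher.setAAD(Buffer.from(aad, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt; throws if the key, the ciphertext or the AAD differs from encryption.
function decryptLocal(keyB64, blobB64, aad) {
  const key = Buffer.from(keyB64, 'base64');
  const blob = Buffer.from(blobB64, 'base64');
  if (blob.length < 28) throw new Error('ciphertext too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12), {
    authTagLength: 16,
  });
  decipher.setAuthTag(blob.subarray(12, 28));
  if (aad !== undefined) decipher.setAAD(Buffer.from(aad, 'utf8'));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString('utf8');
}

// True if decryption authenticates, false if the GCM tag check fails.
function canDecrypt(keyB64, blobB64, aad) {
  try { decryptLocal(keyB64, blobB64, aad); return true; } catch { return false; }
}

// A value encrypted for row 41 does not decrypt when presented as row 42,
// nor when the AAD is omitted at decryption time.
const stored = encryptLocal(dataKeyB64, 'constructed secret value', 'users:row:41');
console.log(decryptLocal(dataKeyB64, stored, 'users:row:41'));
console.log(canDecrypt(dataKeyB64, stored, 'users:row:42')); // false
console.log(canDecrypt(dataKeyB64, stored, undefined));      // false
```

Because the AAD is authenticated but not stored in the ciphertext, the caller has to be able to reconstruct it (here, from the row ID) at decryption time.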
