Description
Describe the bug
The vault docker container does not return the public key for keys created in the vault transit engine
To Reproduce
Steps to reproduce the behavior:
- Enable transit:
  vault secrets enable transit
- Create key:
  vault write transit/keys/my-key type="ed25519" derived=true
- Attempt to retrieve the public key:
  vault read transit/keys/my-key
- See output with an empty value for public_key:
Key Value
allow_plaintext_backup false
auto_rotate_period 0s
convergent_encryption false
deletion_allowed false
derived true
exportable false
imported_key false
kdf hkdf_sha256
keys map[1:map[certificate_chain: creation_time:2025-10-03T03:31:26.850259447Z hybrid_public_key: name:ed25519 public_key:]]
latest_version 1
min_available_version 0
min_decryption_version 1
min_encryption_version 0
name my-key
supports_decryption false
supports_derivation true
supports_encryption false
supports_signing true
type ed25519
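The check below is added here and is not part of the original issue. It parses the JSON form of the same read (vault read -format=json transit/keys/my-key) and lists the key versions whose public_key field is empty, reporting the key's type and derived flag alongside so the two can be correlated; the sample document is constructed to mirror the table above.

```python
import json

# Constructed sample modelled on the issue's table output (not captured
# from a real server): an ed25519 key created with derived=true, one
# version, empty public_key. This is what `-format=json` would look like.
SAMPLE_READ_JSON = json.dumps({
    "data": {
        "name": "my-key",
        "type": "ed25519",
        "derived": True,
        "latest_version": 1,
        "supports_signing": True,
        "keys": {
            "1": {
                "certificate_chain": "",
                "creation_time": "2025-10-03T03:31:26.850259447Z",
                "hybrid_public_key": "",
                "name": "ed25519",
                "public_key": "",
            }
        },
    }
})

# Transit key types that are asymmetric and so should expose a public key.
ASYMMETRIC_TYPES = {"ed25519", "ecdsa-p256", "ecdsa-p384", "ecdsa-p521",
                    "rsa-2048", "rsa-3072", "rsa-4096"}


def versions_missing_public_key(read_json: str) -> dict:
    """Summarise a transit key read: name, type, derived flag, and the
    sorted version numbers whose public_key is empty or absent.
    Symmetric key types carry no public key, so they yield an empty list."""
    data = json.loads(read_json)["data"]
    key_type = data.get("type", "")
    missing = []
    if key_type in ASYMMETRIC_TYPES:
        for version, entry in data.get("keys", {}).items():
            if not entry.get("public_key"):
                missing.append(int(version))
    return {"name": data.get("name"), "type": key_type,
            "derived": bool(data.get("derived", False)),
            "missing_public_key_versions": sorted(missing)}


if __name__ == "__main__":
    r = versions_missing_public_key(SAMPLE_READ_JSON)
    if r["missing_public_key_versions"]:
        print(f"{r['name']} ({r['type']}, derived={r['derived']}): "
              f"no public_key for versions {r['missing_public_key_versions']}")
    else:
        print(f"{r['name']}: public key present for every version")
```

On a live server, pipe the output of vault read -format=json transit/keys/my-key into the function instead of the constructed sample.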
Expected behavior
The public key should be returned in the vault read transit/keys/my-key response, as detailed in the Vault documentation, which states "an asymmetric key will return its public key in a standard format for the type."
Environment:
- Vault Server Version (retrieve with vault status): 1.20.4
- Vault CLI Version (retrieve with vault version): v1.20.4
- Server Operating System/Architecture: linux x86 (ubuntu latest) running in docker v27.3.1
Vault server configuration file(s):
docker hcl config
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true
}