Key Vault keys - az keyvault key

Manage keys.

Commands

az keyvault key backup Requests that a backup of the specified key be downloaded to the client.
az keyvault key create Creates a new key, stores it, then returns key parameters and attributes to the client.
az keyvault key delete Deletes a key of any type from storage in Azure Key Vault.
az keyvault key import Import a private key.
az keyvault key list List keys in the specified vault.
az keyvault key list-deleted List deleted keys in the specified vault.
az keyvault key list-versions Retrieves a list of individual key versions with the same key name.
az keyvault key purge Permanently deletes the specified key.
az keyvault key recover Recovers the deleted key back to its current version under /keys.
az keyvault key restore Restores a backed up key to a vault.
az keyvault key set-attributes The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Azure Key Vault.
az keyvault key show Gets the public part of a stored key.
az keyvault key show-deleted Retrieves the deleted key information plus its attributes.

az keyvault key backup

The Key Backup operation exports a key from Azure Key Vault in a protected form. Note that this operation does NOT return key material in a form that can be used outside the Azure Key Vault system; the returned key material is protected either to an Azure Key Vault HSM or to Azure Key Vault itself. The intent of this operation is to allow a client to GENERATE a key in one Azure Key Vault instance, BACKUP the key, and then RESTORE it into another Azure Key Vault instance. The BACKUP operation may be used to export, in protected form, any key type from Azure Key Vault. Individual versions of a key cannot be backed up. BACKUP / RESTORE can be performed within geographical boundaries only, meaning that a BACKUP from one geographical area cannot be restored to another geographical area. For example, a backup from the US geographical area cannot be restored in an EU geographical area.

az keyvault key backup --file
--name
--vault-name

Required Parameters

--file -f

Local file path in which to store key backup.

--name -n

Name of the key.

--vault-name

Name of the key vault.

az keyvault key create

The create key operation can be used to create any key type in Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key.

az keyvault key create --name
--protection {hsm, software}
--vault-name
[--disabled]
[--expires]
[--not-before]
[--ops]
[--size]
[--tags]

Required Parameters

--name -n

Name of the key.

--protection -p

Specifies the type of key protection.

accepted values: hsm, software
--vault-name

Name of the key vault.

Optional Parameters

--disabled

Create key in disabled state.

--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--ops

Space separated list of permitted JSON web key operations. Possible values: encrypt, decrypt, sign, verify, wrapKey, unwrapKey.

--size

The key size in bytes. For example, 1024 or 2048.

--tags

Space separated tags in 'key[=value]' format. Use "" to clear existing tags.

az keyvault key delete

The delete key operation cannot be used to remove individual versions of a key. This operation removes the cryptographic material associated with the key, which means the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations.

az keyvault key delete --name
--vault-name

Required Parameters

--name -n

Name of the key.

--vault-name

Name of the key vault.

az keyvault key import

Supports importing base64-encoded private keys from PEM files. Supports importing BYOK keys into an HSM for premium Key Vaults.

az keyvault key import --name
--vault-name
[--byok-file]
[--disabled]
[--expires]
[--not-before]
[--ops]
[--pem-file]
[--pem-password]
[--protection {hsm, software}]
[--tags]

Required Parameters

--name -n

Name of the key.

--vault-name

Name of the key vault.

Optional Parameters

--byok-file

BYOK file containing the key to be imported. Must not be password protected.

--disabled

Create key in disabled state.

--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--ops

Space separated list of permitted JSON web key operations. Possible values: encrypt, decrypt, sign, verify, wrapKey, unwrapKey.

--pem-file

PEM file containing the key to be imported.

--pem-password

Password of PEM file.

--protection -p

Specifies the type of key protection.

accepted values: hsm, software
--tags

Space separated tags in 'key[=value]' format. Use "" to clear existing tags.

az keyvault key list

Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a stored key. The LIST operation is applicable to all key types; however, only the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response. Authorization: Requires the keys/list permission.

az keyvault key list --vault-name
[--maxresults]

Required Parameters

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault key list-deleted

Authorization: Requires the keys/list permission.

az keyvault key list-deleted --vault-name
[--maxresults]

Required Parameters

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault key list-versions

The full key identifier, attributes, and tags are provided in the response.

az keyvault key list-versions --name
--vault-name
[--maxresults]

Required Parameters

--name -n

Name of the key.

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault key purge

Permanently deletes the specified key (also known as purging the key). Authorization: Requires the keys/purge permission.

az keyvault key purge --name
--vault-name

Required Parameters

--name -n

Name of the key.

--vault-name

Name of the key vault.

az keyvault key recover

Authorization: Requires the keys/recover permission.

az keyvault key recover --name
--vault-name

Required Parameters

--name -n

Name of the key.

--vault-name

Name of the key vault.

az keyvault key restore

Imports a previously backed up key into Azure Key Vault, restoring the key, its key identifier, attributes and access control policies. The RESTORE operation may be used to import a previously backed up key. Individual versions of a key cannot be restored. The key is restored in its entirety with the same key name as it had when it was backed up. If the key name is not available in the target Key Vault, the RESTORE operation will be rejected. While the key name is retained during restore, the final key identifier will change if the key is restored to a different vault. Restore will restore all versions and preserve version identifiers. The RESTORE operation is subject to security constraints: the target Key Vault must be owned by the same Microsoft Azure Subscription as the source Key Vault, and the user must have RESTORE permission in the target Key Vault.

az keyvault key restore --file
--vault-name

Required Parameters

--file -f

Local key backup from which to restore key.

--vault-name

Name of the key vault.

az keyvault key set-attributes

In order to perform this operation, the key must already exist in the Key Vault. Note: The cryptographic material of a key itself cannot be changed.

az keyvault key set-attributes --name
--vault-name
[--enabled {false, true}]
[--expires]
[--not-before]
[--ops]
[--tags]
[--version]

Required Parameters

--name -n

Name of the key.

--vault-name

Name of the key vault.

Optional Parameters

--enabled

Enable the key.

accepted values: false, true
--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--ops

Space separated list of permitted JSON web key operations. Possible values: encrypt, decrypt, sign, verify, wrapKey, unwrapKey.

--tags

Space separated tags in 'key[=value]' format. Use "" to clear existing tags.

--version -v

The key version. If omitted, uses the latest version.
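
As an added example (not part of the Azure CLI reference), a POSIX shell helper that ties the create, backup/restore and set-attributes commands above together: it validates --ops and datetime values against what this page documents before calling az, creates an HSM-protected key limited to the operations you name, copies a key between vaults with backup and restore, and disables a key version without destroying its material. Vault and key names, the expiry and the backup path are assumptions; setting AZ=echo substitutes a stub for az so the helper can be dry-run without an Azure login.

```sh
#!/bin/sh
# Added example, not from the Azure CLI docs. Vault/key names, expiry and backup
# path below are placeholders; AZ=echo dry-runs the commands without an Azure login.
AZ="${AZ:-az}"

# Every value passed to --ops must be one of the JSON web key operations the
# reference lists; anything else is rejected before az is invoked.
kv_ops_valid() {
  [ $# -gt 0 ] || return 1
  for op in "$@"; do
    case "$op" in
      encrypt|decrypt|sign|verify|wrapKey|unwrapKey) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# --expires and --not-before take a UTC datetime in Y-m-d'T'H:M:S'Z' form.
kv_datetime_valid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$'
}

# Create an HSM-protected key whose permitted operations are exactly OP... (least
# privilege on key usage, e.g. "sign verify" for a signing key) with an expiry.
# Usage: kv_key_create_restricted VAULT KEY EXPIRES OP...
kv_key_create_restricted() {
  vault=$1; key=$2; expires=$3; shift 3
  kv_ops_valid "$@" || { echo "unknown key operation in: $*" >&2; return 1; }
  kv_datetime_valid "$expires" || { echo "bad expiry: $expires" >&2; return 1; }
  "$AZ" keyvault key create --vault-name "$vault" --name "$key" \
    --protection hsm --size 2048 --ops "$@" --expires "$expires"
}

# Back up a key in protected form (the material stays bound to Key Vault) and
# restore it into TARGET_VAULT, which must be in the same subscription and
# geography and must not already hold a key of that name.
# Usage: kv_key_copy SOURCE_VAULT KEY TARGET_VAULT BACKUP_FILE
kv_key_copy() {
  "$AZ" keyvault key backup --vault-name "$1" --name "$2" --file "$4" || return 1
  "$AZ" keyvault key restore --vault-name "$3" --file "$4"
}

# Disable the latest version of a key (pass --version to target another) without
# deleting it; set-attributes --enabled true reverses this once the incident is closed.
# Usage: kv_key_disable VAULT KEY
kv_key_disable() {
  "$AZ" keyvault key set-attributes --vault-name "$1" --name "$2" --enabled false
}
```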

az keyvault key show

The get key operation is applicable to all key types. If the requested key is symmetric, then no key material is released in the response.

az keyvault key show --name
--vault-name
[--version]

Required Parameters

--name -n

Name of the key.

--vault-name

Name of the key vault.

Optional Parameters

--version -v

The key version. If omitted, uses the latest version.

az keyvault key show-deleted

Authorization: Requires the keys/get permission.

az keyvault key show-deleted --name
--vault-name

Required Parameters

--name -n

Name of the key.

--vault-name

Name of the key vault.