az keyvault key

Manage keys.

Commands

az keyvault key backup: Requests that a backup of the specified key be downloaded to the client.
az keyvault key create: Creates a new key, stores it, then returns key parameters and attributes to the client.
az keyvault key delete: Deletes a key of any type from storage in Azure Key Vault.
az keyvault key import: Import a private key.
az keyvault key list: List keys in the specified vault.
az keyvault key list-deleted: Lists the deleted keys in the specified vault.
az keyvault key list-versions: Retrieves a list of individual key versions with the same key name.
az keyvault key purge: Permanently deletes the specified key.
az keyvault key recover: Recovers the deleted key to its latest version.
az keyvault key restore: Restores a backed up key to a vault.
az keyvault key set-attributes: The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Azure Key Vault.
az keyvault key show: Gets the public part of a stored key.
az keyvault key show-deleted: Gets the public part of a deleted key.

az keyvault key backup

Requests that a backup of the specified key be downloaded to the client.

az keyvault key backup --file
    [--id]
    [--name]
    [--subscription]
    [--vault-name]

Required Parameters

--file -f

Local file path in which to store key backup.

Optional Parameters

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault key create

Creates a new key, stores it, then returns key parameters and attributes to the client.

az keyvault key create --name
    --vault-name
    [--curve {P-256, P-256K, P-384, P-521}]
    [--disabled {false, true}]
    [--expires]
    [--kty {EC, EC-HSM, RSA, RSA-HSM, oct}]
    [--not-before]
    [--ops {decrypt, encrypt, sign, unwrapKey, verify, wrapKey}]
    [--protection {hsm, software}]
    [--size]
    [--subscription]
    [--tags]

Required Parameters

--name -n

Name of the key.

--vault-name

Name of the key vault.

Optional Parameters

--curve

Elliptic curve name. For valid values, see JsonWebKeyCurveName.

accepted values: P-256, P-256K, P-384, P-521

--disabled

Create key in disabled state.

accepted values: false, true

--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--kty

The type of key to create. For valid values, see JsonWebKeyType.

accepted values: EC, EC-HSM, RSA, RSA-HSM, oct

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--ops

Space-separated list of permitted JSON web key operations.

accepted values: decrypt, encrypt, sign, unwrapKey, verify, wrapKey

--protection -p

Specifies the type of key protection.

accepted values: hsm, software

--size

The key size in bits. For example: 2048, 3072, or 4096 for RSA.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags in 'key[=value]' format. Use "" to clear existing tags.
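
A wrapper around the create command above that checks the --ops and --expires values before az is called, as an added example (not from the Azure CLI documentation). The function names, the RSA 3072 choice, the purpose tag, and the rule that signing and encryption operations are not mixed on one key are this example's assumptions.

```shell
#!/bin/sh
# Added example, not Azure CLI documentation. Assumes an authenticated
# az session and a vault the caller may create keys in.

# valid_utc: shape check for the Y-m-d'T'H:M:S'Z' form that --expires takes.
valid_utc() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]Z)
      return 0 ;;
    *) return 1 ;;
  esac
}

# key_purpose OP...: print "signing" or "encryption" for an --ops list.
# Fails on an operation outside the accepted values, or on a list that
# mixes the two purposes (this example's policy, not an az restriction).
key_purpose() {
  purpose=""
  for op in "$@"; do
    case "$op" in
      sign|verify) p=signing ;;
      encrypt|decrypt|wrapKey|unwrapKey) p=encryption ;;
      *) echo "unknown op: $op" >&2; return 1 ;;
    esac
    if [ -n "$purpose" ] && [ "$purpose" != "$p" ]; then
      echo "refusing mixed-purpose key: $*" >&2; return 1
    fi
    purpose=$p
  done
  [ -n "$purpose" ] || return 1
  echo "$purpose"
}

# create_scoped_key VAULT NAME EXPIRES OP...
# Creates an RSA key limited to the given operations, with an expiry date.
create_scoped_key() {
  [ "$#" -ge 4 ] || { echo "usage: create_scoped_key VAULT NAME EXPIRES OP..." >&2; return 2; }
  vault=$1; name=$2; expires=$3; shift 3
  valid_utc "$expires" || { echo "bad --expires value: $expires" >&2; return 1; }
  purpose=$(key_purpose "$@") || return 1
  az keyvault key create --vault-name "$vault" --name "$name" \
    --kty RSA --size 3072 --expires "$expires" \
    --tags "purpose=$purpose" --ops "$@"
}
```

Sourcing the file defines the functions without contacting Azure; `create_scoped_key my-vault app-signing 2030-01-01T00:00:00Z sign verify` (placeholder vault and key names) issues the single create call.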

az keyvault key delete

Deletes a key of any type from storage in Azure Key Vault.

az keyvault key delete [--id]
    [--name]
    [--subscription]
    [--vault-name]

Optional Parameters

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault key import

Import a private key.

az keyvault key import --name
    --vault-name
    [--byok-file]
    [--disabled {false, true}]
    [--expires]
    [--not-before]
    [--ops {decrypt, encrypt, sign, unwrapKey, verify, wrapKey}]
    [--pem-file]
    [--pem-password]
    [--protection {hsm, software}]
    [--subscription]
    [--tags]

Required Parameters

--name -n

Name of the key.

--vault-name

Name of the key vault.

Optional Parameters

--byok-file

BYOK file containing the key to be imported. Must not be password protected.

--disabled

Create key in disabled state.

accepted values: false, true

--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--ops

Space-separated list of permitted JSON web key operations.

accepted values: decrypt, encrypt, sign, unwrapKey, verify, wrapKey

--pem-file

PEM file containing the key to be imported.

--pem-password

Password of PEM file.

--protection -p

Specifies the type of key protection.

accepted values: hsm, software

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags in 'key[=value]' format. Use "" to clear existing tags.

az keyvault key list

List keys in the specified vault.

az keyvault key list --vault-name
    [--maxresults]
    [--subscription]

Required Parameters

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault key list-deleted

Lists the deleted keys in the specified vault.

az keyvault key list-deleted --vault-name
    [--maxresults]
    [--subscription]

Required Parameters

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault key list-versions

Retrieves a list of individual key versions with the same key name.

az keyvault key list-versions --name
    --vault-name
    [--maxresults]
    [--subscription]

Required Parameters

--name -n

Name of the key.

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault key purge

Permanently deletes the specified key.

az keyvault key purge [--id]
    [--name]
    [--subscription]
    [--vault-name]

Optional Parameters

--id

The recovery id of the key. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault key recover

Recovers the deleted key to its latest version.

az keyvault key recover [--id]
    [--name]
    [--subscription]
    [--vault-name]

Optional Parameters

--id

The recovery id of the key. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault key restore

Restores a backed up key to a vault.

az keyvault key restore --file
    --vault-name
    [--subscription]

Required Parameters

--file -f

Local key backup from which to restore key.

--vault-name

Name of the key vault.

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault key set-attributes

The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Azure Key Vault.

az keyvault key set-attributes [--enabled {false, true}]
    [--expires]
    [--id]
    [--name]
    [--not-before]
    [--ops {decrypt, encrypt, sign, unwrapKey, verify, wrapKey}]
    [--subscription]
    [--tags]
    [--vault-name]
    [--version]

Optional Parameters

--enabled

Enable the key.

accepted values: false, true

--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--ops

Space-separated list of permitted JSON web key operations.

accepted values: decrypt, encrypt, sign, unwrapKey, verify, wrapKey

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags in 'key[=value]' format. Use "" to clear existing tags.

--vault-name

Name of the key vault. Required if --id is not specified.

--version -v

The key version. If omitted, uses the latest version.

az keyvault key show

Gets the public part of a stored key.

az keyvault key show [--id]
    [--name]
    [--subscription]
    [--vault-name]
    [--version]

Optional Parameters

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

--version -v

The key version. If omitted, uses the latest version.

az keyvault key show-deleted

Gets the public part of a deleted key.

az keyvault key show-deleted [--id]
    [--name]
    [--subscription]
    [--vault-name]

Optional Parameters

--id

The recovery id of the key. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.