az keyvault key

Manage keys.

Commands

az keyvault key backup          Requests that a backup of the specified key be downloaded to the client.
az keyvault key create          Creates a new key, stores it, then returns key parameters and attributes to the client.
az keyvault key delete          Deletes a key of any type from storage in Azure Key Vault.
az keyvault key import          Import a private key.
az keyvault key list            List keys in the specified vault.
az keyvault key list-deleted    List deleted keys in the specified vault.
az keyvault key list-versions   Retrieves a list of individual key versions with the same key name.
az keyvault key purge           Permanently deletes the specified key.
az keyvault key recover         Recovers the deleted key back to its current version under /keys.
az keyvault key restore         Restores a backed up key to a vault.
az keyvault key set-attributes  The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Azure Key Vault.
az keyvault key show            Gets the public part of a stored key.
az keyvault key show-deleted    Retrieves the deleted key information plus its attributes.

az keyvault key backup

Requests that a backup of the specified key be downloaded to the client.

az keyvault key backup --file
                       --name
                       --vault-name

Required Parameters

--file -f
Local file path in which to store key backup.
--name -n
Name of the key.
--vault-name
Name of the key vault.

az keyvault key create

Creates a new key, stores it, then returns key parameters and attributes to the client.

az keyvault key create --name
                       --protection {hsm, software}
                       --vault-name
                       [--disabled]
                       [--expires]
                       [--not-before]
                       [--ops {decrypt, encrypt, sign, unwrapKey, verify, wrapKey}]
                       [--size]
                       [--tags]

Required Parameters

--name -n
Name of the key.
--protection -p
Specifies the type of key protection.
accepted values: hsm, software
--vault-name
Name of the key vault.

Optional Parameters

--disabled
Create key in disabled state.
--expires
Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
--not-before
Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
--ops
Space separated list of permitted JSON web key operations.
accepted values: decrypt, encrypt, sign, unwrapKey, verify, wrapKey
--size
The key size in bytes. For example, 1024 or 2048.
--tags
Space separated tags in 'key[=value]' format. Use "" to clear existing tags.
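
A pre-flight wrapper for the create command above, as an added example that is not part of the Azure CLI or of this reference: it refuses to create a key unless --expires matches the documented UTC format and every --ops value is one of the accepted values. The function name kv_key_create, the AZ override variable, and the vault and key names in the usage comment are assumptions of the example; making --expires and --ops mandatory is the example's policy, since the CLI treats both as optional.

```sh
#!/bin/sh
# Added example (not from the Azure CLI docs): validate arguments, then call
# `az keyvault key create`. kv_key_create and $AZ are hypothetical names.

# Shape check for the documented format Y-m-d'T'H:M:S'Z' (digit ranges only,
# not a calendar check, so a value like 2030-02-31 still passes here).
valid_utc() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# Only the JSON web key operations listed as accepted values for --ops.
valid_op() {
    case "$1" in
        decrypt|encrypt|sign|unwrapKey|verify|wrapKey) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: kv_key_create VAULT NAME PROTECTION EXPIRES OP [OP...]
# e.g.   kv_key_create example-vault example-signing-key hsm 2030-01-01T00:00:00Z sign verify
kv_key_create() {
    if [ "$#" -lt 5 ]; then
        echo "usage: kv_key_create VAULT NAME PROTECTION EXPIRES OP [OP...]" >&2
        return 2
    fi
    kv_vault=$1; kv_name=$2; kv_prot=$3; kv_exp=$4
    shift 4
    case "$kv_prot" in
        hsm|software) ;;
        *) echo "--protection must be hsm or software: $kv_prot" >&2; return 3 ;;
    esac
    valid_utc "$kv_exp" || { echo "--expires is not Y-m-d'T'H:M:S'Z': $kv_exp" >&2; return 4; }
    for kv_op in "$@"; do
        valid_op "$kv_op" || { echo "--ops value not accepted: $kv_op" >&2; return 5; }
    done
    # Every value is passed as its own quoted argument, so nothing is re-parsed
    # by the shell. Set AZ=echo to print the arguments instead of calling az.
    "${AZ:-az}" keyvault key create --vault-name "$kv_vault" --name "$kv_name" \
        --protection "$kv_prot" --expires "$kv_exp" --ops "$@"
}
```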

az keyvault key delete

Deletes a key of any type from storage in Azure Key Vault.

az keyvault key delete --name
                       --vault-name

Required Parameters

--name -n
Name of the key.
--vault-name
Name of the key vault.

az keyvault key import

Import a private key.

az keyvault key import --name
                       --vault-name
                       [--byok-file]
                       [--disabled]
                       [--expires]
                       [--not-before]
                       [--ops {decrypt, encrypt, sign, unwrapKey, verify, wrapKey}]
                       [--pem-file]
                       [--pem-password]
                       [--protection {hsm, software}]
                       [--tags]

Required Parameters

--name -n
Name of the key.
--vault-name
Name of the key vault.

Optional Parameters

--byok-file
BYOK file containing the key to be imported. Must not be password protected.
--disabled
Create key in disabled state.
--expires
Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
--not-before
Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
--ops
Space separated list of permitted JSON web key operations.
accepted values: decrypt, encrypt, sign, unwrapKey, verify, wrapKey
--pem-file
PEM file containing the key to be imported.
--pem-password
Password of PEM file.
--protection -p
Specifies the type of key protection.
accepted values: hsm, software
--tags
Space separated tags in 'key[=value]' format. Use "" to clear existing tags.

az keyvault key list

List keys in the specified vault.

az keyvault key list --vault-name
                     [--maxresults]

Required Parameters

--vault-name
Name of the key vault.

Optional Parameters

--maxresults
Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault key list-deleted

List deleted keys in the specified vault.

az keyvault key list-deleted --vault-name
                             [--maxresults]

Required Parameters

--vault-name
Name of the key vault.

Optional Parameters

--maxresults
Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault key list-versions

Retrieves a list of individual key versions with the same key name.

az keyvault key list-versions --name
                              --vault-name
                              [--maxresults]

Required Parameters

--name -n
Name of the key.
--vault-name
Name of the key vault.

Optional Parameters

--maxresults
Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault key purge

Permanently deletes the specified key.

az keyvault key purge --name
                      --vault-name

Required Parameters

--name -n
Name of the key.
--vault-name
Name of the key vault.

az keyvault key recover

Recovers the deleted key back to its current version under /keys.

az keyvault key recover --name
                        --vault-name

Required Parameters

--name -n
Name of the key.
--vault-name
Name of the key vault.

az keyvault key restore

Restores a backed up key to a vault.

az keyvault key restore --file
                        --vault-name

Required Parameters

--file -f
Local key backup from which to restore key.
--vault-name
Name of the key vault.

az keyvault key set-attributes

The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Azure Key Vault.

az keyvault key set-attributes --name
                               --vault-name
                               [--enabled {false, true}]
                               [--expires]
                               [--not-before]
                               [--ops {decrypt, encrypt, sign, unwrapKey, verify, wrapKey}]
                               [--tags]
                               [--version]

Required Parameters

--name -n
Name of the key.
--vault-name
Name of the key vault.

Optional Parameters

--enabled
Enable the key.
accepted values: false, true
--expires
Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
--not-before
Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
--ops
Space separated list of permitted JSON web key operations.
accepted values: decrypt, encrypt, sign, unwrapKey, verify, wrapKey
--tags
Space separated tags in 'key[=value]' format. Use "" to clear existing tags.
--version -v
The key version. If omitted, uses the latest version.

az keyvault key show

Gets the public part of a stored key.

az keyvault key show --name
                     --vault-name
                     [--version]

Required Parameters

--name -n
Name of the key.
--vault-name
Name of the key vault.

Optional Parameters

--version -v
The key version. If omitted, uses the latest version.

az keyvault key show-deleted

Retrieves the deleted key information plus its attributes.

az keyvault key show-deleted --name
                             --vault-name

Required Parameters

--name -n
Name of the key.
--vault-name
Name of the key vault.