Invoke-AzKeyVaultKeyOperation

Module:

Az.KeyVault

Performs operation like "Encrypt", "Decrypt", "Wrap" or "Unwrap" using a specified key stored in a key vault or managed hsm.

Note

This is the previous version of our documentation. Please consult the most recent version for up-to-date information.

Syntax

Invoke-AzKeyVaultKeyOperation
      -Operation <String>
      -Algorithm <String>
      -Value <SecureString>
      [-VaultName] <String>
      [-Name] <String>
      [-Version <String>]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Invoke-AzKeyVaultKeyOperation
      -Operation <String>
      -Algorithm <String>
      -Value <SecureString>
      [-HsmName] <String>
      [-Name] <String>
      [-Version <String>]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Invoke-AzKeyVaultKeyOperation
      -Operation <String>
      -Algorithm <String>
      -Value <SecureString>
      [-InputObject] <PSKeyVaultKeyIdentityItem>
      [-Version <String>]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Description

Invoke-AzKeyVaultKeyOperation cmdlet supports

1. Encrypting an arbitrary sequence of bytes using an encryption key.
2. Decrypting a single block of encrypted data.
3. Wrapping a symmetric key using a specified key.
4. Unwrapping a symmetric key using the specified key that was initially used for wrapping that key.

Examples

Encrypts using an encryption key

$result = Invoke-AzKeyVaultKeyOperation -Operation Encrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -Value (ConvertTo-SecureString -String "test" -AsPlainText -Force) ult
$result | Format-List

KeyId     : https://test-kv.vault.azure.net/keys/test-key/375cdf20252043b79c8ca0c57b6c7679
Result    : e01HmkipqwCZyQd2QZ5XOTSA3rlZ719qqHHadzepFGtvTSoDwr+sBPmODVqScvq5/MBS9YyT+u6AM5hsFKD+h2FJOB6Pj/nwO5MZ/tZ8F974qAxXXT2qvdNm6pHKhREgPlCHmz+L6xK/8KOF+LS1E9wmuAt8ZPsJ7BtcT2bcvR4VmeOaUhvxcuNMV675nsFpwHBv6GWSfQA+RkDCIpmv6msdpK8NG6+la+fSPA6EKMJkmqF3SZ6RhSOjg00S7jXEWncIzdp6RRKYZFKY+QhqLgFVABL876IW4nDGYgdVSG7KnH0K56QqtK5L4MhvU4XYE69I4WiWbZ7rcVLE3cO/9A==
Algorithm : RSA1_5

Encrypts string "test" using test-key stored in test-kv. The returned result is Base64 string format.

Decrypt encrypted data

$result
$result = Invoke-AzKeyVaultKeyOperation -Operation Decrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -Value (ConvertTo-SecureString -String $result.Result -AsPlainText -Force) ult
$result | Format-List

KeyId     : https://test-kv.vault.azure.net/keys/test-key/375cdf20252043b79c8ca0c57b6c7679
Result    : test
Algorithm : RSA1_5

Decrypts encrypted data that is encrypted using test-key stored in test-kv.

Encrypts using an encryption key

$result = Invoke-AzKeyVaultKeyOperation -Operation Encrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -Value (ConvertTo-SecureString -String "test" -AsPlainText -Force) 

$result | Format-List

KeyId     : https://test-kv.vault.azure.net/keys/test-key/375cdf20252043b79c8ca0c57b6c7679
Result    : e01HmkipqwCZyQd2QZ5XOTSA3rlZ719qqHHadzepFGtvTSoDwr+sBPmODVqScvq5/MBS9YyT+u6AM5hsFKD+h2FJOB6Pj/nwO5MZ/tZ8F974qAxXXT2qvdNm6pHKhREgPlCHmz+L6xK/8KOF+LS1E9wmuAt8ZPsJ7BtcT2bcvR4VmeOaUhvxcuNMV675nsFpwHBv6GWSfQA+RkDCIpmv6msdpK8NG6+la+fSPA6EKMJkmqF3SZ6RhSOjg00S7jXEWncIzdp6RRKYZFKY+QhqLgFVABL876IW4nDGYgdVSG7KnH0K56QqtK5L4MhvU4XYE69I4WiWbZ7rcVLE3cO/9A==
Algorithm : RSA1_5

Encrypts string "test" using test-key stored in test-kv. The returned result is Base64 string format.

Wraps a symmetric key using a specified key

$result = Invoke-AzKeyVaultKeyOperation -Operation Wrap -Algorithm RSA1_5 -VaultName test-kv -Name test-key -Value (ConvertTo-SecureString -String "ovQIlbB0DgWhZA7sgkPxbg9H-Ly-VlNGPSgGrrZvlIo" -AsPlainText -Force) 

$result | Format-List

KeyId     : https://test-kv.vault.azure.net/keys/test-key/375cdf20252043b79c8ca0c57b6c7679
Result    : e01HmkipqwCZyQd2QZ5XOTSA3rlZ719qqHHadzepFGtvTSoDwr+sBPmODVqScvq5/MBS9YyT+u6AM5hsFKD+h2FJOB6Pj/nwO5MZ/tZ8F974qAxXXT2qvdNm6pHKhREgPlCHmz+L6xK/8KOF+LS1E9wmuAt8ZPsJ7BtcT2bcvR4VmeOaUhvxcuNMV675nsFpwHBv6GWSfQA+RkDCIpmv6msdpK8NG6+la+fSPA6EKMJkmqF3SZ6RhSOjg00S7jXEWncIzdp6RRKYZFKY+QhqLgFVABL876IW4nDGYgdVSG7KnH0K56QqtK5L4MhvU4XYE69I4WiWbZ7rcVLE3cO/9A==
Algorithm : RSA1_5

Wraps a symmetric key using key named test-key stored in test-kv. The returned result is Base64 string.

Unwraps a symmetric key using a specified key

Invoke-AzKeyVaultKeyOperation -Operation Unwrap -Algorithm RSA1_5 -VaultName test-kv -Name test-key -Value (ConvertTo-SecureString -String $result.Result -AsPlainText -Force)

KeyId     : https://test-kv.vault.azure.net/keys/test-key/375cdf20252043b79c8ca0c57b6c7679
Result    : ovQIlbB0DgWhZA7sgkPxbg9H-Ly-VlNGPSgGrrZvlIo
Algorithm : RSA1_5

Unwraps a symmetric key using a specified key test-key stored in test-kv.

Parameters

-Algorithm

Algorithm identifier

Type:	String
Aliases:	EncryptionAlgorithm, WrapAlgorithm
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:	SwitchParameter
Aliases:	cf
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:	IAzureContextContainer
Aliases:	AzContext, AzureRmContext, AzureCredential
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-HsmName

HSM name.

Type:	String
Position:	0
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-InputObject

Key object

Type:	PSKeyVaultKeyIdentityItem
Aliases:	Key
Position:	0
Default value:	None
Accept pipeline input:	True
Accept wildcard characters:	False

-Name

Key name.

Type:	String
Aliases:	KeyName
Position:	1
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-Operation

Algorithm identifier

Type:	String
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-Value

The value to be operated

Type:	SecureString
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-VaultName

Vault name.

Type:	String
Position:	0
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-Version

Key version.

Type:	String
Aliases:	KeyVersion
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:	SwitchParameter
Aliases:	wi
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

Inputs

PSKeyVaultKeyIdentityItem

Outputs

PSKeyOperationResult