Import Key - Import Key

Imports an externally created key, stores it, and returns key parameters and attributes to the client.
The import key operation may be used to import any key type into an Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission.

PUT {vaultBaseUrl}/keys/{key-name}?api-version=7.0

URI Parameters

Name In Required Type Description
key-name
path True
  • string

Name for the imported key.

Regex pattern: ^[0-9a-zA-Z-]+$

vaultBaseUrl
path True
  • string

The vault name, for example https://myvault.vault.azure.net.

api-version
query True
  • string

Client API version.

Request Body

Name Required Type Description
Hsm
  • boolean

Whether to import as a hardware key (HSM) or software key.

attributes

The key management attributes.

key True

The Json web key

tags
  • object

Application specific metadata in the form of key-value pairs.

Responses

Name Type Description
200 OK

Imported key bundle to the vault.

Other Status Codes

Key Vault error response describing why the operation failed.

Examples

Import key

Sample Request

PUT {vaultBaseUrl}/keys/ImportSoftKeyTest?api-version=7.0
{
  "key": {
    "kty": "RSA",
    "n": "nKAwarTrOpzd1hhH4cQNdVTgRF-b0ubPD8ZNVf0UXjb62QuAk3Dn68ESThcF7SoDYRx2QVcfoMC9WCcuQUQDieJF-lvJTSer1TwH72NBovwKlHvrXqEI0a6_uVYY5n-soGt7qFZNbwQLdWWA6PrbqTLIkv6r01dcuhTiQQAn6OWEa0JbFvWfF1kILQIaSBBBaaQ4R7hZs7-VQTHGD7J1xGteof4gw2VTiwNdcE8p5UG5b6S9KQwAeET4yB4KFPwQ3TDdzxJQ89mwYVi_sgAIggN54hTq4oEKYJHBOMtFGIN0_HQ60ZSUnpOi87xNC-8VFqnv4rfTQ7nkK6XMvjMVfw",
    "e": "AQAB",
    "d": "GeT1_D5LAZa7qlC7WZ0DKJnOth8kcPrN0urTEFtWCbmHQWkAad_px_VUpGp0BWDDzENbXbQcu4QCCdf4crve5eXt8dVI86OSah-RpEdBq8OFsETIhg2Tmq8MbYTJexoynRcIC62xAaCmkFMmu931gQSvWnYWTEuOPgmD2oE_F-bP9TFlGRc69a6MSbtcSRyFTsd5KsUr40QS4zf2W4kZCOWejyLuxk88SXgUqcJx86Ulc1Ol1KkTBLadvReAZCyCMwKBlNRGw46BU_iK0vK7rTD9fmEd639Gjti6eLpnyQYpnVe8uGgwVU1fHBkAKyapWoEG6VMhMntcrvgukKLIsQ",
    "dp": "ZGnmWx-Nca71z9a9vvT4g02iv3S-3kSgmhl8JST09YQwK8tfiK7nXnNMtXJi2K4dLKKnLicGtCzB6W3mXdLcP2SUOWDOeStoBt8HEBT4MrI1psCKqnBum78WkHju90rBFj99amkP6UeQy5EASAzgmKQu2nUaUnRV0lYP8LHMCkE",
    "dq": "dtpke0foFs04hPS6XYLA5lc7-1MAHfZKN4CkMAofwDqPmRQzCxpDJUk0gMWGJEdU_Lqfbg22Py44cci0dczH36NW3UU5BL86T2_SPPDOuyX7kDscrIJCdowxQCGJHGRBEozM_uTL46wu6UnUIv7m7cuGgodJyZBcdwpo6ziFink",
    "qi": "Y9KD5GaHkAYmAqpOfAQUMr71QuAAaBb0APzMuUvoEYw39PD3_vJeh9HZ15QmJ8zCX10-nlzUB-bWwvK-rGcJXbK4pArilr5MiaYv7e8h5eW2zs2_itDJ6Oebi-wVbMhg7DvUTBbkCvPhhIedE4UlDQmMYP7RhzVVs7SfmkGs_DQ",
    "p": "v1jeCPnuJQM2PW2690Q9KJk0Ulok8VFGjkcHUHVi3orKdy7y_TCIWM6ZGvgFzI6abinzYbTEPKV4wFdMAwvOWmawXj5YrsoeB44_HXJ0ak_5_iP6XXR8MLGXbd0ZqsxvAZyzMj9vyle7EN2cBod6aenI2QZoRDucPvjPwZsZotk",
    "q": "0Yv-Dj6qnvx_LL70lUnKA6MgHE_bUC4drl5ZNDDsUdUUYfxIK4G1rGU45kHGtp-Qg-Uyf9s52ywLylhcVE3jfbjOgEozlSwKyhqfXkLpMLWHqOKj9fcfYd4PWKPOgpzWsqjA6fJbBUMYo0CU2G9cWCtVodO7sBJVSIZunWrAlBc"
  },
  "tags": {
    "purpose": "unit test"
  }
}

Sample Response

{
  "key": {
    "kid": "https://kv-sdk-test.vault-int.azure-int.net/keys/ImportSoftKeyTest/2eb4a15d74184c6f84159c3ca90f0f4b",
    "kty": "RSA",
    "key_ops": [
      "encrypt",
      "decrypt",
      "sign",
      "verify",
      "wrapKey",
      "unwrapKey"
    ],
    "n": "nKAwarTrOpzd1hhH4cQNdVTgRF-b0ubPD8ZNVf0UXjb62QuAk3Dn68ESThcF7SoDYRx2QVcfoMC9WCcuQUQDieJF-lvJTSer1TwH72NBovwKlHvrXqEI0a6_uVYY5n-soGt7qFZNbwQLdWWA6PrbqTLIkv6r01dcuhTiQQAn6OWEa0JbFvWfF1kILQIaSBBBaaQ4R7hZs7-VQTHGD7J1xGteof4gw2VTiwNdcE8p5UG5b6S9KQwAeET4yB4KFPwQ3TDdzxJQ89mwYVi_sgAIggN54hTq4oEKYJHBOMtFGIN0_HQ60ZSUnpOi87xNC-8VFqnv4rfTQ7nkK6XMvjMVfw",
    "e": "AQAB"
  },
  "attributes": {
    "enabled": true,
    "created": 1493942691,
    "updated": 1493942691,
    "recoveryLevel": "Recoverable+Purgeable"
  },
  "tags": {
    "purpose": "unit test"
  }
}

Definitions

DeletionRecoveryLevel

Reflects the deletion recovery level currently in effect for keys in the current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only the system can purge the key, at the end of the retention interval.

Error

The key vault server error.

JsonWebKey

As of http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18

JsonWebKeyCurveName

Elliptic curve name. For valid values, see JsonWebKeyCurveName.

JsonWebKeyType

JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40.

KeyAttributes

The attributes of a key managed by the key vault service.

KeyBundle

A KeyBundle consisting of a WebKey plus its attributes.

KeyImportParameters

The key import parameters.

KeyVaultError

The key vault error exception.

DeletionRecoveryLevel

Reflects the deletion recovery level currently in effect for keys in the current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only the system can purge the key, at the end of the retention interval.

Name Type Description
Purgeable
  • string
Recoverable
  • string
Recoverable+ProtectedSubscription
  • string
Recoverable+Purgeable
  • string

Error

The key vault server error.

Name Type Description
code
  • string

The error code.

innererror

The key vault server error.

message
  • string

The error message.

JsonWebKey

As of http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18

Name Type Description
crv

Elliptic curve name. For valid values, see JsonWebKeyCurveName.

d
  • string

RSA private exponent, or the D component of an EC private key.

dp
  • string

RSA private key parameter.

dq
  • string

RSA private key parameter.

e
  • string

RSA public exponent.

k
  • string

Symmetric key.

key_hsm
  • string

HSM Token, used with 'Bring Your Own Key'.

key_ops
  • string[]

Supported key operations.

kid
  • string

Key identifier.

kty

JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40.

n
  • string

RSA modulus.

p
  • string

RSA secret prime.

q
  • string

RSA secret prime, with p < q.

qi
  • string

RSA private key parameter.

x
  • string

X component of an EC public key.

y
  • string

Y component of an EC public key.

JsonWebKeyCurveName

Elliptic curve name. For valid values, see JsonWebKeyCurveName.

Name Type Description
P-256
  • string

The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.

P-256K
  • string

The SECG SECP256K1 elliptic curve.

P-384
  • string

The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.

P-521
  • string

The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.

JsonWebKeyType

JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40.

Name Type Description
EC
  • string

Elliptic Curve.

EC-HSM
  • string

Elliptic Curve with a private key which is not exportable from the HSM.

RSA
  • string

RSA (https://tools.ietf.org/html/rfc3447)

RSA-HSM
  • string

RSA with a private key which is not exportable from the HSM.

oct
  • string

Octet sequence (used to represent symmetric keys)

KeyAttributes

The attributes of a key managed by the key vault service.

Name Type Description
created
  • integer

Creation time in UTC.

enabled
  • boolean

Determines whether the object is enabled.

exp
  • integer

Expiry date in UTC.

nbf
  • integer

Not before date in UTC.

recoveryLevel

Reflects the deletion recovery level currently in effect for keys in the current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only the system can purge the key, at the end of the retention interval.

updated
  • integer

Last updated time in UTC.

KeyBundle

A KeyBundle consisting of a WebKey plus its attributes.

Name Type Description
attributes

The key management attributes.

key

The Json web key.

managed
  • boolean

True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true.

tags
  • object

Application specific metadata in the form of key-value pairs.

KeyImportParameters

The key import parameters.

Name Type Description
Hsm
  • boolean

Whether to import as a hardware key (HSM) or software key.

attributes

The key management attributes.

key

The Json web key

tags
  • object

Application specific metadata in the form of key-value pairs.

KeyVaultError

The key vault error exception.

Name Type Description
error

The key vault server error.