az keyvault key

Manage keys.

Commands

az keyvault key backup

Request that a backup of the specified key be downloaded to the client.

az keyvault key create

Create a new key, store it, and return key parameters and attributes to the client.

az keyvault key decrypt

Decrypt a single block of encrypted data.

az keyvault key delete

Delete a key of any type from storage in Vault or HSM.

az keyvault key download

Download the public part of a stored key.

az keyvault key encrypt

Encrypt an arbitrary sequence of bytes using an encryption key that is stored in a Vault or HSM.

az keyvault key get-policy-template

Return policy template as JSON encoded policy definition.

az keyvault key import

Import a private key.

az keyvault key list

List keys in the specified Vault or HSM.

az keyvault key list-deleted

List the deleted keys in the specified Vault or HSM.

az keyvault key list-versions

Retrieve a list of individual key versions with the same key name.

az keyvault key purge

Permanently delete the specified key.

az keyvault key recover

Recover the deleted key to its latest version.

az keyvault key restore

Restore a backed up key to a Vault or HSM.

az keyvault key set-attributes

The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Vault or HSM.

az keyvault key show

Get the public part of a stored key.

az keyvault key show-deleted

Get the public part of a deleted key.

az keyvault key backup

Request that a backup of the specified key be downloaded to the client.

The Key Backup operation exports a key from Vault or HSM in a protected form. Note that this operation does NOT return key material in a form that can be used outside the Vault or HSM system; the returned key material is either protected to an HSM or to Vault itself. The intent of this operation is to allow a client to GENERATE a key in one Vault or HSM instance, BACKUP the key, and then RESTORE it into another Vault or HSM instance. The BACKUP operation may be used to export, in protected form, any key type from Vault or HSM. Individual versions of a key cannot be backed up. BACKUP / RESTORE can be performed within geographical boundaries only, meaning that a BACKUP from one geographical area cannot be restored to another geographical area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This operation requires the key/backup permission.

az keyvault key backup --file
                       [--hsm-name]
                       [--id]
                       [--name]
                       [--subscription]
                       [--vault-name]

Required Parameters

--file -f

Local file path in which to store key backup.

Optional Parameters

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

Id of the Vault or HSM. If specified, all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Key Vault. Required if --id is not specified.

az keyvault key create

Create a new key, store it, and return key parameters and attributes to the client.

The create key operation can be used to create any key type in Vault or HSM. If the named key already exists, Vault or HSM creates a new version of the key. It requires the keys/create permission.

az keyvault key create [--curve {P-256, P-256K, P-384, P-521}]
                       [--disabled {false, true}]
                       [--expires]
                       [--hsm-name]
                       [--id]
                       [--kty {EC, EC-HSM, RSA, RSA-HSM, oct, oct-HSM}]
                       [--name]
                       [--not-before]
                       [--ops {decrypt, encrypt, export, import, sign, unwrapKey, verify, wrapKey}]
                       [--protection {hsm, software}]
                       [--size]
                       [--subscription]
                       [--tags]
                       [--vault-name]

Optional Parameters

--curve

Elliptic curve name. For valid values, see: https://docs.microsoft.com/en-us/rest/api/keyvault/createkey/createkey#jsonwebkeycurvename.

accepted values: P-256, P-256K, P-384, P-521
--disabled

Create key in disabled state.

accepted values: false, true
--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

Id of the Vault or HSM. If specified, all other 'Id' arguments should be omitted.

--kty

The type of key to create. For valid values, see: https://docs.microsoft.com/en-us/rest/api/keyvault/createkey/createkey#jsonwebkeytype.

accepted values: EC, EC-HSM, RSA, RSA-HSM, oct, oct-HSM
--name -n

Name of the key.

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--ops

Space-separated list of permitted JSON web key operations.

accepted values: decrypt, encrypt, export, import, sign, unwrapKey, verify, wrapKey
--protection -p

Specifies the type of key protection.

accepted values: hsm, software
--size

The key size in bits. For example: 2048, 3072, or 4096 for RSA; 128, 192, or 256 for oct.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--vault-name

Name of the Vault.

az keyvault key decrypt

Decrypt a single block of encrypted data.

The DECRYPT operation decrypts a well-formed block of ciphertext using the target encryption key and specified algorithm. This operation is the reverse of the ENCRYPT operation; only a single block of data may be decrypted, and the size of this block is dependent on the target key and the algorithm to be used. The DECRYPT operation applies to asymmetric and symmetric keys stored in Vault or HSM since it uses the private portion of the key. This operation requires the keys/decrypt permission.

az keyvault key decrypt --algorithm {RSA-OAEP, RSA-OAEP-256, RSA1_5}
                        --value
                        [--data-type {base64, plaintext}]
                        [--id]
                        [--name]
                        [--subscription]
                        [--vault-name]
                        [--version]

Required Parameters

--algorithm -a

Algorithm identifier.

accepted values: RSA-OAEP, RSA-OAEP-256, RSA1_5
--value

The value to be decrypted, which should be the result of "az keyvault key encrypt".

Optional Parameters

--data-type

The type of the original data.

accepted values: base64, plaintext
default value: base64
--id

Id of the key. If specified, all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Key Vault. Required if --id is not specified.

--version -v

The key version. If omitted, uses the latest version.

az keyvault key delete

Delete a key of any type from storage in Vault or HSM.

The delete key operation cannot be used to remove individual versions of a key. This operation removes the cryptographic material associated with the key, which means the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations. This operation requires the keys/delete permission.

az keyvault key delete [--hsm-name]
                       [--id]
                       [--name]
                       [--subscription]
                       [--vault-name]

Optional Parameters

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

Id of the key. If specified, all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Key Vault. Required if --id is not specified.

az keyvault key download

Download the public part of a stored key.

az keyvault key download --file
                         [--encoding {DER, PEM}]
                         [--hsm-name]
                         [--id]
                         [--name]
                         [--subscription]
                         [--vault-name]
                         [--version]

Examples

Save the key with PEM encoding.

az keyvault key download --vault-name MyKeyVault -n MyKey -e PEM -f mykey.pem

Save the key with DER encoding.

az keyvault key download --vault-name MyKeyVault -n MyKey -e DER -f mykey.der

Required Parameters

--file -f

File to receive the key contents.

Optional Parameters

--encoding -e

Encoding of the key, default: PEM.

accepted values: DER, PEM
default value: PEM
--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

Id of the Vault or HSM. If specified, all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Key Vault. Required if --id is not specified.

--version -v

The key version. If omitted, uses the latest version.

az keyvault key encrypt

Encrypt an arbitrary sequence of bytes using an encryption key that is stored in a Vault or HSM.

The ENCRYPT operation encrypts an arbitrary sequence of bytes using an encryption key that is stored in Vault or HSM. Note that the ENCRYPT operation only supports a single block of data, the size of which is dependent on the target key and the encryption algorithm to be used. The ENCRYPT operation is only strictly necessary for symmetric keys stored in Vault or HSM, since protection with an asymmetric key can be performed using the public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key reference but do not have access to the public key material. This operation requires the keys/encrypt permission.

az keyvault key encrypt --algorithm {RSA-OAEP, RSA-OAEP-256, RSA1_5}
                        --value
                        [--data-type {base64, plaintext}]
                        [--id]
                        [--name]
                        [--subscription]
                        [--vault-name]
                        [--version]

Required Parameters

--algorithm -a

Algorithm identifier.

accepted values: RSA-OAEP, RSA-OAEP-256, RSA1_5
--value

The value to be encrypted. The default data type is a Base64-encoded string.

Optional Parameters

--data-type

The type of the original data.

accepted values: base64, plaintext
default value: base64
--id

Id of the key. If specified, all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Key Vault. Required if --id is not specified.

--version -v

The key version. If omitted, uses the latest version.
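The single-block ENCRYPT/DECRYPT round trip described above (and under az keyvault key decrypt), as an added example that is not part of the az CLI reference: a POSIX shell script that checks the plaintext fits one RSA-OAEP block, encrypts it as plaintext data, and decrypts the returned base64 value with the same key. The vault name, key name and 2048-bit key size are placeholders, and the script assumes the CLI's JSON output carries the ciphertext (and, for decrypt, the recovered text) in a field named result; set AZ_DRY_RUN=1 to print the commands instead of calling the service.

```shell
#!/bin/sh
# Added example (not from the az CLI reference): encrypt one block of text with a
# Key Vault RSA key, decrypt it with the same key, and check the round trip.
# Vault and key names are placeholders. Usage:
#   sh roundtrip.sh run "some text"   # calls az; needs az login plus keys/encrypt and keys/decrypt
#   AZ_DRY_RUN=1 sh roundtrip.sh run  # prints the az commands to stderr instead of calling the service
set -eu

VAULT="MyKeyVault"        # placeholder vault name
KEY="MyKey"               # placeholder RSA key name (2048-bit assumed below)
ALG="RSA-OAEP-256"        # OAEP with SHA-256; avoid RSA1_5 (PKCS#1 v1.5 padding)

# Thin wrapper so every command can be inspected without touching the service.
az_run() {
  if [ -n "${AZ_DRY_RUN:-}" ]; then printf 'az %s\n' "$*" >&2; else az "$@"; fi
}

# Largest plaintext one RSA-OAEP block can carry: k - 2*hLen - 2 bytes, with k the
# modulus size in bytes and hLen the hash length. $1 = key bits, $2 = hLen in bytes.
max_block_bytes() {
  echo $(( $1 / 8 - 2 * $2 - 2 ))
}

# ENCRYPT is single-block only, so reject oversized input before sending it.
# $1 = plaintext, $2 = RSA key size in bits.
fits_in_block() {
  [ "$(printf '%s' "$1" | wc -c | tr -d ' ')" -le "$(max_block_bytes "$2" 32)" ]
}

# Encrypt a text string; prints the base64 ciphertext. Assumption: the CLI's JSON
# output carries the ciphertext in a field named "result".
encrypt_block() {
  az_run keyvault key encrypt --vault-name "$VAULT" -n "$KEY" -a "$ALG" \
    --data-type plaintext --value "$1" --query result -o tsv
}

# Decrypt base64 ciphertext from encrypt_block; prints the recovered text.
# --data-type plaintext declares that the original data was text, so the CLI
# returns it decoded rather than as base64 (same assumption on the "result" field).
decrypt_block() {
  az_run keyvault key decrypt --vault-name "$VAULT" -n "$KEY" -a "$ALG" \
    --data-type plaintext --value "$1" --query result -o tsv
}

# Returns 0 when decrypt(encrypt(msg)) == msg; 1 on a size or mismatch failure.
round_trip() {
  msg="$1"
  fits_in_block "$msg" 2048 || { echo "plaintext exceeds one RSA-OAEP block" >&2; return 1; }
  ct="$(encrypt_block "$msg")"
  pt="$(decrypt_block "$ct")"
  [ -n "${AZ_DRY_RUN:-}" ] && return 0     # dry run: commands were printed, nothing to compare
  [ "$pt" = "$msg" ]
}

case "${1:-}" in run) round_trip "${2:-hello from key vault}" && echo "round trip OK" ;; esac
```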

az keyvault key get-policy-template

Return policy template as JSON encoded policy definition.

az keyvault key get-policy-template [--subscription]

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault key import

Import a private key.

Supports importing base64 encoded private keys from PEM files or strings. Supports importing BYOK keys into HSM for premium key vaults.

az keyvault key import [--byok-file]
                       [--byok-string]
                       [--disabled {false, true}]
                       [--expires]
                       [--hsm-name]
                       [--id]
                       [--name]
                       [--not-before]
                       [--ops {decrypt, encrypt, export, import, sign, unwrapKey, verify, wrapKey}]
                       [--pem-file]
                       [--pem-password]
                       [--pem-string]
                       [--protection {hsm, software}]
                       [--subscription]
                       [--tags]
                       [--vault-name]

Optional Parameters

--byok-file

BYOK file containing the key to be imported. Must not be password protected.

--byok-string

BYOK string containing the key to be imported. Must not be password protected.

--disabled

Create key in disabled state.

accepted values: false, true
--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

Id of the Vault or HSM. If specified, all other 'Id' arguments should be omitted.

--name -n

Name of the key.

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--ops

Space-separated list of permitted JSON web key operations.

accepted values: decrypt, encrypt, export, import, sign, unwrapKey, verify, wrapKey
--pem-file

PEM file containing the key to be imported.

--pem-password

Password of PEM file.

--pem-string

PEM string containing the key to be imported.

--protection -p

Specifies the type of key protection.

accepted values: hsm, software
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--vault-name

Name of the Vault.

az keyvault key list

List keys in the specified Vault or HSM.

Retrieve a list of the keys in the Vault or HSM as JSON Web Key structures that contain the public part of a stored key. The LIST operation is applicable to all key types, however only the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response. This operation requires the keys/list permission.

az keyvault key list [--hsm-name]
                     [--id]
                     [--maxresults]
                     [--query-examples]
                     [--subscription]
                     [--vault-name]

Optional Parameters

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

Id of the Vault or HSM. If specified, all other 'Id' arguments should be omitted.

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

--query-examples

Recommend a JMESPath string for you. You can copy one of the queries and paste it after the --query parameter within double quotation marks to see the results. You can add one or more positional keywords so that suggestions are based on those keywords.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Vault.

az keyvault key list-deleted

List the deleted keys in the specified Vault or HSM.

Retrieve a list of the keys in the Vault or HSM as JSON Web Key structures that contain the public part of a deleted key. This operation includes deletion-specific information. The Get Deleted Keys operation is applicable for vaults enabled for soft-delete. While the operation can be invoked on any Vault or HSM, it will return an error if invoked on a non soft-delete enabled Vault or HSM. This operation requires the keys/list permission.

az keyvault key list-deleted [--hsm-name]
                             [--id]
                             [--maxresults]
                             [--subscription]
                             [--vault-name]

Optional Parameters

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

Id of the Vault or HSM. If specified, all other 'Id' arguments should be omitted.

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Vault.

az keyvault key list-versions

Retrieve a list of individual key versions with the same key name.

The full key identifier, attributes, and tags are provided in the response. This operation requires the keys/list permission.

az keyvault key list-versions [--hsm-name]
                              [--id]
                              [--maxresults]
                              [--name]
                              [--subscription]
                              [--vault-name]

Optional Parameters

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

Id of the key. If specified, all other 'Id' arguments should be omitted.

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Key Vault. Required if --id is not specified.

az keyvault key purge

Permanently delete the specified key.

The Purge Deleted Key operation is applicable for soft-delete enabled Vaults or HSMs. While the operation can be invoked on any Vault or HSM, it will return an error if invoked on a non soft-delete enabled Vault or HSM. This operation requires the keys/purge permission.

az keyvault key purge [--hsm-name]
                      [--id]
                      [--name]
                      [--subscription]
                      [--vault-name]

Optional Parameters

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

The recovery id of the key. If specified, all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Vault. Required if --id is not specified.

az keyvault key recover

Recover the deleted key to its latest version.

The Recover Deleted Key operation is applicable for deleted keys in soft-delete enabled Vaults or HSMs. It recovers the deleted key back to its latest version under /keys. An attempt to recover a non-deleted key will return an error. Consider this the inverse of the delete operation on soft-delete enabled Vaults or HSMs. This operation requires the keys/recover permission.

az keyvault key recover [--hsm-name]
                        [--id]
                        [--name]
                        [--subscription]
                        [--vault-name]

Optional Parameters

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

The recovery id of the key. If specified, all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Vault. Required if --id is not specified.

az keyvault key restore

Restore a backed up key to a Vault or HSM.

Import a previously backed up key into Vault or HSM, restoring the key, its key identifier, attributes and access control policies. The RESTORE operation may be used to import a previously backed up key. Individual versions of a key cannot be restored. The key is restored in its entirety with the same key name as it had when it was backed up. If the key name is not available in the target Key Vault, the RESTORE operation will be rejected. While the key name is retained during restore, the final key identifier will change if the key is restored to a different Vault or HSM. Restore will restore all versions and preserve version identifiers. The RESTORE operation is subject to security constraints. The target Vault or HSM must be owned by the same Microsoft Azure Subscription as the source Vault or HSM. The user must have RESTORE permission in the target Vault or HSM. This operation requires the keys/restore permission.

az keyvault key restore --file
                        [--hsm-name]
                        [--id]
                        [--subscription]
                        [--vault-name]

Required Parameters

--file -f

Local key backup from which to restore key.

Optional Parameters

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

Id of the Vault or HSM. If specified, all other 'Id' arguments should be omitted.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Vault.
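The GENERATE, BACKUP, RESTORE sequence described under az keyvault key backup and here, as an added example that is not part of the az CLI reference: a POSIX shell script that creates an HSM-protected key limited to sign/verify with an expiry, backs it up, and restores the protected blob into a second vault, refusing to build any command line that carries both --vault-name and --hsm-name. Vault names, the key name and the expiry date are placeholders; set AZ_DRY_RUN=1 to print the commands instead of calling the service.

```shell
#!/bin/sh
# Added example (not from the az CLI reference): create a key with only the
# operations it needs and an expiry, back it up, and restore the backup into a
# second vault in the same subscription and geography. Names and dates are placeholders.
# Usage:
#   sh keylife.sh run                # calls az; needs az login plus keys/create, keys/backup, keys/restore
#   AZ_DRY_RUN=1 sh keylife.sh run   # prints the az commands to stderr instead
set -eu

SRC_VAULT="SourceVault"          # placeholder: vault where the key is generated
DST_VAULT="TargetVault"          # placeholder: must share SRC_VAULT's subscription and geography
KEY="signing-key"                # placeholder key name; RESTORE keeps this name
BACKUP_FILE="${KEY}.backup"      # protected blob from BACKUP; it is not usable key material
EXPIRES="2030-01-01T00:00:00Z"   # placeholder, in the Y-m-d'T'H:M:S'Z' form the CLI expects

az_run() {
  if [ -n "${AZ_DRY_RUN:-}" ]; then printf 'az %s\n' "$*" >&2; else az "$@"; fi
}

# Build the target selector. --vault-name and --hsm-name are mutually exclusive,
# so refuse to emit a command line carrying both. $1 = vault name, $2 = HSM name.
target_args() {
  if [ -n "$1" ] && [ -n "$2" ]; then
    echo "specify only one of vault or HSM" >&2; return 1
  elif [ -n "$1" ]; then printf '%s %s' --vault-name "$1"
  elif [ -n "$2" ]; then printf '%s %s' --hsm-name "$2"
  else echo "a vault or HSM name is required" >&2; return 1
  fi
}

# Catch expiry values in the wrong format before the CLI rejects them.
valid_utc_datetime() {
  printf '%s' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$'
}

# Least privilege at creation: HSM-protected, sign/verify only, with an expiry,
# so the key cannot be used to wrap or decrypt and does not live forever.
create_signing_key() {
  valid_utc_datetime "$EXPIRES" || { echo "bad --expires: $EXPIRES" >&2; return 1; }
  sel="$(target_args "$SRC_VAULT" "")"
  # $sel is left unquoted on purpose so it splits into its two words
  az_run keyvault key create $sel -n "$KEY" --kty RSA-HSM --size 3072 \
    --ops sign verify --expires "$EXPIRES"
}

# BACKUP exports every version of the key in protected form; versions cannot be backed up singly.
backup_key() {
  sel="$(target_args "$SRC_VAULT" "")"
  az_run keyvault key backup $sel -n "$KEY" -f "$BACKUP_FILE"
}

# RESTORE keeps the key name and version identifiers; it is rejected when the
# name already exists in the target, or when the target is in another geography.
restore_key() {
  sel="$(target_args "$DST_VAULT" "")"
  az_run keyvault key restore $sel -f "$BACKUP_FILE"
}

case "${1:-}" in run) create_signing_key && backup_key && restore_key ;; esac
```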

az keyvault key set-attributes

The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Vault or HSM.

In order to perform this operation, the key must already exist in the Vault or HSM. The cryptographic material of a key itself cannot be changed. This operation requires the keys/update permission.

az keyvault key set-attributes [--enabled {false, true}]
                               [--expires]
                               [--hsm-name]
                               [--id]
                               [--name]
                               [--not-before]
                               [--ops {decrypt, encrypt, export, import, sign, unwrapKey, verify, wrapKey}]
                               [--subscription]
                               [--tags]
                               [--vault-name]
                               [--version]

Optional Parameters

--enabled

Enable the key.

accepted values: false, true
--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

Id of the key. If specified, all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--ops

Space-separated list of permitted JSON web key operations.

accepted values: decrypt, encrypt, export, import, sign, unwrapKey, verify, wrapKey
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--vault-name

Name of the Key Vault. Required if --id is not specified.

--version -v

The key version. If omitted, uses the latest version.

az keyvault key show

Get the public part of a stored key.

The get key operation is applicable to all key types. If the requested key is symmetric, then no key material is released in the response. This operation requires the keys/get permission.

az keyvault key show [--hsm-name]
                     [--id]
                     [--name]
                     [--query-examples]
                     [--subscription]
                     [--vault-name]
                     [--version]

Optional Parameters

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

Id of the key. If specified, all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--query-examples

Recommend a JMESPath string for you. You can copy one of the queries and paste it after the --query parameter within double quotation marks to see the results. You can add one or more positional keywords so that suggestions are based on those keywords.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Key Vault. Required if --id is not specified.

--version -v

The key version. If omitted, uses the latest version.

az keyvault key show-deleted

Get the public part of a deleted key.

The Get Deleted Key operation is applicable for soft-delete enabled Vaults or HSMs. While the operation can be invoked on any Vault or HSM, it will return an error if invoked on a non soft-delete enabled Vault or HSM. This operation requires the keys/get permission.

az keyvault key show-deleted [--hsm-name]
                             [--id]
                             [--name]
                             [--subscription]
                             [--vault-name]

Optional Parameters

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive; specify just one of them.)

--id

The recovery id of the key. If specified, all other 'Id' arguments should be omitted.

--name -n

Name of the key. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the Vault. Required if --id is not specified.