az keyvault key

Manage keys.

Commands

Name	Description	Type	Status
az keyvault key backup	Request that a backup of the specified key be downloaded to the client.	Core	GA
az keyvault key create	Create a new key, stores it, then returns key parameters and attributes to the client.	Core	GA
az keyvault key decrypt	Decrypt a single block of encrypted data.	Core	Preview
az keyvault key delete	Delete a key of any type from storage in Vault or HSM.	Core	GA
az keyvault key download	Download the public part of a stored key.	Core	GA
az keyvault key encrypt	Encrypt an arbitrary sequence of bytes using an encryption key that is stored in a Vault or HSM.	Core	Preview
az keyvault key get-attestation	Get a key's attestation blob.	Core	GA
az keyvault key get-policy-template	Return policy template as JSON encoded policy definition.	Core	Preview
az keyvault key import	Import a private key.	Core	GA
az keyvault key list	List keys in the specified Vault or HSM.	Core	GA
az keyvault key list-deleted	List the deleted keys in the specified Vault or HSM.	Core	GA
az keyvault key list-versions	List the identifiers and properties of a key's versions.	Core	GA
az keyvault key purge	Permanently delete the specified key.	Core	GA
az keyvault key random	Get the requested number of random bytes from a managed HSM.	Core	GA
az keyvault key recover	Recover the deleted key to its latest version.	Core	GA
az keyvault key restore	Restore a backed up key to a Vault or HSM.	Core	GA
az keyvault key rotate	Rotate the key based on the key policy by generating a new version of the key.	Core	GA
az keyvault key rotation-policy	Manage key's rotation policy.	Core	GA
az keyvault key rotation-policy show	Get the rotation policy of a Key Vault key.	Core	GA
az keyvault key rotation-policy update	Update the rotation policy of a Key Vault key.	Core	GA
az keyvault key set-attributes	The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Vault or HSM.	Core	GA
az keyvault key show	Get a key's attributes and, if it's an asymmetric key, its public material.	Core	GA
az keyvault key show-deleted	Get the public part of a deleted key.	Core	GA
az keyvault key sign	Create a signature from a digest using a key that is stored in a Vault or HSM.	Core	GA
az keyvault key verify	Verify a signature using the key that is stored in a Vault or HSM.	Core	GA

az keyvault key backup

Edit

Request that a backup of the specified key be downloaded to the client.

The Key Backup operation exports a key from Vault or HSM in a protected form. Note that this operation does NOT return key material in a form that can be used outside the Vault or HSM system, the returned key material is either protected to a HSM or to Vault itself. The intent of this operation is to allow a client to GENERATE a key in one Vault or HSM instance, BACKUP the key, and then RESTORE it into another Vault or HSM instance. The BACKUP operation may be used to export, in protected form, any key type from Vault or HSM. Individual versions of a key cannot be backed up. BACKUP / RESTORE can be performed within geographical boundaries only; meaning that a BACKUP from one geographical area cannot be restored to another geographical area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This operation requires the key/backup permission.

az keyvault key backup --file
                       [--hsm-name]
                       [--id]
                       [--name]
                       [--vault-name]

Required Parameters

--file -f

Local file path in which to store key backup.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key create

Edit

Create a new key, stores it, then returns key parameters and attributes to the client.

The create key operation can be used to create any key type in Vault or HSM. If the named key already exists, Vault or HSM creates a new version of the key. It requires the keys/create permission.

az keyvault key create [--curve {P-256, P-256K, P-384, P-521}]
                       [--default-cvm-policy]
                       [--disabled {false, true}]
                       [--expires]
                       [--exportable {false, true}]
                       [--hsm-name]
                       [--id]
                       [--immutable {false, true}]
                       [--kty {EC, EC-HSM, RSA, RSA-HSM, oct, oct-HSM}]
                       [--name]
                       [--not-before]
                       [--ops {decrypt, encrypt, export, import, sign, unwrapKey, verify, wrapKey}]
                       [--policy]
                       [--protection {hsm, software}]
                       [--size]
                       [--tags]
                       [--vault-name]

Examples

Create a key in a specified Key Vault with a given name. (autogenerated)

az keyvault key create --vault-name envault -n enkey

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--curve

Elliptic curve name. For valid values, see: https://learn.microsoft.com/rest/api/keyvault/keys/create-key/create-key#jsonwebkeycurvename.

Property	Value
Accepted values:	P-256, P-256K, P-384, P-521

--default-cvm-policy

Use default policy under which the key can be exported for CVM disk encryption.

Property	Value
Default value:	False

--disabled

Create key in disabled state.

Property	Value
Default value:	False
Accepted values:	false, true

--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--exportable

Whether the private key can be exported. To create key with release policy, "exportable" must be true and caller must have "export" permission.

Property	Value
Accepted values:	false, true

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--immutable

Mark a release policy as immutable. An immutable release policy cannot be changed or updated after being marked immutable. Release policies are mutable by default.

Property	Value
Accepted values:	false, true

--kty

The type of key to create. For valid values, see: https://learn.microsoft.com/rest/api/keyvault/keys/create-key/create-key#jsonwebkeytype.

Property	Value
Accepted values:	EC, EC-HSM, RSA, RSA-HSM, oct, oct-HSM

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--ops

Space-separated list of permitted JSON web key operations.

Property	Value
Accepted values:	decrypt, encrypt, export, import, sign, unwrapKey, verify, wrapKey

--policy

The policy rules under which the key can be exported. Policy definition as JSON, or a path to a file containing JSON policy definition.

--protection -p

Specifies the type of key protection.

Property	Value
Accepted values:	hsm, software

--size

The key size in bits. For example: 2048, 3072, or 4096 for RSA. 128, 192, or 256 for oct.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key decrypt

Edit

Preview

This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Decrypt a single block of encrypted data.

The DECRYPT operation decrypts a well-formed block of ciphertext using the target encryption key and specified algorithm. This operation is the reverse of the ENCRYPT operation; only a single block of data may be decrypted, the size of this block is dependent on the target key and the algorithm to be used. The DECRYPT operation applies to asymmetric and symmetric keys stored in Vault or HSM since it uses the private portion of the key. This operation requires the keys/decrypt permission.

az keyvault key decrypt --algorithm {A128CBC, A128CBCPAD, A128GCM, A192CBC, A192CBCPAD, A192GCM, A256CBC, A256CBCPAD, A256GCM, CKM_AES_KEY_WRAP, CKM_AES_KEY_WRAP_PAD, RSA-OAEP, RSA-OAEP-256, RSA1_5}
                        --value
                        [--aad]
                        [--data-type {base64, plaintext}]
                        [--hsm-name]
                        [--id]
                        [--iv]
                        [--name]
                        [--tag]
                        [--vault-name]
                        [--version]

Examples

Decrypt value(Base64 encoded string returned by encrypt command) with vault's key using RSA-OAEP and get result as base64 encoded.

az keyvault key decrypt --name mykey --vault-name myvault --algorithm RSA-OAEP --data-type base64 --value "CbFcCxHG7WTU+nbpFRrHoqSduwlPy8xpWxf1JxZ2y12BY/qFJirMSYq1i4SO9rvSmvmEMxFV5kw5s9Tc+YoKmv8X6oe+xXx+JytYV8obA5l3OQD9epuuQHWW0kir/mp88lzhcYWxYuF7mKDpPKDV4if+wnAZqQ4woB6t2JEZU5MVK3s+3E/EU4ehb5XrVxAl6xpYy8VYbyF33uJ5s+aUsYIrsVtXgrW99HQ3ic7tJtIOGuWqKhPCdQRezRkOcyxkJcmnDHOLjWA/9strzzx/dyg/t884gT7qrkmIHh8if9SFal/vi1h4XhoDqUleMTnKev2IFHyDNcYVYG3pftJiuA=="

Decrypt value(Base64 encoded string returned by encrypt command) with MHSM's key using AES-GCM and get result as plaintext.

az keyvault key decrypt --name mykey --hsm-name myhsm --algorithm A256GCM --value "N5w02jS77xg536Ddzv/xPWQ=" --data-type plaintext
--aad "101112131415161718191a1b1c1d1e1f" --iv "727b26f78e55cf4cd8d34216" --tag "f7207d02cead35a77a1c7e5f8af959e9"

Required Parameters

--algorithm -a

Algorithm identifier.

Property	Value
Accepted values:	A128CBC, A128CBCPAD, A128GCM, A192CBC, A192CBCPAD, A192GCM, A256CBC, A256CBCPAD, A256GCM, CKM_AES_KEY_WRAP, CKM_AES_KEY_WRAP_PAD, RSA-OAEP, RSA-OAEP-256, RSA1_5

--value

The value to be decrypted, which should be the result of "az keyvault encrypt".

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--aad

Optional data that is authenticated but not encrypted. For use with AES-GCM decryption.

--data-type

The type of the original data.

Property	Value
Default value:	base64
Accepted values:	base64, plaintext

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--iv

The initialization vector used during encryption. Required for AES decryption.

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--tag

The authentication tag generated during encryption. Required for only AES-GCM decryption.

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

--version -v

The key version. If omitted, uses the latest version.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key delete

Edit

Delete a key of any type from storage in Vault or HSM.

The delete key operation cannot be used to remove individual versions of a key. This operation removes the cryptographic material associated with the key, which means the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations. This operation requires the keys/delete permission.

az keyvault key delete [--hsm-name]
                       [--id]
                       [--name]
                       [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key download

Edit

Download the public part of a stored key.

az keyvault key download --file
                         [--encoding {DER, PEM}]
                         [--hsm-name]
                         [--id]
                         [--name]
                         [--vault-name]
                         [--version]

Examples

Save the key with PEM encoding.

az keyvault key download --vault-name MyKeyVault -n MyKey -e PEM -f mykey.pem

Save the key with DER encoding.

az keyvault key download --vault-name MyKeyVault -n MyKey -e DER -f mykey.der

Required Parameters

--file -f

File to receive the key contents.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--encoding -e

Encoding of the key, default: PEM.

Property	Value
Default value:	PEM
Accepted values:	DER, PEM

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

--version -v

The key version. If omitted, uses the latest version.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key encrypt

Edit

Preview

This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Encrypt an arbitrary sequence of bytes using an encryption key that is stored in a Vault or HSM.

The ENCRYPT operation encrypts an arbitrary sequence of bytes using an encryption key that is stored in Vault or HSM. Note that the ENCRYPT operation only supports a single block of data, the size of which is dependent on the target key and the encryption algorithm to be used. The ENCRYPT operation is only strictly necessary for symmetric keys stored in Vault pr HSM since protection with an asymmetric key can be performed using public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/encrypt permission.

az keyvault key encrypt --algorithm {A128CBC, A128CBCPAD, A128GCM, A192CBC, A192CBCPAD, A192GCM, A256CBC, A256CBCPAD, A256GCM, CKM_AES_KEY_WRAP, CKM_AES_KEY_WRAP_PAD, RSA-OAEP, RSA-OAEP-256, RSA1_5}
                        --value
                        [--aad]
                        [--data-type {base64, plaintext}]
                        [--hsm-name]
                        [--id]
                        [--iv]
                        [--name]
                        [--vault-name]
                        [--version]

Examples

Encrypt value(Base64 encoded string) with vault's key using RSA-OAEP.

az keyvault key encrypt --name mykey --vault-name myvault --algorithm RSA-OAEP --value "YWJjZGVm" --data-type base64

Encrypt value(plaintext) with MHSM's key using AES-GCM.

az keyvault key encrypt --name mykey --hsm-name myhsm --algorithm A256GCM --value "this is plaintext" --data-type plaintext --aad "101112131415161718191a1b1c1d1e1f"

Required Parameters

--algorithm -a

Algorithm identifier.

Property	Value
Accepted values:	A128CBC, A128CBCPAD, A128GCM, A192CBC, A192CBCPAD, A192GCM, A256CBC, A256CBCPAD, A256GCM, CKM_AES_KEY_WRAP, CKM_AES_KEY_WRAP_PAD, RSA-OAEP, RSA-OAEP-256, RSA1_5

--value

The value to be encrypted. Default data type is Base64 encoded string.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--aad

Optional data that is authenticated but not encrypted. For use with AES-GCM encryption.

--data-type

The type of the original data.

Property	Value
Default value:	base64
Accepted values:	base64, plaintext

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--iv

Initialization vector. Required for only AES-CBC(PAD) encryption.

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

--version -v

The key version. If omitted, uses the latest version.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key get-attestation

Edit

Get a key's attestation blob.

This command is applicable to any key stored in Azure Key Vault Managed HSM. This operation requires the keys/get permission.

az keyvault key get-attestation [--file]
                                [--hsm-name]
                                [--id]
                                [--name]
                                [--version]

Examples

Get a key's attestation.

az keyvault key get-attestation --hsm-name myhsm -n mykey

Save the key's attestation to local file.

az keyvault key get-attestation --hsm-name myhsm -n mykey -f mykeyattestation.json

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--file -f

File to receive the key's attestation if you want to save it.

--hsm-name

Name of the HSM. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--version -v

The key version. If omitted, uses the latest version.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key get-policy-template

Edit

Preview

This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Return policy template as JSON encoded policy definition.

az keyvault key get-policy-template

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key import

Edit

Import a private key.

Supports importing base64 encoded private keys from PEM files or strings. Supports importing BYOK keys into HSM for premium key vaults.

az keyvault key import [--byok-file]
                       [--byok-string]
                       [--curve {P-256, P-256K, P-384, P-521}]
                       [--default-cvm-policy]
                       [--disabled {false, true}]
                       [--expires]
                       [--exportable {false, true}]
                       [--hsm-name]
                       [--id]
                       [--immutable {false, true}]
                       [--kty {EC, RSA, oct}]
                       [--name]
                       [--not-before]
                       [--ops {decrypt, encrypt, export, import, sign, unwrapKey, verify, wrapKey}]
                       [--pem-file]
                       [--pem-password]
                       [--pem-string]
                       [--policy]
                       [--protection {hsm, software}]
                       [--tags]
                       [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--byok-file

BYOK file containing the key to be imported. Must not be password protected.

Property	Value
Parameter group:	Key Source Arguments

--byok-string

BYOK string containing the key to be imported. Must not be password protected.

Property	Value
Parameter group:	Key Source Arguments

--curve

The curve name of the key to import (only for BYOK).

Property	Value
Accepted values:	P-256, P-256K, P-384, P-521

--default-cvm-policy

Use default policy under which the key can be exported for CVM disk encryption.

Property	Value
Default value:	False

--disabled

Create key in disabled state.

Property	Value
Default value:	False
Accepted values:	false, true

--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--exportable

Whether the private key can be exported. To create key with release policy, "exportable" must be true and caller must have "export" permission.

Property	Value
Accepted values:	false, true

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--immutable

Mark a release policy as immutable. An immutable release policy cannot be changed or updated after being marked immutable. Release policies are mutable by default.

Property	Value
Accepted values:	false, true

--kty

The type of key to import (only for BYOK).

Property	Value
Default value:	RSA
Accepted values:	EC, RSA, oct

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--ops

Space-separated list of permitted JSON web key operations.

Property	Value
Accepted values:	decrypt, encrypt, export, import, sign, unwrapKey, verify, wrapKey

--pem-file

PEM file containing the key to be imported.

Property	Value
Parameter group:	Key Source Arguments

--pem-password

Password of PEM file.

Property	Value
Parameter group:	Key Source Arguments

--pem-string

PEM string containing the key to be imported.

Property	Value
Parameter group:	Key Source Arguments

--policy

The policy rules under which the key can be exported. Policy definition as JSON, or a path to a file containing JSON policy definition.

--protection -p

Specifies the type of key protection.

Property	Value
Accepted values:	hsm, software

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key list

Edit

List keys in the specified Vault or HSM.

Retrieve a list of the keys in the Vault or HSM as JSON Web Key structures that contain the public part of a stored key. The LIST operation is applicable to all key types, however only the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response. This operation requires the keys/list permission.

az keyvault key list [--hsm-name]
                     [--id]
                     [--include-managed {false, true}]
                     [--maxresults]
                     [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM. Can be omitted if --id is specified.

Property	Value
Parameter group:	Id Arguments

--id

Full URI of the Vault or HSM. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--include-managed

Include managed keys.

Property	Value
Default value:	False
Accepted values:	false, true

--maxresults

Maximum number of results to return.

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key list-deleted

Edit

List the deleted keys in the specified Vault or HSM.

Retrieve a list of the keys in the Vault or HSM as JSON Web Key structures that contain the public part of a deleted key. This operation includes deletion-specific information. The Get Deleted Keys operation is applicable for vaults enabled for soft-delete. While the operation can be invoked on any Vault or HSM, it will return an error if invoked on a non soft-delete enabled Vault or HSM. This operation requires the keys/list permission.

az keyvault key list-deleted [--hsm-name]
                             [--id]
                             [--maxresults]
                             [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM. Can be omitted if --id is specified.

Property	Value
Parameter group:	Id Arguments

--id

Full URI of the Vault or HSM. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--maxresults

Maximum number of results to return.

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key list-versions

Edit

List the identifiers and properties of a key's versions.

Requires keys/list permission.

az keyvault key list-versions [--hsm-name]
                              [--id]
                              [--maxresults]
                              [--name]
                              [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--maxresults

Maximum number of results to return.

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key purge

Edit

Permanently delete the specified key.

The Purge Deleted Key operation is applicable for soft-delete enabled Vaults or HSMs. While the operation can be invoked on any Vault or HSM, it will return an error if invoked on a non soft-delete enabled Vault or HSM. This operation requires the keys/purge permission.

az keyvault key purge [--hsm-name]
                      [--id]
                      [--name]
                      [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

The recovery id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key random

Edit

Get the requested number of random bytes from a managed HSM.

az keyvault key random --count
                       [--hsm-name]
                       [--id]

Required Parameters

--count

The requested number of random bytes.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM.

Property	Value
Parameter group:	Id Arguments

--id

Full URI of the HSM.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key recover

Edit

Recover the deleted key to its latest version.

The Recover Deleted Key operation is applicable for deleted keys in soft-delete enabled Vaults or HSMs. It recovers the deleted key back to its latest version under /keys. An attempt to recover an non-deleted key will return an error. Consider this the inverse of the delete operation on soft-delete enabled Vaults or HSMs. This operation requires the keys/recover permission.

az keyvault key recover [--hsm-name]
                        [--id]
                        [--name]
                        [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

The recovery id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key restore

Edit

Restore a backed up key to a Vault or HSM.

Import a previously backed up key into Vault or HSM, restoring the key, its key identifier, attributes and access control policies. The RESTORE operation may be used to import a previously backed up key. Individual versions of a key cannot be restored. The key is restored in its entirety with the same key name as it had when it was backed up. If the key name is not available in the target Key Vault, the RESTORE operation will be rejected. While the key name is retained during restore, the final key identifier will change if the key is restored to a different Vault or HSM. Restore will restore all versions and preserve version identifiers. The RESTORE operation is subject to security constraints. The target Vault or HSM must be owned by the same Microsoft Azure Subscription as the source Vault or HSM. The user must have RESTORE permission in the target Vault or HSM. This operation requires the keys/restore permission.

az keyvault key restore [--backup-folder]
                        [--blob-container-name]
                        [--file]
                        [--hsm-name]
                        [--id]
                        [--name]
                        [--no-wait]
                        [--storage-account-name]
                        [--storage-container-SAS-token]
                        [--storage-resource-uri]
                        [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--backup-folder

Name of the blob container which contains the backup.

Property	Value
Parameter group:	Restoring keys from storage account Arguments

--blob-container-name

Name of Blob Container.

Property	Value
Parameter group:	Storage Id Arguments

--file -f

Local key backup from which to restore key.

--hsm-name

Name of the HSM. Can be omitted if --id is specified.

Property	Value
Parameter group:	Id Arguments

--id

Full URI of the Vault or HSM. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--name -n

Name of the key. (Only for restoring from storage account).

Property	Value
Parameter group:	Restoring keys from storage account Arguments

--no-wait

Do not wait for the long-running operation to finish.

Property	Value
Default value:	False

--storage-account-name

Name of Azure Storage Account.

Property	Value
Parameter group:	Storage Id Arguments

--storage-container-SAS-token -t

The SAS token pointing to an Azure Blob storage container.

Property	Value
Parameter group:	Restoring keys from storage account Arguments

--storage-resource-uri -u

Azure Blob storage container Uri. If specified, all other 'Storage Id' arguments should be omitted.

Property	Value
Parameter group:	Storage Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key rotate

Edit

Rotate the key based on the key policy by generating a new version of the key.

az keyvault key rotate [--hsm-name]
                       [--id]
                       [--name]
                       [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key set-attributes

Edit

The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Vault or HSM.

In order to perform this operation, the key must already exist in the Vault or HSM. The cryptographic material of a key itself cannot be changed. This operation requires the keys/update permission.

az keyvault key set-attributes [--enabled {false, true}]
                               [--expires]
                               [--hsm-name]
                               [--id]
                               [--immutable {false, true}]
                               [--name]
                               [--not-before]
                               [--ops {decrypt, encrypt, export, import, sign, unwrapKey, verify, wrapKey}]
                               [--policy]
                               [--tags]
                               [--vault-name]
                               [--version]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--enabled

Enable the key.

Property	Value
Accepted values:	false, true

--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--immutable

Mark a release policy as immutable. An immutable release policy cannot be changed or updated after being marked immutable. Release policies are mutable by default.

Property	Value
Accepted values:	false, true

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--ops

Space-separated list of permitted JSON web key operations.

Property	Value
Accepted values:	decrypt, encrypt, export, import, sign, unwrapKey, verify, wrapKey

--policy

The policy rules under which the key can be exported. Policy definition as JSON, or a path to a file containing JSON policy definition.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

--version -v

The key version. If omitted, uses the latest version.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key show

Edit

Get a key's attributes and, if it's an asymmetric key, its public material.

Requires keys/get permission.

az keyvault key show [--hsm-name]
                     [--id]
                     [--name]
                     [--vault-name]
                     [--version]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

--version -v

The key version. If omitted, uses the latest version.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key show-deleted

Edit

Get the public part of a deleted key.

The Get Deleted Key operation is applicable for soft-delete enabled Vaults or HSMs. While the operation can be invoked on any Vault or HSM, it will return an error if invoked on a non soft-delete enabled Vault or HSM. This operation requires the keys/get permission.

az keyvault key show-deleted [--hsm-name]
                             [--id]
                             [--name]
                             [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key sign

Edit

Create a signature from a digest using a key that is stored in a Vault or HSM.

az keyvault key sign --algorithm {ES256, ES256K, ES384, ES512, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS384, RS512}
                     --digest
                     [--hsm-name]
                     [--id]
                     [--name]
                     [--vault-name]
                     [--version]

Examples

Create a signature from a digest using keyvault's key.

az keyvault key sign --name mykey --vault-name myvault --algorithm RS256 --digest "12345678901234567890123456789012"

Required Parameters

--algorithm -a

Algorithm identifier.

Property	Value
Accepted values:	ES256, ES256K, ES384, ES512, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS384, RS512

--digest

The value to sign.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

--version -v

The key version. If omitted, uses the latest version.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault key verify

Edit

Verify a signature using the key that is stored in a Vault or HSM.

az keyvault key verify --algorithm {ES256, ES256K, ES384, ES512, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS384, RS512}
                       --digest
                       --signature
                       [--hsm-name]
                       [--id]
                       [--name]
                       [--vault-name]
                       [--version]

Examples

Verify a signature using keyvault's key.

az keyvault key verify --name mykey --vault-name myvault --algorithm RS256 --digest "12345678901234567890123456789012" --signature XXXYYYZZZ

Required Parameters

--algorithm -a

Algorithm identifier.

Property	Value
Accepted values:	ES256, ES256K, ES384, ES512, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS384, RS512

--digest

The value to sign.

--signature

Signature to verify.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--hsm-name

Name of the HSM. (--hsm-name and --vault-name are mutually exclusive, please specify just one of them).

Property	Value
Parameter group:	Id Arguments

--id

Id of the key. If specified all other 'Id' arguments should be omitted.

Property	Value
Parameter group:	Id Arguments

--name -n

Name of the key. Required if --id is not specified.

Property	Value
Parameter group:	Id Arguments

--vault-name

Name of the Vault.

Property	Value
Parameter group:	Id Arguments

--version -v

The key version. If omitted, uses the latest version.

Property	Value
Parameter group:	Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

Share via

az keyvault key

Commands

az keyvault key backup

Required Parameters

Optional Parameters

az keyvault key create

Examples

Optional Parameters

az keyvault key decrypt

Examples

Required Parameters

Optional Parameters

az keyvault key delete

Optional Parameters

az keyvault key download

Examples

Required Parameters

Optional Parameters

az keyvault key encrypt

Examples

Required Parameters

Optional Parameters

az keyvault key get-attestation

Examples

Optional Parameters

az keyvault key get-policy-template

az keyvault key import

Optional Parameters

az keyvault key list

Optional Parameters

az keyvault key list-deleted

Optional Parameters

az keyvault key list-versions

Optional Parameters

az keyvault key purge

Optional Parameters

az keyvault key random

Required Parameters

Optional Parameters

az keyvault key recover

Optional Parameters

az keyvault key restore

Optional Parameters

az keyvault key rotate

Optional Parameters

az keyvault key set-attributes

Optional Parameters

az keyvault key show

Optional Parameters

az keyvault key show-deleted

Optional Parameters

az keyvault key sign

Examples

Required Parameters

Optional Parameters

az keyvault key verify

Examples

Required Parameters

Optional Parameters

Feedback