az keyvault security-domain
Manage security domain operations.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az keyvault security-domain download |
Download the security domain file from the HSM. |
Core | GA |
| az keyvault security-domain init-recovery |
Retrieve the exchange key of the HSM. |
Core | GA |
| az keyvault security-domain restore-blob |
Enable to decrypt and encrypt security domain file as blob. Can be run in offline environment, before file is uploaded to HSM using security-domain upload. |
Core | GA |
| az keyvault security-domain upload |
Start to restore the HSM. |
Core | GA |
| az keyvault security-domain wait |
Place the CLI in a waiting state until HSM security domain operation is finished. |
Core | GA |
az keyvault security-domain download
Download the security domain file from the HSM.
az keyvault security-domain download --sd-quorum
--sd-wrapping-keys
--security-domain-file
[--hsm-name]
[--id]
[--no-wait]Examples
Security domain download (N=3, M=2).
az keyvault security-domain download --hsm-name MyHSM --security-domain-file "{SD_FILE_NAME}" --sd-quorum 2 --sd-wrapping-keys "{PEM_PUBLIC_KEY1_FILE_NAME}" "{PEM_PUBLIC_KEY2_FILE_NAME}" "{PEM_PUBLIC_KEY3_FILE_NAME}"Required Parameters
The minimum number of shares required to decrypt the security domain for recovery.
Space-separated file paths to PEM files containing public keys.
Path to a file where the JSON blob returned by this command is stored.
Optional Parameters
Name of the HSM. Can be omitted if --id is specified.
Full URI of the HSM.
Do not wait for the long-running operation to finish.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault security-domain init-recovery
Retrieve the exchange key of the HSM.
az keyvault security-domain init-recovery --sd-exchange-key
[--hsm-name]
[--id]Examples
Retrieve the exchange key and store it.
az keyvault security-domain init-recovery --hsm-name MyHSM --sd-exchange-key "{PATH_TO_RESTORE}"Required Parameters
Local file path to store the exported key.
Optional Parameters
Name of the HSM. Can be omitted if --id is specified.
Full URI of the HSM.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault security-domain restore-blob
Enable to decrypt and encrypt security domain file as blob. Can be run in offline environment, before file is uploaded to HSM using security-domain upload.
az keyvault security-domain restore-blob --sd-exchange-key
--sd-file
--sd-file-restore-blob
--sd-wrapping-keys
[--passwords]Examples
Security domain restore blob.
az keyvault security-domain restore-blob --sd-file "{SD_TRANSFER_FILE}" --sd-exchange-key "{PEM_FILE_NAME}" --sd-wrapping-keys "{PEM_PRIVATE_KEY1_FILE_NAME}" "{PEM_PRIVATE_KEY2_FILE_NAME}" --sd-file-restore-blob "{SD_TRANSFER_FILE_RESTORE_BLOB}"Required Parameters
The exchange key for security domain.
This file contains security domain encrypted using SD Exchange file downloaded in security-domain init-recovery command.
Local file path to store the security domain encrypted with the exchange key.
Space-separated file paths to PEM files containing private keys.
Optional Parameters
Space-separated password list for --sd-wrapping-keys. CLI will match them in order. Can be omitted if your keys are without password protection.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault security-domain upload
Start to restore the HSM.
az keyvault security-domain upload --sd-file
[--hsm-name]
[--id]
[--no-wait]
[--passwords]
[--restore-blob]
[--sd-exchange-key]
[--sd-wrapping-keys]Examples
Security domain upload (M=2).
az keyvault security-domain upload --hsm-name MyHSM --sd-file "{SD_TRANSFER_FILE}" --sd-exchange-key "{PEM_FILE_NAME}" --sd-wrapping-keys "{PEM_PRIVATE_KEY1_FILE_NAME}" "{PEM_PRIVATE_KEY2_FILE_NAME}"Security domain upload, in which sd_file is already restored using keyvault security-domain restore-blob command
az keyvault security-domain upload --hsm-name MyHSM --sd-file "{SD_TRANSFER_FILE}" --restore-blobRequired Parameters
This file contains security domain encrypted using SD Exchange file downloaded in security-domain init-recovery command.
Optional Parameters
Name of the HSM. Can be omitted if --id is specified.
Full URI of the HSM.
Do not wait for the long-running operation to finish.
Space-separated password list for --sd-wrapping-keys. CLI will match them in order. Can be omitted if your keys are without password protection.
Indicator if blob is already restored.
The exchange key for security domain.
Space-separated file paths to PEM files containing private keys.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault security-domain wait
Place the CLI in a waiting state until HSM security domain operation is finished.
az keyvault security-domain wait [--hsm-name]
[--id]
[--target-operation {download, restore_blob, upload}]Examples
Pause CLI until the security domain operation is finished.
az keyvault security-domain wait --hsm-name MyHSMOptional Parameters
Name of the HSM. Can be omitted if --id is specified.
Full URI of the HSM.
Target operation that needs waiting.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for