New-AzCosmosDbClientEncryptionKey

Reference

Module:: Az.CosmosDB

Creates a new CosmosDB Client Encryption Key.

Syntax

PowerShell

New-AzCosmosDbClientEncryptionKey
   -ResourceGroupName <String>
   -AccountName <String>
   -DatabaseName <String>
   -Name <String>
   -EncryptionAlgorithmName <String>
   -KeyWrapMetadata <PSSqlKeyWrapMetadata>
   [-KeyEncryptionKeyResolver <IKeyEncryptionKeyResolver>]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

PowerShell

New-AzCosmosDbClientEncryptionKey
   -Name <String>
   -EncryptionAlgorithmName <String>
   -KeyWrapMetadata <PSSqlKeyWrapMetadata>
   [-KeyEncryptionKeyResolver <IKeyEncryptionKeyResolver>]
   -SqlDatabaseObject <PSSqlDatabaseGetResults>
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The New-AzCosmosDbClientEncryptionKey creates a new CosmosDB Client Encryption Key.

Examples

Example 1

PowerShell

$myKeyWrapMetadataObject = [Microsoft.Azure.Commands.CosmosDB.Models.PSSqlKeyWrapMetadata]::new([Microsoft.Azure.Management.CosmosDB.Models.KeyWrapMetadata]::new("myKekV1","AZURE_KEY_VAULT", "https://contoso.vault.azure.net/keys/myKekV1/78deebed173b48e48f55abf87ed4cf71", "RSA-OAEP"))
New-AzCosmosDbClientEncryptionKey -AccountName myAccountName -DatabaseName myDatabaseName -ResourceGroupName myRgName -Name myClientEncryptionKeyName -EncryptionAlgorithmName "AEAD_AES_256_CBC_HMAC_SHA256" -KeyWrapMetadata $myKeyWrapMetadataObject

Name     : myContainerName
Id       : /subscriptions/mySubscriptionId/resourceGroups/myRgName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/sqlDatabases/myDatabaseName/clientEncryptionKeys/myClientEncryptionKeyName
Resource : Microsoft.Azure.Commands.CosmosDB.Models.PSSqlClientEncryptionKeyGetPropertiesResource

This example shows how a new key is created. If KeyEncryptionKeyResolver is not passed Azure Key Vault KeyResolver is used by default. The first command creates a KeyWrapMetadata object with name myKekV1 of type AZURE_KEY_VAULT with value set to key id https://contoso.vault.azure.net/keys/myKekV1/78deebed173b48e48f55abf87ed4cf71 and algorithm type "RSA-OAEP" used to encrypt the key. In the second command a new key is created with name as set in myClientEncryptionKeyName variable and with KeyWrapMetadata set to value returned by first command.

Example 2

PowerShell

$myKeyWrapMetadataObject = [Microsoft.Azure.Commands.CosmosDB.Models.PSSqlKeyWrapMetadata]::new([Microsoft.Azure.Management.CosmosDB.Models.KeyWrapMetadata]::new("myKekV1","AZURE_KEY_VAULT", "https://contoso.vault.azure.net/keys/myKekV1/78deebed173b48e48f55abf87ed4cf71", "RSA-OAEP"))
$azureKeyVaultKeyResolver = [Azure.Security.KeyVault.Keys.Cryptography.KeyResolver]::new([Azure.Identity.DefaultAzureCredential]::new())
New-AzCosmosDbClientEncryptionKey -AccountName myAccountName -DatabaseName myDatabaseName -ResourceGroupName myRgName -Name myClientEncryptionKeyName -EncryptionAlgorithmName "AEAD_AES_256_CBC_HMAC_SHA256" -KeyWrapMetadata $myKeyWrapMetadataObject -KeyEncryptionKeyResolver $azureKeyVaultKeyResolver

Name     : myContainerName
Id       : /subscriptions/mySubscriptionId/resourceGroups/myRgName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/sqlDatabases/myDatabaseName/clientEncryptionKeys/myClientEncryptionKeyName
Resource : Microsoft.Azure.Commands.CosmosDB.Models.PSSqlClientEncryptionKeyGetPropertiesResource

This example shows how a new key is created and how KeyEncryptionKeyResolver can be passed as a parameter. The first command creates a KeyWrapMetadata object with name myKekV1 of type AZURE_KEY_VAULT with value set to key id https://contoso.vault.azure.net/keys/myKekV1/78deebed173b48e48f55abf87ed4cf71 and algorithm type "RSA-OAEP" used to encrypt the key. The second command creates a Azure Key Vault KeyResolver object using the Azure Default credentials. In the third command a new key is created with name as set in myClientEncryptionKeyName variable, KeyWrapMetadata set to value returned by first command and KeyEncryptionKeyResolver value set to KeyResolver object obtained via the second command.

Parameters

-AccountName

Name of the Cosmos DB database account.

Type:	String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:	SwitchParameter
Aliases:	cf
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-DatabaseName

Database name.

Type:	String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:	IAzureContextContainer
Aliases:	AzContext, AzureRmContext, AzureCredential
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-EncryptionAlgorithmName

Client Encryption Algorithm name.

Type:	String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-KeyEncryptionKeyResolver

IKeyEncryptionKeyResolver interface of type Azure.Core.Cryptography.IKeyEncryptionKeyResolver

Type:	IKeyEncryptionKeyResolver
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-KeyWrapMetadata

KeyWrapMetaData Object of type Microsoft.Azure.Commands.CosmosDB.PSSqlKeyWrapMetadata.

Type:	PSSqlKeyWrapMetadata
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-Name

Client Encryption Key name.

Type:	String
Aliases:	ClientEncryptionKeyName
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-ResourceGroupName

Name of resource group.

Type:	String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-SqlDatabaseObject

Sql Database object.

Type:	PSSqlDatabaseGetResults
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:	SwitchParameter
Aliases:	wi
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

Inputs

PSSqlKeyWrapMetadata

Byte[]

Microsoft.Data.Encryption.Cryptography.EncryptionKeyStoreProvider

PSSqlDatabaseGetResults

Outputs

PSSqlClientEncryptionKeyGetResults

ConflictingResourceException

Share via

New-AzCosmosDbClientEncryptionKey

Syntax

Description

Examples

Example 1

Example 2

Parameters

-AccountName

-Confirm

-DatabaseName

-DefaultProfile

-EncryptionAlgorithmName

-KeyEncryptionKeyResolver

-KeyWrapMetadata

-Name

-ResourceGroupName

-SqlDatabaseObject

-WhatIf

Inputs

Outputs

Additional resources

Share via

New-AzCosmosDbClientEncryptionKey

Syntax

Description

Examples

Example 1

Example 2

Parameters

-AccountName

-Confirm

-DatabaseName

-DefaultProfile

-EncryptionAlgorithmName

-KeyEncryptionKeyResolver

-KeyWrapMetadata

-Name

-ResourceGroupName

-SqlDatabaseObject

-WhatIf

Inputs

Outputs

Related Links

Additional resources