Backup-AzKeyVaultSecret

Module:: Az.KeyVault Module

Backs up a secret in a key vault.

Syntax

BySecretName (Default)

Backup-AzKeyVaultSecret
    [-VaultName] <String>
    [-Name] <String>
    [[-OutputFile] <String>]
    [-Force]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

BySecretUri

Backup-AzKeyVaultSecret
    [-Id] <String>
    [[-OutputFile] <String>]
    [-Force]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

BySecret

Backup-AzKeyVaultSecret
    [-InputObject] <PSKeyVaultSecretIdentityItem>
    [[-OutputFile] <String>]
    [-Force]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

The Backup-AzKeyVaultSecret cmdlet backs up a specified secret in a key vault by downloading it and storing it in a file. If there are multiple versions of the secret, all versions are included in the backup. Because the downloaded content is encrypted, it cannot be used outside of Azure Key Vault. You can restore a backed-up secret to any key vault in the subscription that it was backed up from. Typical reasons to use this cmdlet are:

You want to escrow a copy of your secret, so that you have an offline copy in case you accidentally delete your secret in your key vault.
You added a secret to a key vault and now want to clone the secret into a different Azure region, so that you can use it from all instances of your distributed application. Use the Backup-AzKeyVaultSecret cmdlet to retrieve the secret in encrypted format and then use the Restore-AzKeyVaultSecret cmdlet and specify a key vault in the second region. (Note that the regions must belong to the same geography.)

Examples

Example 1: Back up a secret with an automatically generated file name

Backup-AzKeyVaultSecret -VaultName 'MyKeyVault' -Name 'MySecret'

C:\Users\username\mykeyvault-mysecret-1527029447.01191

This command retrieves the secret named MySecret from the key vault named MyKeyVault and saves a backup of that secret to a file that is automatically named for you, and displays the file name.

Example 2: Back up a secret to a specified file name, overwriting the existing file without prompting

Backup-AzKeyVaultSecret -VaultName 'MyKeyVault' -Name 'MySecret' -OutputFile 'C:\Backup.blob' -Force

C:\Backup.blob

This command retrieves the secret named MySecret from the key vaultnamed MyKeyVault and saves a backup of that secret to a file named Backup.blob.

Example 3: Back up a secret previously retrieved to a specified file name

$secret = Get-AzKeyVaultSecret -VaultName 'MyKeyVault' -Name 'MySecret'
Backup-AzKeyVaultSecret -Secret $secret -OutputFile 'C:\Backup.blob'

C:\Backup.blob

This command uses the $secret object's vault name and name to retrieves the secret and saves its backup to a file named Backup.blob.

Example 4: Back up a secret with an automatically generated file name (using Uri)

Backup-AzKeyVaultSecret -Id 'https://MyKeyVault.vault.azure.net:443/secrets/MySecret'

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:	SwitchParameter
Default value:	False
Supports wildcards:	False
DontShow:	False
Aliases:	cf

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Parameter properties

Type:	IAzureContextContainer
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Force

Prompts you for confirmation before overwriting the output file, if that exists.

Parameter properties

Type:	SwitchParameter
Default value:	False
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Id

The URI of the KeyVault Secret. Please ensure it follows the format: https://<vault-name>.vault.azure.net/secrets/<secret-name>/<version>

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	SecretId

Parameter sets

BySecretUri

Position:	0
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-InputObject

Secret to be backed up, pipelined in from the output of a retrieval call.

Parameter properties

Type:	PSKeyVaultSecretIdentityItem
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	Secret

Parameter sets

BySecret

Position:	0
Mandatory:	True
Value from pipeline:	True
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Name

Specifies the name of the secret to back up.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	SecretName

Parameter sets

BySecretName

Position:	1
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-OutputFile

Specifies the output file in which the backup blob is stored. If you do not specify this parameter, this cmdlet generates a file name for you. If you specify the name of an existing output file, the operation will not complete and returns an error message that the backup file already exists.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	2
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-VaultName

Specifies the name of the key vault that contains the secret to back up.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

BySecretName

Position:	0
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:	SwitchParameter
Default value:	False
Supports wildcards:	False
DontShow:	False
Aliases:	wi

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Share via

Backup-AzKeyVaultSecret

Syntax

BySecretName (Default)

BySecretUri

BySecret

Description

Examples

Example 1: Back up a secret with an automatically generated file name

Example 2: Back up a secret to a specified file name, overwriting the existing file without prompting

Example 3: Back up a secret previously retrieved to a specified file name

Example 4: Back up a secret with an automatically generated file name (using Uri)

Parameters

-Confirm

Parameter properties

Parameter sets

-DefaultProfile

Parameter properties

Parameter sets

-Force

Parameter properties

Parameter sets

-Id

Parameter properties

Parameter sets

-InputObject

Parameter properties

Parameter sets

-Name

Parameter properties

Parameter sets

-OutputFile

Parameter properties

Parameter sets

-VaultName

Parameter properties

Parameter sets

-WhatIf

Parameter properties

Parameter sets

CommonParameters

Inputs

PSKeyVaultSecretIdentityItem

Outputs

String

Related Links

Feedback