Invoke-AzKeyVaultKeyOperation
Performs operation like "Encrypt", "Decrypt", "Wrap" or "Unwrap" using a specified key stored in a key vault or managed hsm.
Syntax
Invoke-AzKeyVaultKeyOperation
[-Version <String>]
-Operation <String>
-Algorithm <String>
[-Value <SecureString>]
[-ByteArrayValue <Byte[]>]
[-Name] <String>
[-VaultName] <String>
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Invoke-AzKeyVaultKeyOperation
[-Version <String>]
-Operation <String>
-Algorithm <String>
[-Value <SecureString>]
[-ByteArrayValue <Byte[]>]
[-HsmName] <String>
[-Name] <String>
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Invoke-AzKeyVaultKeyOperation
[-Version <String>]
-Operation <String>
-Algorithm <String>
[-Value <SecureString>]
[-ByteArrayValue <Byte[]>]
[-InputObject] <PSKeyVaultKeyIdentityItem>
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Description
Invoke-AzKeyVaultKeyOperation cmdlet supports
- Encrypting an arbitrary sequence of bytes using an encryption key.
- Decrypting a single block of encrypted data.
- Wrapping a symmetric key using a specified key.
- Unwrapping a symmetric key using the specified key that was initially used for wrapping that key.
Examples
Example 1: Encrypts byte array using an encryption key
$byteArray = [Byte[]]@(58, 219)
$encryptedData = Invoke-AzKeyVaultKeyOperation -Operation Encrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $byteArray
$encryptedData
KeyId : https://bez-kv.vault.azure.net/keys/bez-key/c96ce0fb18de446c9f4b911b686988af
RawResult : {21, 39, 82, 56…}
Algorithm : RSA1_5Encrypts $byteArray using test-key stored in test-kv.
Example 2: Decrypts byte array using an encryption key
$decryptedData = Invoke-AzKeyVaultKeyOperation -Operation Decrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $encryptedData.RawResult
$decryptedData
KeyId : https://bez-kv.vault.azure.net/keys/bez-key/c96ce0fb18de446c9f4b911b686988af
RawResult : {58, 219}
Algorithm : RSA1_5Decrypts $encryptedData.RawResult using test-key stored in test-kv. The $decryptedData.RawResult is same with $byteArray, which is original data.
Example 3: Encrypts plain text using an encryption key
$encryptedData = Invoke-AzKeyVaultKeyOperation -Operation Encrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -Value (ConvertTo-SecureString -String "test" -AsPlainText -Force)
$encryptedData
KeyId : https://test-kv.vault.azure.net/keys/test-key/bd8b77352a2443d4983bd70e9f660bc6
RawResult : {58, 219, 6, 236…}
Algorithm : RSA1_5Encrypts string "test" using test-key stored in test-kv. The RawResult is the encrypted result in byte array format, where [System.Convert]::ToBase64String($encryptedData.RawResult) equals $encryptedData.Result.
Example 4: Decrypt encrypted data to plain text
$decryptedData = Invoke-AzKeyVaultKeyOperation -Operation Decrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $encryptedData.RawResult
$decryptedData
KeyId : https://bez-kv.vault.azure.net/keys/bez-key/c96ce0fb18de446c9f4b911b686988af
RawResult : $byteArray
Algorithm : RSA1_5Decrypts encrypted data that is encrypted using test-key stored in test-kv. The $decryptedData.Result is test. The RawResult is the decrypted result in byte array format, where [System.Text.UTF8Encoding]::UTF8.GetString($decryptedData.RawResult) equals $decryptedData.Result.
Example 5: Wraps a symmetric key using a specified key
$wrappedResult = Invoke-AzKeyVaultKeyOperation -Operation Wrap -Algorithm RSA1_5 -VaultName test-kv -Name test-key -Value (ConvertTo-SecureString -String "ovQIlbB0DgWhZA7sgkPxbg9H-Ly-VlNGPSgGrrZvlIo" -AsPlainText -Force)
$wrappedResult | Format-List
KeyId : https://test-kv.vault.azure.net/keys/test-key/375cdf20252043b79c8ca0c57b6c7679
RawResult : {58, 219, 6, 236…}
Algorithm : RSA1_5Wraps a symmetric key using key named test-key stored in test-kv. The Result is wrapped result in Base64 string format.
Example 6: Unwraps a symmetric key using a specified key
Invoke-AzKeyVaultKeyOperation -Operation Unwrap -Algorithm RSA1_5 -VaultName test-kv -Name test-key -Value (ConvertTo-SecureString -String $result.Result -AsPlainText -Force)
KeyId : https://test-kv.vault.azure.net/keys/test-key/375cdf20252043b79c8ca0c57b6c7679
RawResult : {58, 219, 6, 236…}
Algorithm : RSA1_5Unwraps a symmetric key using a specified key test-key stored in test-kv. The Result is a plain string.
Parameters
-Algorithm
Algorithm identifier
| Type: | String |
| Aliases: | EncryptionAlgorithm, WrapAlgorithm |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ByteArrayValue
The value to be operated in byte array format.
| Type: | Byte[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
| Type: | IAzureContextContainer |
| Aliases: | AzContext, AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-HsmName
HSM name.
| Type: | String |
| Position: | 0 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-InputObject
Key object
| Type: | PSKeyVaultKeyIdentityItem |
| Aliases: | Key |
| Position: | 0 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Name
Key name.
| Type: | String |
| Aliases: | KeyName |
| Position: | 1 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Operation
Algorithm identifier
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Value
The value to be operated. This parameter will be converted to byte array in UTF-8 encoding way. If your value can't be encoded by UTF-8, please use parameter ByteArrayValue as its alternative.
| Type: | SecureString |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-VaultName
Vault name.
| Type: | String |
| Position: | 0 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Version
Key version.
| Type: | String |
| Aliases: | KeyVersion |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
Outputs
Azure PowerShell
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for