Import Key - Import Key

Imports an externally created key, stores it, and returns key parameters and attributes to the client.
The import key operation may be used to import any key type into an Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission.

PUT {vaultBaseUrl}/keys/{key-name}?api-version=7.4

URI Parameters

Name In Required Type Description
key-name
path True

string

Name for the imported key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information.

Regex pattern: ^[0-9a-zA-Z-]+$

vaultBaseUrl
path True

string

The vault name, for example https://myvault.vault.azure.net.

api-version
query True

string

Client API version.

Request Body

Name Required Type Description
key True

JsonWebKey

The Json web key

Hsm

boolean

Whether to import as a hardware key (HSM) or software key.

attributes

KeyAttributes

The key management attributes.

release_policy

KeyReleasePolicy

The policy rules under which the key can be exported.

tags

object

Application specific metadata in the form of key-value pairs.

Responses

Name Type Description
200 OK

KeyBundle

Imported key bundle to the vault.

Other Status Codes

KeyVaultError

Key Vault error response describing why the operation failed.

Examples

Import key

Sample Request

PUT https://myvault.vault.azure.net//keys/ImportSoftKeyTest?api-version=7.4

{
  "key": {
    "kty": "RSA",
    "n": "nKAwarTrOpzd1hhH4cQNdVTgRF-b0ubPD8ZNVf0UXjb62QuAk3Dn68ESThcF7SoDYRx2QVcfoMC9WCcuQUQDieJF-lvJTSer1TwH72NBovwKlHvrXqEI0a6_uVYY5n-soGt7qFZNbwQLdWWA6PrbqTLIkv6r01dcuhTiQQAn6OWEa0JbFvWfF1kILQIaSBBBaaQ4R7hZs7-VQTHGD7J1xGteof4gw2VTiwNdcE8p5UG5b6S9KQwAeET4yB4KFPwQ3TDdzxJQ89mwYVi_sgAIggN54hTq4oEKYJHBOMtFGIN0_HQ60ZSUnpOi87xNC-8VFqnv4rfTQ7nkK6XMvjMVfw",
    "e": "AQAB",
    "d": "GeT1_D5LAZa7qlC7WZ0DKJnOth8kcPrN0urTEFtWCbmHQWkAad_px_VUpGp0BWDDzENbXbQcu4QCCdf4crve5eXt8dVI86OSah-RpEdBq8OFsETIhg2Tmq8MbYTJexoynRcIC62xAaCmkFMmu931gQSvWnYWTEuOPgmD2oE_F-bP9TFlGRc69a6MSbtcSRyFTsd5KsUr40QS4zf2W4kZCOWejyLuxk88SXgUqcJx86Ulc1Ol1KkTBLadvReAZCyCMwKBlNRGw46BU_iK0vK7rTD9fmEd639Gjti6eLpnyQYpnVe8uGgwVU1fHBkAKyapWoEG6VMhMntcrvgukKLIsQ",
    "dp": "ZGnmWx-Nca71z9a9vvT4g02iv3S-3kSgmhl8JST09YQwK8tfiK7nXnNMtXJi2K4dLKKnLicGtCzB6W3mXdLcP2SUOWDOeStoBt8HEBT4MrI1psCKqnBum78WkHju90rBFj99amkP6UeQy5EASAzgmKQu2nUaUnRV0lYP8LHMCkE",
    "dq": "dtpke0foFs04hPS6XYLA5lc7-1MAHfZKN4CkMAofwDqPmRQzCxpDJUk0gMWGJEdU_Lqfbg22Py44cci0dczH36NW3UU5BL86T2_SPPDOuyX7kDscrIJCdowxQCGJHGRBEozM_uTL46wu6UnUIv7m7cuGgodJyZBcdwpo6ziFink",
    "qi": "Y9KD5GaHkAYmAqpOfAQUMr71QuAAaBb0APzMuUvoEYw39PD3_vJeh9HZ15QmJ8zCX10-nlzUB-bWwvK-rGcJXbK4pArilr5MiaYv7e8h5eW2zs2_itDJ6Oebi-wVbMhg7DvUTBbkCvPhhIedE4UlDQmMYP7RhzVVs7SfmkGs_DQ",
    "p": "v1jeCPnuJQM2PW2690Q9KJk0Ulok8VFGjkcHUHVi3orKdy7y_TCIWM6ZGvgFzI6abinzYbTEPKV4wFdMAwvOWmawXj5YrsoeB44_HXJ0ak_5_iP6XXR8MLGXbd0ZqsxvAZyzMj9vyle7EN2cBod6aenI2QZoRDucPvjPwZsZotk",
    "q": "0Yv-Dj6qnvx_LL70lUnKA6MgHE_bUC4drl5ZNDDsUdUUYfxIK4G1rGU45kHGtp-Qg-Uyf9s52ywLylhcVE3jfbjOgEozlSwKyhqfXkLpMLWHqOKj9fcfYd4PWKPOgpzWsqjA6fJbBUMYo0CU2G9cWCtVodO7sBJVSIZunWrAlBc"
  },
  "tags": {
    "purpose": "unit test"
  }
}

Sample Response

{
  "key": {
    "kid": "https://myvault.vault.azure.net/keys/ImportSoftKeyTest/2eb4a15d74184c6f84159c3ca90f0f4b",
    "kty": "RSA",
    "key_ops": [
      "encrypt",
      "decrypt",
      "sign",
      "verify",
      "wrapKey",
      "unwrapKey"
    ],
    "n": "nKAwarTrOpzd1hhH4cQNdVTgRF-b0ubPD8ZNVf0UXjb62QuAk3Dn68ESThcF7SoDYRx2QVcfoMC9WCcuQUQDieJF-lvJTSer1TwH72NBovwKlHvrXqEI0a6_uVYY5n-soGt7qFZNbwQLdWWA6PrbqTLIkv6r01dcuhTiQQAn6OWEa0JbFvWfF1kILQIaSBBBaaQ4R7hZs7-VQTHGD7J1xGteof4gw2VTiwNdcE8p5UG5b6S9KQwAeET4yB4KFPwQ3TDdzxJQ89mwYVi_sgAIggN54hTq4oEKYJHBOMtFGIN0_HQ60ZSUnpOi87xNC-8VFqnv4rfTQ7nkK6XMvjMVfw",
    "e": "AQAB"
  },
  "attributes": {
    "enabled": true,
    "created": 1493942691,
    "updated": 1493942691,
    "recoveryLevel": "Recoverable+Purgeable"
  },
  "tags": {
    "purpose": "unit test"
  }
}

Definitions

Name Description
DeletionRecoveryLevel

Reflects the deletion recovery level currently in effect for keys in the current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only the system can purge the key, at the end of the retention interval.

Error

The key vault server error.

JsonWebKey

As of http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18

JsonWebKeyCurveName

Elliptic curve name. For valid values, see JsonWebKeyCurveName.

JsonWebKeyType

JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40.

KeyAttributes

The attributes of a key managed by the key vault service.

KeyBundle

A KeyBundle consisting of a WebKey plus its attributes.

KeyImportParameters

The key import parameters.

KeyReleasePolicy

The policy rules under which the key can be exported.

KeyVaultError

The key vault error exception.

DeletionRecoveryLevel

Reflects the deletion recovery level currently in effect for keys in the current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only the system can purge the key, at the end of the retention interval.

Name Type Description
CustomizedRecoverable

string

Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge when 7<= SoftDeleteRetentionInDays < 90).This level guarantees the recoverability of the deleted entity during the retention interval and while the subscription is still available.

CustomizedRecoverable+ProtectedSubscription

string

Denotes a vault and subscription state in which deletion is recoverable, immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled when 7<= SoftDeleteRetentionInDays < 90. This level guarantees the recoverability of the deleted entity during the retention interval, and also reflects the fact that the subscription itself cannot be cancelled.

CustomizedRecoverable+Purgeable

string

Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge when 7<= SoftDeleteRetentionInDays < 90). This level guarantees the recoverability of the deleted entity during the retention interval, unless a Purge operation is requested, or the subscription is cancelled.

Purgeable

string

Denotes a vault state in which deletion is an irreversible operation, without the possibility for recovery. This level corresponds to no protection being available against a Delete operation; the data is irretrievably lost upon accepting a Delete operation at the entity level or higher (vault, resource group, subscription etc.)

Recoverable

string

Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered

Recoverable+ProtectedSubscription

string

Denotes a vault and subscription state in which deletion is recoverable within retention interval (90 days), immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled. System wil permanently delete it after 90 days, if not recovered

Recoverable+Purgeable

string

Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days), unless a Purge operation is requested, or the subscription is cancelled. System wil permanently delete it after 90 days, if not recovered

Error

The key vault server error.

Name Type Description
code

string

The error code.

innererror

Error

The key vault server error.

message

string

The error message.

JsonWebKey

As of http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18

Name Type Description
crv

JsonWebKeyCurveName

Elliptic curve name. For valid values, see JsonWebKeyCurveName.

d

string

RSA private exponent, or the D component of an EC private key.

dp

string

RSA private key parameter.

dq

string

RSA private key parameter.

e

string

RSA public exponent.

k

string

Symmetric key.

key_hsm

string

Protected Key, used with 'Bring Your Own Key'.

key_ops

string[]

Supported key operations.

kid

string

Key identifier.

kty

JsonWebKeyType

JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40.

n

string

RSA modulus.

p

string

RSA secret prime.

q

string

RSA secret prime, with p < q.

qi

string

RSA private key parameter.

x

string

X component of an EC public key.

y

string

Y component of an EC public key.

JsonWebKeyCurveName

Elliptic curve name. For valid values, see JsonWebKeyCurveName.

Name Type Description
P-256

string

The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.

P-256K

string

The SECG SECP256K1 elliptic curve.

P-384

string

The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.

P-521

string

The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.

JsonWebKeyType

JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40.

Name Type Description
EC

string

Elliptic Curve.

EC-HSM

string

Elliptic Curve with a private key which is stored in the HSM.

RSA

string

RSA (https://tools.ietf.org/html/rfc3447)

RSA-HSM

string

RSA with a private key which is stored in the HSM.

oct

string

Octet sequence (used to represent symmetric keys)

oct-HSM

string

Octet sequence (used to represent symmetric keys) which is stored the HSM.

KeyAttributes

The attributes of a key managed by the key vault service.

Name Type Description
created

integer

Creation time in UTC.

enabled

boolean

Determines whether the object is enabled.

exp

integer

Expiry date in UTC.

exportable

boolean

Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key.

nbf

integer

Not before date in UTC.

recoverableDays

integer

softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0.

recoveryLevel

DeletionRecoveryLevel

Reflects the deletion recovery level currently in effect for keys in the current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only the system can purge the key, at the end of the retention interval.

updated

integer

Last updated time in UTC.

KeyBundle

A KeyBundle consisting of a WebKey plus its attributes.

Name Type Description
attributes

KeyAttributes

The key management attributes.

key

JsonWebKey

The Json web key.

managed

boolean

True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true.

release_policy

KeyReleasePolicy

The policy rules under which the key can be exported.

tags

object

Application specific metadata in the form of key-value pairs.

KeyImportParameters

The key import parameters.

Name Type Description
Hsm

boolean

Whether to import as a hardware key (HSM) or software key.

attributes

KeyAttributes

The key management attributes.

key

JsonWebKey

The Json web key

release_policy

KeyReleasePolicy

The policy rules under which the key can be exported.

tags

object

Application specific metadata in the form of key-value pairs.

KeyReleasePolicy

The policy rules under which the key can be exported.

Name Type Default Value Description
contentType

string

application/json; charset=utf-8

Content type and version of key release policy

data

string

Blob encoding the policy rules under which the key can be released. Blob must be base64 URL encoded.

immutable

boolean

Defines the mutability state of the policy. Once marked immutable, this flag cannot be reset and the policy cannot be changed under any circumstances.

KeyVaultError

The key vault error exception.

Name Type Description
error

Error

The key vault server error.