편집

다음을 통해 공유


Invoke-AzKeyVaultKeyOperation

Performs operation like "Encrypt", "Decrypt", "Wrap" or "Unwrap" using a specified key stored in a key vault or managed hsm.

Syntax

Invoke-AzKeyVaultKeyOperation
      [-Version <String>]
      -Operation <String>
      -Algorithm <String>
      [-ByteArrayValue <Byte[]>]
      [-Name] <String>
      [-VaultName] <String>
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Invoke-AzKeyVaultKeyOperation
      [-Version <String>]
      -Operation <String>
      -Algorithm <String>
      [-ByteArrayValue <Byte[]>]
      [-HsmName] <String>
      [-Name] <String>
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Invoke-AzKeyVaultKeyOperation
      [-Version <String>]
      -Operation <String>
      -Algorithm <String>
      [-ByteArrayValue <Byte[]>]
      [-InputObject] <PSKeyVaultKeyIdentityItem>
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Description

Invoke-AzKeyVaultKeyOperation cmdlet supports

  1. Encrypting an arbitrary sequence of bytes using an encryption key.
  2. Decrypting a single block of encrypted data.
  3. Wrapping a symmetric key using a specified key.
  4. Unwrapping a symmetric key using the specified key that was initially used for wrapping that key.

Examples

Example 1: Encrypts byte array using an encryption key

$byteArray = [Byte[]]@(58, 219)
$encryptedData = Invoke-AzKeyVaultKeyOperation -Operation Encrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $byteArray
$encryptedData

KeyId     : https://bez-kv.vault.azure.net/keys/bez-key/c96ce0fb18de446c9f4b911b686988af
RawResult : {21, 39, 82, 56…}
Algorithm : RSA1_5

Encrypts $byteArray using test-key stored in test-kv.

Example 2: Decrypts byte array using an encryption key

$decryptedData = Invoke-AzKeyVaultKeyOperation -Operation Decrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $encryptedData.RawResult
$decryptedData

KeyId     : https://bez-kv.vault.azure.net/keys/bez-key/c96ce0fb18de446c9f4b911b686988af
RawResult : {58, 219}
Algorithm : RSA1_5

Decrypts $encryptedData.RawResult using test-key stored in test-kv. The $decryptedData.RawResult is same with $byteArray, which is original data.

Example 3: Encrypts plain text using an encryption key

$plainText = "test"
$byteArray = [system.Text.Encoding]::UTF8.GetBytes($plainText)
$encryptedData = Invoke-AzKeyVaultKeyOperation -Operation Encrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $byteArray
$encryptedData

KeyId     : https://test-kv.vault.azure.net/keys/test-key/bd8b77352a2443d4983bd70e9f660bc6
RawResult : {58, 219, 6, 236…}
Algorithm : RSA1_5

Encrypts string "test" using test-key stored in test-kv. The RawResult is the encrypted result in byte array format.

Example 4: Decrypt encrypted data to plain text

$decryptedData = Invoke-AzKeyVaultKeyOperation -Operation Decrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $encryptedData.RawResult
$plainText = [system.Text.Encoding]::UTF8.GetString($decryptedData.RawResult)
$plainText

test

Decrypts encrypted data that is encrypted using test-key stored in test-kv. The RawResult is the decrypted result in byte array format.

Example 5: Wraps a symmetric key using a specified key

$key = "ovQIlbB0DgWhZA7sgkPxbg9H-Ly-VlNGPSgGrrZvlIo"
$byteArray = [system.Text.Encoding]::UTF8.GetBytes($key)
$wrappedResult = Invoke-AzKeyVaultKeyOperation -Operation Wrap -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $byteArray
$wrappedResult | Format-List

KeyId     : https://test-kv.vault.azure.net/keys/test-key/375cdf20252043b79c8ca0c57b6c7679
RawResult : {58, 219, 6, 236…}
Algorithm : RSA1_5

Wraps a symmetric key using key named test-key stored in test-kv. The RawResult is wrapped result in byte array format.

Example 6: Unwraps a symmetric key using a specified key

$unwrappedResult = Invoke-AzKeyVaultKeyOperation -Operation Unwrap -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $wrappedResult.RawResult
$key = [system.Text.Encoding]::UTF8.GetString($unwrappedResult.RawResult)
$key

ovQIlbB0DgWhZA7sgkPxbg9H-Ly-VlNGPSgGrrZvlIo

Unwraps a symmetric key using a specified key test-key stored in test-kv. The RawResult is unwrapped result in byte array format.

Parameters

-Algorithm

Algorithm identifier

Type:String
Aliases:EncryptionAlgorithm, WrapAlgorithm
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-ByteArrayValue

The value to be operated in byte array format.

Type:Byte[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-HsmName

HSM name.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-InputObject

Key object

Type:PSKeyVaultKeyIdentityItem
Aliases:Key
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Name

Key name.

Type:String
Aliases:KeyName
Position:1
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Operation

Algorithm identifier

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-VaultName

Vault name.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Version

Key version.

Type:String
Aliases:KeyVersion
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

PSKeyVaultKeyIdentityItem

Outputs

PSKeyOperationResult