transit import and transit import-version
The transit import and transit import-version commands import the specified key into Transit, via the Transit BYOK mechanism. The former imports this key as a new key, failing if it already exists, whereas the latter will only update an existing key in Transit to a new version of the key material.
This needs access to read the transit mount's wrapping key (at transit/wrapping_key) and the ability to write to one of the import endpoints (either transit/keys/:name/import or transit/keys/:name/import_version).
Examples
Imports a 2048-bit RSA key as a new key:
Imports a new version of an existing key:
Usage
This command does not have any unique flags and respects core Vault CLI commands. See vault transit import -help for more information.
This command requires two positional arguments:

PATH: the path to the transit key to import, in the format <mount>/keys/<key-name>, where <mount> is the path to the mount (using -namespace=<ns> to specify any namespace) and <key-name> is the desired name of the key.

KEY: the key material to import in Standard Base64 encoding (either of the raw key in the case of symmetric keys such as AES, or of the DER-encoded format for asymmetric keys such as RSA). If the value for KEY begins with an @, the CLI argument is assumed to be a path to a file on disk to be read.
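The two positional arguments are easy to get wrong (a PEM file is not the Standard Base64 of the DER, and the path must be <mount>/keys/<key-name>). The following helper, an added example that is not Vault's own code, validates PATH, converts a PEM private key or a raw symmetric key into the base64 form KEY expects, and assembles the CLI invocation; it uses only the Python standard library, the PEM below is a constructed stand-in whose body is a minimal DER SEQUENCE rather than a real key, and the `vault` binary is only invoked from `main`, never from the helpers.

```python
"""Prepare arguments for `vault transit import` / `import-version` (added example)."""
import base64
import re
import subprocess

# Constructed PEM: the body decodes to DER bytes 30 03 02 01 00 (an ASN.1
# SEQUENCE), enough to exercise the armor stripping; it is not a usable key.
SAMPLE_PEM = "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"

# PATH must have the shape <mount>/keys/<key-name>; the mount may contain slashes.
_PATH_RE = re.compile(r"^(?P<mount>[^/]+(?:/[^/]+)*)/keys/(?P<name>[^/]+)$")


def parse_key_path(path: str) -> tuple[str, str]:
    """Return (mount, key-name) for a well-formed PATH, else raise ValueError."""
    m = _PATH_RE.match(path)
    if not m:
        raise ValueError(f"expected <mount>/keys/<key-name>, got {path!r}")
    return m.group("mount"), m.group("name")


def is_valid_key_path(path: str) -> bool:
    try:
        parse_key_path(path)
        return True
    except ValueError:
        return False


def pem_to_standard_base64(pem_text: str) -> str:
    """Standard base64 of the DER inside a PEM block (armor and newlines removed)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("input is not a PEM block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der or der[0] != 0x30:  # DER key structures start with an ASN.1 SEQUENCE tag
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return base64.b64encode(der).decode("ascii")


def raw_key_to_standard_base64(raw: bytes) -> str:
    """Symmetric keys (e.g. AES) are passed as base64 of the raw key bytes."""
    return base64.b64encode(raw).decode("ascii")


def build_import_argv(path, key_arg, new_version=False, namespace=None):
    """Assemble argv; key_arg is base64 text or '@<file>' to read from disk."""
    mount, name = parse_key_path(path)  # fail before touching Vault on a bad PATH
    argv = ["vault", "transit", "import-version" if new_version else "import"]
    if namespace:
        argv.append(f"-namespace={namespace}")
    return argv + [f"{mount}/keys/{name}", key_arg]


if __name__ == "__main__":
    argv = build_import_argv("transit/keys/test-key", pem_to_standard_base64(SAMPLE_PEM))
    subprocess.run(argv, check=True)  # requires a reachable Vault with a transit mount
```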