--- layout: docs page_title: transform import and transform import-version - Command description: |- The "transform import" and "transform import-version" commands import the specified key into Transform, via the Transform BYOK mechanism. --- # transform import and transform import-version The `transform import` and `transform import-version` commands import the specified key into Transform, via the [Transform BYOK mechanism](/vault/docs/secrets/transform#bring-your-own-key-byok). The former imports this key as a new key, failing if it already exists, whereas the latter will only update an existing key in Transform to a new version of the key material. This needs access to read the transform mount's wrapping key (at `transform/wrapping_key`) and the ability to write to either import endpoints (either `transform/keys/:name/import` or `transform/keys/:name/import_version`). ## Examples Imports a 2048-bit RSA key as a new key: ``` $ vault transform import transform/keys/test-key @test-key type=rsa-2048 Retrieving transform wrapping key. Wrapping source key with ephemeral key. Encrypting ephemeral key with transform wrapping key. Submitting wrapped key to Vault transform. Success! ``` Imports a new version of an existing key: ``` $ vault transform import-version transform/keys/test-key @test-key-updated Retrieving transform wrapping key. Wrapping source key with ephemeral key. Encrypting ephemeral key with transform wrapping key. Submitting wrapped key to Vault transform. Success! ``` ## Usage This command does not have any unique flags and respects core Vault CLI commands. See `vault transform import -help` for more information. This command requires two positional arguments: 1. `PATH`, the path to the transform key to import in the format of `/keys/`, where `` is the path to the mount (using `-namespace=` to specify any namespaces), and `` is the desired name of the key. 2. `KEY`, the key material to import in Standard Base64 encoding (either of a raw key in the case of symmetric keys such as AES, or of the DER encoded format for asymmetric keys such as RSA). If the value for `KEY` begins with an `@`, the CLI argument is assumed to be a path to a file on disk to be read.