mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-10 08:37:00 +02:00
Code Issues Projects Releases Wiki Activity
04e75372fb
vault/website/content/docs/commands/transform/import.mdx

63 lines
2.2 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: transform import and transform import-version - Command
description: |-
The "transform import" and "transform import-version" commands import the
specified key into Transform, via the Transform BYOK mechanism.
---
# transform import and transform import-version
The `transform import` and `transform import-version` commands import the
specified key into Transform, via the [Transform BYOK
mechanism](/vault/docs/secrets/transform#bring-your-own-key-byok). The former
imports this key as a new key, failing if it already exists, whereas the
latter will only update an existing key in Transform to a new version of the
key material.
This needs access to read the transform mount's wrapping key (at
`transform/wrapping_key`) and the ability to write to either import
endpoints (either `transform/keys/:name/import` or
`transform/keys/:name/import_version`).
## Examples
Imports a 2048-bit RSA key as a new key:
```
$ vault transform import transform/keys/test-key @test-key type=rsa-2048
Retrieving transform wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transform wrapping key.
Submitting wrapped key to Vault transform.
Success!
```
Imports a new version of an existing key:
```
$ vault transform import-version transform/keys/test-key @test-key-updated
Retrieving transform wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transform wrapping key.
Submitting wrapped key to Vault transform.
Success!
```
## Usage
This command does not have any unique flags and respects core Vault CLI
commands. See `vault transform import -help` for more information.
This command requires two positional arguments:
1. `PATH`, the path to the transform key to import in the format of
`<mount>/keys/<key-name>`, where `<mount>` is the path to the mount
(using `-namespace=<ns>` to specify any namespaces), and `<key-name>`
is the desired name of the key.
2. `KEY`, the key material to import in Standard Base64 encoding (either
of a raw key in the case of symmetric keys such as AES, or of the DER
encoded format for asymmetric keys such as RSA). If the value for `KEY`
begins with an `@`, the CLI argument is assumed to be a path to a file
on disk to be read.
Reference in New Issue View Git Blame Copy Permalink