az keyvault security-domain
Manage security domain operations.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az keyvault security-domain download |
Download the security domain file from the HSM. |
Core | GA |
| az keyvault security-domain init-recovery |
Retrieve the exchange key of the HSM. |
Core | GA |
| az keyvault security-domain restore-blob |
Enable to decrypt and encrypt security domain file as blob. Can be run in offline environment, before file is uploaded to HSM using security-domain upload. |
Core | GA |
| az keyvault security-domain upload |
Start to restore the HSM. |
Core | GA |
| az keyvault security-domain wait |
Place the CLI in a waiting state until HSM security domain operation is finished. |
Core | GA |
az keyvault security-domain download
Download the security domain file from the HSM.
az keyvault security-domain download --sd-quorum
--sd-wrapping-keys
--security-domain-file
[--hsm-name]
[--id]
[--no-wait]Examples
Security domain download (N=3, M=2).
az keyvault security-domain download --hsm-name MyHSM --security-domain-file "{SD_FILE_NAME}" --sd-quorum 2 --sd-wrapping-keys "{PEM_PUBLIC_KEY1_FILE_NAME}" "{PEM_PUBLIC_KEY2_FILE_NAME}" "{PEM_PUBLIC_KEY3_FILE_NAME}"Required Parameters
The minimum number of shares required to decrypt the security domain for recovery.
Space-separated file paths to PEM files containing public keys.
Path to a file where the JSON blob returned by this command is stored.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Name of the HSM. Can be omitted if --id is specified.
| Property | Value |
|---|---|
| Parameter group: | HSM Id Arguments |
Full URI of the HSM.
| Property | Value |
|---|---|
| Parameter group: | HSM Id Arguments |
Do not wait for the long-running operation to finish.
| Property | Value |
|---|---|
| Default value: | False |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az keyvault security-domain init-recovery
Retrieve the exchange key of the HSM.
az keyvault security-domain init-recovery --sd-exchange-key
[--hsm-name]
[--id]Examples
Retrieve the exchange key and store it.
az keyvault security-domain init-recovery --hsm-name MyHSM --sd-exchange-key "{PATH_TO_RESTORE}"Required Parameters
Local file path to store the exported key.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Name of the HSM. Can be omitted if --id is specified.
| Property | Value |
|---|---|
| Parameter group: | HSM Id Arguments |
Full URI of the HSM.
| Property | Value |
|---|---|
| Parameter group: | HSM Id Arguments |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az keyvault security-domain restore-blob
Enable to decrypt and encrypt security domain file as blob. Can be run in offline environment, before file is uploaded to HSM using security-domain upload.
az keyvault security-domain restore-blob --sd-exchange-key
--sd-file
--sd-file-restore-blob
--sd-wrapping-keys
[--passwords]Examples
Security domain restore blob.
az keyvault security-domain restore-blob --sd-file "{SD_TRANSFER_FILE}" --sd-exchange-key "{PEM_FILE_NAME}" --sd-wrapping-keys "{PEM_PRIVATE_KEY1_FILE_NAME}" "{PEM_PRIVATE_KEY2_FILE_NAME}" --sd-file-restore-blob "{SD_TRANSFER_FILE_RESTORE_BLOB}"Required Parameters
The exchange key for security domain.
This file contains security domain encrypted using SD Exchange file downloaded in security-domain init-recovery command.
Local file path to store the security domain encrypted with the exchange key.
Space-separated file paths to PEM files containing private keys.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Space-separated password list for --sd-wrapping-keys. CLI will match them in order. Can be omitted if your keys are without password protection.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az keyvault security-domain upload
Start to restore the HSM.
az keyvault security-domain upload --sd-file
[--hsm-name]
[--id]
[--no-wait]
[--passwords]
[--restore-blob]
[--sd-exchange-key]
[--sd-wrapping-keys]Examples
Security domain upload (M=2).
az keyvault security-domain upload --hsm-name MyHSM --sd-file "{SD_TRANSFER_FILE}" --sd-exchange-key "{PEM_FILE_NAME}" --sd-wrapping-keys "{PEM_PRIVATE_KEY1_FILE_NAME}" "{PEM_PRIVATE_KEY2_FILE_NAME}"Security domain upload, in which sd_file is already restored using keyvault security-domain restore-blob command
az keyvault security-domain upload --hsm-name MyHSM --sd-file "{SD_TRANSFER_FILE}" --restore-blobRequired Parameters
This file contains security domain encrypted using SD Exchange file downloaded in security-domain init-recovery command.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Name of the HSM. Can be omitted if --id is specified.
| Property | Value |
|---|---|
| Parameter group: | HSM Id Arguments |
Full URI of the HSM.
| Property | Value |
|---|---|
| Parameter group: | HSM Id Arguments |
Do not wait for the long-running operation to finish.
| Property | Value |
|---|---|
| Default value: | False |
Space-separated password list for --sd-wrapping-keys. CLI will match them in order. Can be omitted if your keys are without password protection.
Indicator if blob is already restored.
| Property | Value |
|---|---|
| Default value: | False |
The exchange key for security domain.
Space-separated file paths to PEM files containing private keys.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az keyvault security-domain wait
Place the CLI in a waiting state until HSM security domain operation is finished.
az keyvault security-domain wait [--hsm-name]
[--id]
[--target-operation {download, restore_blob, upload}]Examples
Pause CLI until the security domain operation is finished.
az keyvault security-domain wait --hsm-name MyHSMOptional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Name of the HSM. Can be omitted if --id is specified.
| Property | Value |
|---|---|
| Parameter group: | HSM Id Arguments |
Full URI of the HSM.
| Property | Value |
|---|---|
| Parameter group: | HSM Id Arguments |
Target operation that needs waiting.
| Property | Value |
|---|---|
| Default value: | upload |
| Accepted values: | download, restore_blob, upload |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
