az keyvault security-domain

Manage security domain operations.

Commands

az keyvault security-domain download

Download the security domain file from the HSM.

az keyvault security-domain init-recovery

Retrieve the exchange key of the HSM that is to be restored. The security domain is encrypted to this key for upload.

az keyvault security-domain upload

Upload the security domain to start restoring the HSM.

az keyvault security-domain wait

Place the CLI in a waiting state until HSM security domain operation is finished.

az keyvault security-domain download

Download the security domain file from the HSM.

az keyvault security-domain download --sd-quorum
                                     --sd-wrapping-keys
                                     --security-domain-file
                                     [--hsm-name]
                                     [--id]
                                     [--subscription]

Examples

Security domain download with N=3 wrapping keys and a quorum of M=2.

az keyvault security-domain download --hsm-name MyHSM --security-domain-file "{SD_FILE_NAME}" --sd-quorum 2 --sd-wrapping-keys "{PEM_PUBLIC_KEY1_FILE_NAME}" "{PEM_PUBLIC_KEY2_FILE_NAME}" "{PEM_PUBLIC_KEY3_FILE_NAME}"

Required Parameters

--sd-quorum

The minimum number of shares required to decrypt the security domain for recovery. Must be at least 2 and no more than the number of keys passed to --sd-wrapping-keys.

--sd-wrapping-keys

Space-separated paths to PEM files containing RSA public keys (at least 3, at most 10). The security domain is wrapped to these keys; restoring it later requires the matching private keys of at least --sd-quorum of them. Keep the private keys offline and with separate custodians.

--security-domain-file

Path to a file where the JSON blob returned by this command is stored.

Optional Parameters

--hsm-name

Name of the HSM. Can be omitted if --id is specified.

--id

Id of the HSM.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault security-domain init-recovery

Retrieve the exchange key of the HSM that is to be restored. The security domain is encrypted to this key for upload.

az keyvault security-domain init-recovery --sd-exchange-key
                                          [--hsm-name]
                                          [--id]
                                          [--subscription]

Examples

Retrieve the exchange key and store it.

az keyvault security-domain init-recovery --hsm-name MyHSM --sd-exchange-key "{PATH_TO_RESTORE}"

Required Parameters

--sd-exchange-key

Local file path to store the exported key.

Optional Parameters

--hsm-name

Name of the HSM. Can be omitted if --id is specified.

--id

Id of the HSM.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault security-domain upload

Upload the security domain to start restoring the HSM.

az keyvault security-domain upload --sd-exchange-key
                                   --sd-file
                                   --sd-wrapping-keys
                                   [--hsm-name]
                                   [--id]
                                   [--no-wait]
                                   [--passwords]
                                   [--subscription]

Examples

Security domain upload with a quorum of M=2 private keys.

az keyvault security-domain upload --hsm-name MyHSM --sd-file "{SD_TRANSFER_FILE}" --sd-exchange-key "{PEM_FILE_NAME}" --sd-wrapping-keys "{PEM_PRIVATE_KEY1_FILE_NAME}" "{PEM_PRIVATE_KEY2_FILE_NAME}"

Required Parameters

--sd-exchange-key

Path to the exchange key PEM file retrieved with az keyvault security-domain init-recovery.

--sd-file

Path to the security domain file produced by az keyvault security-domain download. The CLI unwraps it locally with the private wrapping keys, re-encrypts it to the exchange key from init-recovery, and uploads the result, so run this command on a trusted host.

--sd-wrapping-keys

Space-separated paths to PEM files containing the private keys matching the public keys used at download time; as many as the quorum chosen at download time (M=2 in the example).

Optional Parameters

--hsm-name

Name of the HSM. Can be omitted if --id is specified.

--id

Id of the HSM.

--no-wait

Do not wait for the long-running operation to finish.

--passwords

Space-separated password list for --sd-wrapping-keys. The CLI matches them to the keys in order. Can be omitted if your keys are not password protected. Passwords given on the command line are visible in shell history and process listings.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault security-domain wait

Place the CLI in a waiting state until HSM security domain operation is finished.

az keyvault security-domain wait [--hsm-name]
                                 [--id]
                                 [--subscription]

Examples

Pause CLI until the security domain operation is finished.

az keyvault security-domain wait --hsm-name MyHSM

Optional Parameters

--hsm-name

Name of the HSM. Can be omitted if --id is specified.

--id

Id of the HSM.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
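The four commands on this page form one procedure: download the security domain from the source HSM with N public keys and quorum M, then on the target HSM retrieve the exchange key, upload the security domain with M private keys, and wait. The script below is an added example, not part of the Azure CLI or the Azure documentation: it wraps that procedure and performs the checks the CLI does not do for you before any command runs (key count against quorum, that each file is the expected kind of PEM key, that an existing security domain file is not overwritten). The HSM names MyHSM and TargetHSM, the file names, the SD_DEMO and RUN variables and the helper names are assumptions made for the example; the PEM check looks at headers only and is not a cryptographic validation.

```shell
#!/bin/sh
# Added example, not Azure CLI code: wrapper around az keyvault security-domain
# download / init-recovery / upload / wait with pre-flight checks.
# Assumptions: HSM names MyHSM/TargetHSM, file names, SD_DEMO and RUN flags.
set -eu

# Documented service limits: 3 to 10 RSA wrapping keys, quorum of at least 2
# that cannot exceed the key count.
SD_MIN_KEYS=3
SD_MAX_KEYS=10
SD_MIN_QUORUM=2

# sd_check_quorum N M: succeed only if N keys with quorum M is acceptable.
sd_check_quorum() {
    [ "$1" -ge "$SD_MIN_KEYS" ] && [ "$1" -le "$SD_MAX_KEYS" ] &&
    [ "$2" -ge "$SD_MIN_QUORUM" ] && [ "$2" -le "$1" ]
}

# pem_is FILE KIND: FILE is readable and holds a PEM block whose header names
# KIND ("PUBLIC" or "PRIVATE"). Catches private keys handed to download or
# public keys handed to upload.
pem_is() {
    [ -r "$1" ] && grep -q -e "-----BEGIN.*$2 KEY-----" -- "$1"
}

# run_az ARGS...: print the az command line, or execute it when RUN=1.
run_az() {
    if [ "${RUN:-0}" = 1 ]; then
        az "$@"
    else
        printf 'az'; printf ' %s' "$@"; printf '\n'
    fi
}

# sd_gen_keys N PREFIX: N RSA-2048 key pairs via openssl, PREFIX-i.pem
# (private, mode 0600) and PREFIX-i.pub.pem (public). Hand each private key
# to a different custodian: any M of them plus the security domain file can
# restore the HSM contents elsewhere.
sd_gen_keys() {
    i=1
    while [ "$i" -le "$1" ]; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$2-$i.pem" 2>/dev/null
        chmod 600 "$2-$i.pem"
        openssl pkey -in "$2-$i.pem" -pubout -out "$2-$i.pub.pem"
        i=$((i + 1))
    done
}

# sd_download_cmd HSM SD_FILE QUORUM PUBKEY...: download the security domain
# of HSM wrapped to the given public keys, after validating the inputs.
sd_download_cmd() {
    hsm=$1; sd_file=$2; quorum=$3; shift 3
    sd_check_quorum "$#" "$quorum" ||
        { echo "bad key count or quorum: N=$# M=$quorum" >&2; return 1; }
    for k in "$@"; do
        pem_is "$k" PUBLIC || { echo "not a PEM public key: $k" >&2; return 1; }
    done
    [ ! -e "$sd_file" ] || { echo "refusing to overwrite $sd_file" >&2; return 1; }
    run_az keyvault security-domain download --hsm-name "$hsm" \
        --security-domain-file "$sd_file" --sd-quorum "$quorum" \
        --sd-wrapping-keys "$@"
}

# sd_restore HSM SD_FILE EXCHANGE_KEY QUORUM PRIVKEY...: fetch the target
# HSM's exchange key, upload the security domain with exactly QUORUM private
# keys (as in the upload example on this page), then wait for completion.
sd_restore() {
    hsm=$1; sd_file=$2; xkey=$3; quorum=$4; shift 4
    [ -r "$sd_file" ] || { echo "missing security domain file: $sd_file" >&2; return 1; }
    [ "$#" -eq "$quorum" ] || { echo "need exactly $quorum private keys, got $#" >&2; return 1; }
    for k in "$@"; do
        pem_is "$k" PRIVATE || { echo "not a PEM private key: $k" >&2; return 1; }
    done
    run_az keyvault security-domain init-recovery --hsm-name "$hsm" \
        --sd-exchange-key "$xkey"
    run_az keyvault security-domain upload --hsm-name "$hsm" --sd-file "$sd_file" \
        --sd-exchange-key "$xkey" --sd-wrapping-keys "$@" --no-wait
    run_az keyvault security-domain wait --hsm-name "$hsm"
}

# Worked run (SD_DEMO=1): 3 keys, quorum 2, source MyHSM, target TargetHSM.
# Without RUN=1 it only prints the az command lines it would execute.
if [ "${SD_DEMO:-0}" = 1 ]; then
    sd_gen_keys 3 sdkey
    sd_download_cmd MyHSM sd-MyHSM.json 2 sdkey-1.pub.pem sdkey-2.pub.pem sdkey-3.pub.pem
    sd_restore TargetHSM sd-MyHSM.json TargetHSM-exchange.pem 2 sdkey-1.pem sdkey-2.pem
fi
```

Run with `SD_DEMO=1 sh sd.sh` to see the three stages as printed command lines, and `SD_DEMO=1 RUN=1 sh sd.sh` to execute them against a logged-in az session. The upload is issued with --no-wait and followed by an explicit wait so that a long-running restore can be monitored or resumed separately; dropping --no-wait and the wait call is equivalent.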