az keyvault security-domain
Manage security domain operations.
Commands
| az keyvault security-domain download |
Download the security domain file from the HSM. |
| az keyvault security-domain init-recovery |
Retrieve the exchange key of the HSM. |
| az keyvault security-domain upload |
Start to restore the HSM. |
| az keyvault security-domain wait |
Place the CLI in a waiting state until HSM security domain operation is finished. |
az keyvault security-domain download
Download the security domain file from the HSM.
az keyvault security-domain download --sd-quorum
--sd-wrapping-keys
--security-domain-file
[--hsm-name]
[--id]
[--subscription]Examples
Security domain download (N=3, M=2).
az keyvault security-domain download --hsm-name MyHSM --security-domain-file "{SD_FILE_NAME}" --sd-quorum 2 --sd-wrapping-keys "{PEM_PUBLIC_KEY1_FILE_NAME}" "{PEM_PUBLIC_KEY2_FILE_NAME}" "{PEM_PUBLIC_KEY3_FILE_NAME}"Required Parameters
The minimum number of shares required to decrypt the security domain for recovery.
Space-separated file paths to PEM files containing public keys.
Path to a file where the JSON blob returned by this command is stored.
Optional Parameters
Name of the HSM. Can be omitted if --id is specified.
Id of the HSM.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault security-domain init-recovery
Retrieve the exchange key of the HSM.
az keyvault security-domain init-recovery --sd-exchange-key
[--hsm-name]
[--id]
[--subscription]Examples
Retrieve the exchange key and store it.
az keyvault security-domain init-recovery --hsm-name MyHSM --sd-exchange-key "{PATH_TO_RESTORE}"Required Parameters
Local file path to store the exported key.
Optional Parameters
Name of the HSM. Can be omitted if --id is specified.
Id of the HSM.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault security-domain upload
Start to restore the HSM.
az keyvault security-domain upload --sd-exchange-key
--sd-file
--sd-wrapping-keys
[--hsm-name]
[--id]
[--no-wait]
[--passwords]
[--subscription]Examples
Security domain upload (M=2).
az keyvault security-domain upload --hsm-name MyHSM --sd-file "{SD_TRANSFER_FILE}" --sd-exchange-key "{PEM_FILE_NAME}" --sd-wrapping-keys "{PEM_PRIVATE_KEY1_FILE_NAME}" "{PEM_PRIVATE_KEY2_FILE_NAME}"Required Parameters
The exchange key for security domain.
This file contains security domain encrypted using SD Exchange file downloaded in security-domain init-recovery command.
Space-separated file paths to PEM files containing private keys.
Optional Parameters
Name of the HSM. Can be omitted if --id is specified.
Id of the HSM.
Do not wait for the long-running operation to finish.
Space-separated password list for --sd-wrapping-keys. CLI will match them in order. Can be omitted if your keys are without password protection.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault security-domain wait
Place the CLI in a waiting state until HSM security domain operation is finished.
az keyvault security-domain wait [--hsm-name]
[--id]
[--subscription]Examples
Pause CLI until the security domain operation is finished.
az keyvault security-domain wait --hsm-name MyHSMOptional Parameters
Name of the HSM. Can be omitted if --id is specified.
Id of the HSM.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.