transit

The transit command groups subcommands for interacting with Vault's Transit Secrets Engine.

Syntax

Option flags for a given subcommand are provided after the subcommand, but before the arguments.

Examples

To import keys into a mount via the Transit BYOK mechanism, use the vault transit import <path> <key> or vault transit import-version <path> <key> commands:

$ vault transit import transit/keys/test-key @test-key type=rsa-2048
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
Success!

transit import and transit import-version

The transit import and transit import-version commands import the specified key into Transit, via the Transit BYOK mechanism. The former imports this key as a new key, failing if it already exists, whereas the latter will only update an existing key in Transit to a new version of the key material.

This needs access to read the transit mount's wrapping key (at transit/wrapping_key) and the ability to write to either import endpoints (either transit/keys/:name/import or transit/keys/:name/import_version).

Examples

Imports a 2048-bit RSA key as a new key:

Imports a new version of an existing key:

Usage

This command does not have any unique flags and respects core Vault CLI commands. See vault transit import -help for more information.

This command requires two positional arguments:

1. PATH, the path to the transit key to import in the format of <mount>/keys/<key-name>, where <mount> is the path to the mount (using -namespace=<ns> to specify any namespaces), and <key-name> is the desired name of the key.

2. KEY, the key material to import in Standard Base64 encoding (either of a raw key in the case of symmetric keys such as AES, or of the DER encoded format for asymmetric keys such as RSA). If the value for KEY begins with an @, the CLI argument is assumed to be a path to a file on disk to be read.