transit
The transit command groups subcommands for interacting with Vault's Transit Secrets Engine.
Syntax
Option flags for a given subcommand are provided after the subcommand, but before the arguments.
Examples
To import keys into a mount via the Transit BYOK mechanism, use the vault transit import <path> <key> or vault transit import-version <path> <key> commands:
$ vault transit import transit/keys/test-key @test-key type=rsa-2048
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
Success!transit import and transit import-version
The transit import and transit import-version commands import the specified key into Transit, via the Transit BYOK mechanism. The former imports this key as a new key, failing if it already exists, whereas the latter will only update an existing key in Transit to a new version of the key material.
This needs access to read the transit mount's wrapping key (at transit/wrapping_key) and the ability to write to either import endpoints (either transit/keys/:name/import or transit/keys/:name/import_version).
Examples
Imports a 2048-bit RSA key as a new key:
Imports a new version of an existing key:
Usage
This command does not have any unique flags and respects core Vault CLI commands. See vault transit import -help for more information.
This command requires two positional arguments:
PATH, the path to the transit key to import in the format of<mount>/keys/<key-name>, where<mount>is the path to the mount (using-namespace=<ns>to specify any namespaces), and<key-name>is the desired name of the key.KEY, the key material to import in Standard Base64 encoding (either of a raw key in the case of symmetric keys such as AES, or of the DER encoded format for asymmetric keys such as RSA). If the value forKEYbegins with an@, the CLI argument is assumed to be a path to a file on disk to be read.
Last updated