# transit

The `transit` command groups subcommands for interacting with Vault's Transit Secrets Engine.

### Syntax

Option flags for a given subcommand are provided after the subcommand, but before the arguments.

### Examples

To import keys into a mount via the Transit BYOK mechanism, use the `vault transit import <path> <key>` or `vault transit import-version <path> <key>` commands:

```shell-session
$ vault transit import transit/keys/test-key @test-key type=rsa-2048
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
Success!
```

## transit import and transit import-version

The `transit import` and `transit import-version` commands import the specified key into Transit, via the Transit BYOK mechanism. The former imports this key as a new key, failing if it already exists, whereas the latter will only update an existing key in Transit to a new version of the key material.

These commands need permission to read the transit mount's wrapping key (at `transit/wrapping_key`) and to write to one of the import endpoints (`transit/keys/:name/import` or `transit/keys/:name/import_version`).

### Examples

Imports a 2048-bit RSA key as a new key:

```shell-session
$ vault transit import transit/keys/test-key @test-key type=rsa-2048
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
Success!
```

Imports a new version of an existing key:

```shell-session
$ vault transit import-version transit/keys/test-key @test-key-updated
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
Success!
```

### Usage

This command does not have any unique flags and respects core Vault CLI commands. See `vault transit import -help` for more information.

This command requires two positional arguments:

1. `PATH`, the path to the transit key to import in the format of `<mount>/keys/<key-name>`, where `<mount>` is the path to the mount (using `-namespace=<ns>` to specify any namespaces), and `<key-name>` is the desired name of the key.
2. `KEY`, the key material to import in Standard Base64 encoding (either of a raw key in the case of symmetric keys such as AES, or of the DER encoded format for asymmetric keys such as RSA). If the value for `KEY` begins with an `@`, the CLI argument is assumed to be a path to a file on disk to be read.
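
A pre-flight check for the two positional arguments described above, as an added example that is not part of the Vault CLI or of this documentation. The function names, the owner-only file-mode check, and the rule that a key name contains no `/` are assumptions of this example; the asymmetric check relies on DER-encoded keys beginning with the SEQUENCE tag `0x30`, and the symmetric check takes the expected raw length (for instance 32 bytes for a 256-bit AES key).

```shell
#!/bin/sh
# Added example (not part of the Vault CLI): pre-flight checks for the PATH
# and KEY arguments of `vault transit import` / `import-version`.

# check_path PATH: succeeds if PATH has the form <mount>/keys/<key-name>.
# Assumption of this example: a key name never contains "/".
check_path() {
  case "$1" in */keys/*) ;; *) return 1 ;; esac
  mount=${1%/keys/*}      # everything before the last "/keys/"
  name=${1##*/keys/}      # everything after it
  [ -n "$mount" ] && [ -n "$name" ] || return 1
  case "$name" in */*) return 1 ;; esac
}

# check_key_file FILE KIND [BYTES]: FILE is what follows "@" in the KEY
# argument. KIND is "symmetric" (raw key, BYTES long once decoded) or
# "asymmetric" (DER, which begins with the SEQUENCE tag 0x30).
check_key_file() {
  file=$1 kind=$2 want=${3:-0}
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  # The file holds plaintext key material: owner-only access expected.
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
    { echo "$file is accessible to group/other" >&2; return 1; }
  b64=$(tr -d '\r\n' < "$file")
  # Standard Base64 alphabet only: rejects PEM armor and URL-safe Base64.
  case "$b64" in
    ''|*[!A-Za-z0-9+/=]*) echo "not Standard Base64" >&2; return 1 ;;
  esac
  [ $(( ${#b64} % 4 )) -eq 0 ] || { echo "bad Base64 length" >&2; return 1; }
  case "$kind" in
    symmetric)
      got=$(printf %s "$b64" | base64 -d | wc -c | tr -d ' ')
      [ "$got" -eq "$want" ] ||
        { echo "decoded to $got bytes, want $want" >&2; return 1; } ;;
    asymmetric)
      tag=$(printf %s "$b64" | base64 -d | od -An -tx1 -N1 | tr -d ' \n')
      [ "$tag" = "30" ] || { echo "not DER (PEM or raw key?)" >&2; return 1; } ;;
    *) echo "KIND must be symmetric or asymmetric" >&2; return 2 ;;
  esac
}

# Typical use before the import shown in the examples above:
#   check_path transit/keys/test-key &&
#     check_key_file test-key asymmetric &&
#     vault transit import transit/keys/test-key @test-key type=rsa-2048
```

A PEM file fails the alphabet check because of its `-----BEGIN` armor, which is the most common reason a key file is rejected before it is ever wrapped.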

