vhsm transit

Learn to manage vHSM's Transit secrets engine

The vhsm transit command manages interactions with vHSM's Transit Secrets Engine, including importing and updating encryption keys.

Usage

vhsm transit <subcommand> [options] [arguments]

Option flags for a given subcommand must be provided after the subcommand but before the arguments.

Subcommands

| Command | Description |
| --- | --- |
| import | Imports a new encryption key into vHSM via the Transit BYOK mechanism. Fails if the key already exists. |
| import-version | Updates an existing key with a new version of the key material. |

Example 1: Import a new RSA key into Transit

vhsm transit import transit/keys/test-key @test-key type=rsa-2048

Output

Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to vHSM transit.
Success!

Example 2: Import a new version of an existing key

vhsm transit import-version transit/keys/test-key @test-key-updated

Output

Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to vHSM transit.
Success!

Options

| Options | Description |
| --- | --- |
| PATH | The path to the transit key to import. Format: <mount>/keys/<key-name>. Use -namespace=<ns> to specify a namespace. |
| KEY | The key material to import, encoded in Standard Base64. If KEY begins with @, it is treated as a file path on disk. |

This command does not have any unique flags and follows standard vHSM CLI conventions. Use vhsm transit import -help for additional details.
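
A pre-flight check for the KEY argument described above, as an added example (not part of the vHSM documentation or CLI): the hypothetical helper check_transit_key confirms that an @file is owner-only and that the material is bare Standard Base64 rather than PEM or URL-safe Base64 before vhsm transit import is run. The owner-only file-mode policy and the tolerance for line breaks are assumptions of this example.

```sh
#!/bin/sh
# Added example, not vHSM code. check_transit_key is a hypothetical helper.
# Returns 0 if KEY looks usable; otherwise prints a reason and returns non-zero.
# Usage: check_transit_key @test-key && \
#        vhsm transit import transit/keys/test-key @test-key type=rsa-2048
check_transit_key() {
    key_arg=$1
    case $key_arg in
        @*)
            file=${key_arg#@}
            [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
            # Assumed policy: key material on disk is owner-only (600 or 400).
            mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
            case $mode in
                *00) ;;
                *) echo "$file has mode $mode, expected owner-only" >&2; return 3 ;;
            esac
            # Assumption: line breaks from wrapped base64 output are ignored.
            data=$(tr -d '\r\n' < "$file")
            ;;
        *)
            # Inline key material ends up in shell history and the process list.
            echo "warning: inline KEY is exposed via history and ps, prefer @file" >&2
            data=$key_arg
            ;;
    esac
    [ -n "$data" ] || { echo "KEY is empty" >&2; return 4; }
    case $data in
        -----BEGIN*) echo "PEM armor found, KEY must be bare Base64" >&2; return 4 ;;
        *[-_]*) echo "URL-safe alphabet found, Standard Base64 required" >&2; return 5 ;;
    esac
    # Standard alphabet, length a multiple of 4, padding only at the end.
    printf '%s\n' "$data" | grep -Eq \
        '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$' \
        || { echo "KEY is not well-formed Standard Base64" >&2; return 6; }
    return 0
}
```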
