luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/content/docs/commands/transit/import.mdx
Alexander Scheel 7182949029
Fix transit byok tool, add docs, tests (#19373) 
* Fix Vault Transit BYOK helper argument parsing

This commit fixes the following issues with the importer:

 - More than two arguments were not supported, causing the CLI to error
   out and resulting in a failure to import RSA keys.
 - The @file notation support was not accepted for KEY, meaning
   unencrypted keys had to be manually specified on the CLI.
 - Parsing of additional argument data was done in a non-standard way.
 - Fix parsing of command line options and ensure only relevant
   options are included.

Additionally, some error messages and help text was clarified.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing documentation on Transit CLI to website

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for Transit BYOK vault subcommand

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Appease CI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-27 18:25:38 +00:00

63 lines
2.2 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: transit import and transit import-version - Command
description: |-
The "transit import" and "transit import-version" commands import the
specified key into Transit, via the Transit BYOK mechanism.
---
# transit import and transit import-version
The `transit import` and `transit import-version` commands import the
specified key into Transit, via the [Transit BYOK
mechanism](/vault/docs/secrets/transit#bring-your-own-key-byok). The former
imports this key as a new key, failing if it already exists, whereas the
latter will only update an existing key in Transit to a new version of the
key material.
This needs access to read the transit mount's wrapping key (at
`transit/wrapping_key`) and the ability to write to either import
endpoints (either `transit/keys/:name/import` or
`transit/keys/:name/import_version`).
## Examples
Imports a 2048-bit RSA key as a new key:
```
$ vault transit import transit/keys/test-key @test-key type=rsa-2048
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
Success!
```
Imports a new version of an existing key:
```
$ vault transit import-version transit/keys/test-key @test-key-updated
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
Success!
```
## Usage
This command does not have any unique flags and respects core Vault CLI
commands. See `vault transit import -help` for more information.
This command requires two positional arguments:
1. `PATH`, the path to the transit key to import in the format of
`<mount>/keys/<key-name>`, where `<mount>` is the path to the mount
(using `-namespace=<ns>` to specify any namespaces), and `<key-name>`
is the desired name of the key.
2. `KEY`, the key material to import in Standard Base64 encoding (either
of a raw key in the case of symmetric keys such as AES, or of the DER
encoded format for asymmetric keys such as RSA). If the value for `KEY`
begins with an `@`, the CLI argument is assumed to be a path to a file
on disk to be read.
Reference in a new issue View git blame Copy permalink