CLI Reference - Encryption Keys
This section outlines the CLI commands relevant to Encryption Keys.
General Flags:
--profile, --token: Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token: The universal identity token, Required only for universal_identity authentication
-h, --help: Display help information
--json[=false]: Set output format to JSON
--jq-expression: JQ expression to filter result output
--no-creds-cleanup[=false]: Do not clean local temporary expired creds
assoc-target-item
assoc-target-item
Create an association between a Target and a Classic Key for External KMS Integration
Usage
akeyless assoc-target-item \
--target-name <Target to associate> \
--name <Item to associate> \
--vault-name <Name of the vault used> \
--key-operations <A list of allowed operations for the key> \
--project-id <Project id of the GCP KMS> \
--location-id <Location id of the GCP KMS> \
--keyring-name <Keyring name of the GCP KMS> \
--purpose <Purpose if the key in GCP KMS>
Flags
-t, --target-name: Required, The target to associate
-n, --name: Required, The item to associate
--vault-name: Name of the vault used. (Relevant only for Classic Key and target association. Required for azure targets)
--key-operations: A list of allowed operations for the key. (Relevant only for Classic Key and target association. Required for azure targets)
--project-id: Project id of the GCP KMS. (Relevant only for Classic Key and target association. Required for gcp targets)
--location-id: Location id of the GCP KMS. (Relevant only for Classic Key and target association. Required for gcp targets)
--keyring-name: Keyring name of the GCP KMS. (Relevant only for Classic Key and target association. Required for gcp targets)
--purpose: Purpose if the key in GCP KMS. (Relevant only for Classic Key and target association. Required for gcp targets)
--kms-algorithm: Algorithm of the key in GCP KMS. (Relevant only for Classic Key and target association, Required for gcp targets)
--tenant-secret-type: Set to 'true' to create a multi-region managed key. (Relevant only for Classic Key AWS targets)
--multi-region[=false]: The list of regions in which to create a copy of the key. (Relevant only for Classic Key AWS targets). To specify multiple regions use argument multiple times: --regions us-east-1 --regions us-west-1
--protection-level[=software]: Protection level of the key [software/hardware]. (Relevant only for Classic Key and target association, for gcp targets)
create-classic-key
create-classic-key
Creates a new Classic Key in the current account
Usage
akeyless create-classic-key \
--name <Key Name> \
--alg <Key type> \
--gateway-url <API Gateway URL:8000> \
--generate-self-signed-certificate <True/False> \
--certificate-ttl <Certificate TTL> \
--certificate-common-name <Certificate common name>
--certificate-format <pem / der>
Flags
-n, --name: Required, Classic key name/path.
-a, --alg : Required, Key type; options: [AES128GCM, AES256GCM, AES128SIV, AES256SIV, RSA1024, RSA2048, RSA3072, RSA4096, EC256, EC384, GPG]
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-p, --key-file-path : Path to file with the classic key value provided by user
--key-data: Base64-encoded classic key value provided by user
-c, --cert: Path to a file that contain the certificate in a PEM format.
--cert-file-data: PEM Certificate in a Base64 format.
--gpg-alg: gpg alg: Relevant only if GPG key type selected; options: [RSA1024, RSA2048, RSA3072, RSA4096, Ed25519]
-k, --protection-key-name: The name of the key that protects the classic key value (if empty, the account default key will be used)
--generate-self-signed-certificate[=false]: Whether to generate a self signed certificate with the key. If set, --certificate-ttl must be provided.
--certificate-ttl: TTL in days for the generated certificate. Required only for generate-self-signed-certificate.
--certificate-common-name: Common name for the generated certificate. Relevant only for generate-self-signed-certificate.
--cerificate-format: The format of the returned certificate can be pem or der
--certificate-organization: Organization name for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-country: Country name for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-locality: Locality for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-province: Province name for the generated certificate. Relevant only for generate-self-signed-certificate.
--conf-file-path: Path to the configuration file that contains csr config data
--conf-file-data: The csr config data in base64 encoding
--certificate-format : The format of the returned certificate can be pem or der.
-e, --expiration-event-in : How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use argument multiple times: --expiration-event-in 1 --expiration-event-in 5
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation [true/false]
--rotation-interval: The number of days to wait between every automatic rotation (1-365)
--rotation-event-in: How many days before the rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
create-dfc-key
create-dfc-key
Creates a new DFC key in the current account
Usage
akeyless create-dfc-key \
--name <Key name> \
--alg <Key type> \
--generate-self-signed-certificate <True/False> \
--certificate-ttl <Certificate TTL> \
--certificate-common-name <Certificate common name>
--certificate-format <pem / der>
Flags
-n, --name: Required, DFCKey name
-a, --alg: Required, DFCKey type; options: [AES128GCM, AES256GCM, AES128SIV, AES256SIV, AES128CBC, AES256CBC, RSA1024, RSA2048, RSA3072, RSA4096]
-t, --tag: List of the tags attached to this DFC key. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2
-s, --split-level[=3]: The number of fragments that the item will be split into (not includes customer fragment)
-f, --customer-frg-id: The customer fragment ID that will be used to create the DFC key (if empty, the key will be created independently of a customer fragment)
--generate-self-signed-certificate[=false]: Whether to generate a self signed certificate with the key. If set, --certificate-ttl must be provided.
--certificate-ttl: TTL in days for the generated certificate. Required only for generate-self-signed-certificate.
--certificate-common-name: Common name for the generated certificate. Relevant only for generate-self-signed-certificate.
--cerificate-format: The format of the returned certificate can be pem or der
--certificate-organization: Organization name for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-country: Country name for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-locality: Locality for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-province: Province name for the generated certificate. Relevant only for generate-self-signed-certificate.
--conf-file-path: Path to the configuration file that contains csr config data
--conf-file-data: The csr config data in base64 encoding
--certificate-format : The format of the returned certificate can be pem or der.
-e, --expiration-event-in : How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use argument multiple times: --expiration-event-in 1 --expiration-event-in 5
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation [true/false]
--rotation-interval: The number of days to wait between every automatic rotation (1-365)
--rotation-event-in: How many days before the rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--delete-protection: Protection from accidental deletion of this item, [true/false]
decrypt
decrypt
Decrypts ciphertext into plaintext by using an AES key
Usage
akeyless decrypt \
--key-name <Key Name> \
--display-id <Display id of the key> \
--item-id <Item id of the key>
Flags
-k, --key-name: Required, The name of the key to use in the decryption process.
-d, --display-id: The display id of the key to use in the decryption process
-I, --item-id: The item id of the key to use in the decryption process
-i, --in: Path to the file to be decrypted (base64 encoded)
-o, --out: Path to the output file. If not provided, the output will be printed as text.
-c, --ciphertext: Ciphertext to be decrypted in base64 encoded format, if a file was not provided
-X, --encryption-context: The encryption context. If this was specified in the encrypt command, it must be specified here or the decryption operation will fail
-F, --output-format: If specified, the output will be formatted accordingly. options: [base64]
decrypt-file
decrypt-file
Decrypts a file by using an AES key
Usage
akeyless decrypt-file \
--key-name <key name> \
--in <file to decrypt> \
--out <Path to the output file> \
--display-id <Display id of the key to use in the decryption process> \
--item-id <Item id of the key to use in the encryption process>
Flags
--key-name: Required, The name of the key to use in the decryption process
-d, --display-id: The display id of the key to use in the decryption process
-I, --item-id: The item id of the key to use in the decryption process
-i, --in: Path to the file to be decrypted. If not provided, the content will be taken from stdin
-o, --out: Path to the output file. If not provided, the output will be sent to stdout
-F, --output-format[=base64]: The output will be formatted accordingly. options: [base64, raw]
-X, --encryption-context: The encryption context. If this was specified in the encrypt command, it must be specified here or the decryption operation will fail
-v, --version: key version (relevant only for classic key)
decrypt-gpg
decrypt-gpg
Decrypts the given GPG message using an RSA key
Usage
akeyless decrypt-gpg \
--key-name <Key Name> \
--display-id <Display id of the key> \
--item-id <Item id of the key>
Flags
-k, --key-name: Required, The name of the key to use in the decryption process.
-d, --display-id: The display id of the key to use in the decryption process
-I, --item-id: The item id of the key to use in the decryption process
-i, --in: Path to the file to be decrypted (base64 encoded)
-o, --out: Path to the output file. If not provided, the output will be printed as text.
-c, --ciphertext: Ciphertext to be decrypted in base64 encoded format, if a file was not provided
-N, --input-format[=base64]: Select default assumed format for the ciphertext. Currently supported options: [base64,raw]
-p, --passphrase: Passphrase to decrypt the message
-F, --output-format: If specified, the output will be formatted accordingly. options: [base64]
decrypt-pkcs1
decrypt-pkcs1
Decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5
Usage
akeyless decrypt-pkcs1 \
--key-name <Key Name> \
--ciphertext <Ciphertxt to decrypt> \
--display-id <Display id of the key> \
--item-id <Item id of the key>
Flags
-k, --key-name: Required, The name of the key to use in the decryption process
-d, --display-id: The display id of the key to use in the decryption process
-I, --item-id: The item id of the key to use in the decryption process
-c, --ciphertext: Required, Ciphertext to be decrypted in base64 encoded format
-F, --output-format: If specified, the output will be formatted accordingly. options: [base64]
encrypt
encrypt
Encrypts plaintext into ciphertext by using an AES key
Usage
akeyless encrypt \
--key-name <Key name> \
--display-id <Display id of the key to use in the encryption process \
--item-id <Item id of the key to use in the encryption process> \
--in <Path to the file to be encrypted in base64 format>
Flags
-k, --key-name: The name of the key to use in the encryption process
-d, --display-id: The display id of the key to use in the encryption process
-I, --item-id: The item id of the key to use in the encryption process
-i, --in: Path to the file to be encrypted in base64 format
-o, --out: Path to the output file. If not provided, the output will be printed as base64
-p, --plaintext: Data to be encrypted, if a file was not provided
-X, --encryption-context: name-value pair that specifies the encryption context to be used for authenticated encryption. If used here, the same value must be supplied to the decrypt command or decryption will fail
-F, --input-format: If specified, the plaintext input is assumed to be formatted accordingly. Current supported options: [base64]
encrypt-file
encrypt-file
Encrypts a file by using an AES key
Usage
akeyless encrypt-file \
--key-name <Key Name> \
--in <File to be encrypted> \
--out <Output file> \
--display-id <Display id of the key>
Flags
-k, --key-name: Required, The name of the key to use in the encryption process
-d, --display-id: The display id of the key to use in the encryption process
-I, --item-id: The item id of the key to use in the encryption process
-i, --in: Required, Path to the file to be encrypted. If not provided, the content will be taken from stdin
-o, --out: Required, Path to the output file. If not provided, the output will be sent to stdout
-F, --output-format[=base64]: The output will be formatted accordingly. options: [base64, raw]
-X, --encryption-context: name-value pair that specifies the encryption context to be used for authenticated encryption. If used here, the same value must be supplied to the decrypt command or decryption will fail
encrypt-gpg
encrypt-gpg
Encrypts the given message with GPG using an RSA key
Usage
akeyless encrypt-gpg \
--key-name <Key name> \
--display-id <Display id of the key> \
--item-id <Item id of the key> \
--in <Path to the file to be encrypted in base64 format>
Flags
-k, --key-name: Required, The name of the key to use in the encryption process
-d, --display-id: The display id of the key to use in the encryption process
-I, --item-id: The item id of the key to use in the encryption process
-i, --in: Path to the file to be encrypted in base64 format
-o, --out: Path to the output file. If not provided, the output will be printed as base64
-p, --plaintext: Data to be encrypted, if a file was not provided
-F, --input-format: If specified, the plaintext input is assumed to be formatted accordingly. Current supported options: [base64]
encrypt-pkcs1
encrypt-pkcs1
Encrypts the given message with RSA and the padding scheme from PKCS#1 v1.5
Usage
akeyless encrypt-pkcs1 \
--key-name <key Name> \
--plaintext <Data to encrypt> \
--display-id <Display id of the key> \
--item-id <Item id of the key>
Flags
-k, --key-name: Required,The name of the key to use in the encryption process
-d, --display-id: The display id of the key to use in the encryption process
-I, --item-id: The item id of the key to use in the encryption process
-p, --plaintext: Required, Data to be encrypted
export-classic-key
export-classic-key
Returns the Classic Key material
Usage
akeyless export-classic-key \
--name <Key name> \
--version <Key version> \
--gateway-url <API Gateway URL:8000>
Flags
-n, --name: Required, Classic key name
-v, --version: Classic key version
--export-public-key[=false]: Export only the public key
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--ignore-cache[=false]: Retrieve the Secret value without checking the Gateway's cache. This flag is only relevant when using the RestAPI
gateway-download-customer-fragments
gateway-download-customer-fragments
Download gateway customer fragments
Usage
akeyless gateway-download-customer-fragments \
--file-folder <path to download to> \
--gateway-url <API Gateway URL:8000>
gen-customer-fragment
gen-customer-fragment
Generates Customer Fragment
Usage
akeyless gen-customer-fragment \
--name <CF-Name> \
--type <standard/hsm_wrapped/hsm_secured> \
--hsm-key-label <Key-1> \
--description <Customer Fragment Description>
Flags
-n, --name: Customer Fragment name
-t, --type[=standard]: Customer fragment type [standard/hsm_wrapped/hsm_secured]
-k, --hsm-key-label: The label of the hsm key to use for customer fragment operations (relevant for hsm_wrapped/hsm_secured customer fragments)
get-rsa-public
get-rsa-public
Obtain the public key from a specific RSA private key
Usage
akeyless get-rsa-public --name <Key name>
Flags
-n, --name: Required, Name of RSA key to extract the public key from
hmac
hmac
Generates a hash-based message authentication code (HMAC) for a message, using an HMAC algorithm
Usage
akeyless hmac \
--key-name <Key name> \
--display-id <Display id of the key> \
--item-id <Item id of the key>
Flags
-k, --key-name: Required, The name of the key to use in the encryption process
-d, --display-id: The display id of the key to use in the encryption process
-I, --item-id: The item id of the key to use in the encryption process
-i, --in: Path to the input file
-o, --out: Path to the output file. If not provided, the output will be printed as base64
-p, --plaintext: Data to perform hmac on, if a file was not provided
-f, --hash-function[=sha-256]: Hash function sha-256,sha-512
-F, --input-format: Select the default assumed format for any plaintext input. Currently supported options: [base64]
refresh-key
refresh-key
Refresh a key in the current account
Usage
akeyless refresh-key --name <Key name>
Flags
-n, --name: Required, Key name
rotate-key
rotate-key
Rotates an existing key, by creating a new version of the key
Usage
akeyless rotate-key \
--name <Key name> \
--gateway-url <API Gateway URL:8000> \
--new-key-data <The new value of the key, base64 encoded>
Flags
-n, --name: Required, Key name
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port). Relevant only for Classic Key.
--new-key-data: The new value of the key, base64 encoded. Relevant only for Classic Key provided by the user (BYOK).
set-item-state
set-item-state
Set an item's state (Enabled, Disabled)
Usage
akeyless set-item-state \
--name <Item name> \
--desired-state [Enabled, Disabled]
Flags
-n, --name: Required, Current item name
-s, --desired-state: Required, Desired item state [Enabled, Disabled]
--version[=0]: The specific version you want to update: 0=item level state (default)
sign-ecdsa
sign-ecdsa
Calculates the signature of a given message using ECDSA and a sha hash algorithm matching the key size
Usage
akeyless sign-ecdsa \
--message <Input message> \
--key-name <Key name> \
--display-id <Display id of the RSA key> \
--item-id <Item id of the RSA key>
Flags
-k, --key-name: The name of the EC key to use for the signing process
-d, --display-id: The display id of the EC key to use for the signing process
-I, --item-id: The item id of the key EC to use for the signing process
--version: The version of the key to use for signing
--prehashed: Markes that the message is already hashed
-m, --message: (Mandatory) The input message to sign in a base64 format
sign-gpg
sign-gpg
Calculates the signature of a message using GPG from an RSA key
Usage
akeyless sign-gpg \
--key-name <RSA key> \
--message <Message to sign> \
--display-id <Display id of the key> \
--item-id <Item id of the key>
Flags
-k, --key-name: Required, The name of the RSA key to use in the signing process
-d, --display-id: The display id of the key to use in the signing process
-I, --item-id: The item id of the key to use in the signing process
-m, --message: Required, The message to be signed
-p, --passphrase: Passphrase to decrypt the message
sign-pkcs1
sign-pkcs1
Calculates the signature of hashed using RSASSA-PKCS1-V1_5-SIGN from RSA PKCS#1 v1.5
Usage
akeyless sign-pkcs1 \
--key-name <RSA key > \
--message <Message to sign> \
--display-id <Display id of the key> \
--item-id <Item id of the key>
Flags
-k, --key-name: Required, The name of the RSA key to use in the signing process
-d, --display-id: The display id of the key to use in the signing process
-I, --item-id: The item id of the key to use in the signing process
--version: The version of the key to use for signing
-f, --hash-function[=sha-256]: Hash function [sha-256,sha-384,sha-512]
--prehashed: Markes that the message is already hashed
-F, --input-format: Select default assumed format for the message input. Currently supported options: [base64]
-m, --message: Required, The message to be signed
sign-rsassa-pss
sign-rsassa-pss
Calculates the signature of a given message using rsassa-pss
Usage
akeyless sign-rsassa-pss \
--message <Input message> \
--key-name <Key name> \
--display-id <Display id of the RSA key> \
--item-id <Item id of the RSA key>
Flags
-k, --key-name: The name of the RSA key to use for the signing process
-d, --display-id: The display id of the RSA key to use for the signing process
-I, --item-id: The item id of the RSA key to use for the signing process
--version: The version of the key to use for signing
-f, --hash-function[=sha-256]: Hash function sha-256,sha-384,sha-512
-m, --message: (Mandatory) The input message to sign in a base64 format
--prehashed: Markes that the message is already hashed
update-classic-key-certificate
update-classic-key-certificate
Update the certificate for a classic key
Usage
akeyless update-classic-key-certificate \
--name <Classic key name> \
--gateway-url <API Gateway URL:8000> \
--cert-file-path <path/to/cert/file> \
--cert-file-data <PEM Certificate in a Base64 format>
Flags
-n, --name: (Mandatory) Classic key name
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-c, --cert-file-path: Path to a file that contains the certificate in a PEM format
--cert-file-data: PEM Certificate in a Base64 format
--certificate-format: The format of the returned certificate [pem/der]
update-rotation-settings
update-rotation-settings
Updates rotation settings of an existing key
Usage
akeyless update-rotation-settings \
--name <Key name> \
--auto-rotate <True/False>
Flags
-n, --name: Required, Key name
-r, --auto-rotate[=false]: Required, [true/false] Sets automatic rotation to be enabled or disabled, if enabled rotation will be triggered periodically based on --rotation-interval
--rotation-interval: The number of days to wait between every automatic key rotation (7-365)
--rotation-event-in : How many days before the rotation of the item would you like to be notified. To specify multiple events, use argument multiple times:--rotation-event-in 1 --rotation-event-in 5
upload-pkcs12
upload-pkcs12
Upload a PKCS#12 key and certificates
Usage
akeyless upload-pkcs12 \
--name <Key name> \
--in <Input file (private key and certificate only> \
--passphrase <Passphrase> \
--description <Key description>
Flags
-n, --name: Required, Name of key to be created
-i, --in: Required, PKCS#12 input file (private key and certificate only)
-p, --passphrase: Required, Passphrase to unlock the pkcs#12 bundle
--description: Key description
-t, --tag: List of the tags attached to this key. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
-s, --split-level[=2]: The number of fragments that the item will be split into
-f, --customer-frg-id: The customer fragment ID that will be used to split the key (if empty, the key will be created independently of a customer fragment)
-c, --cert: Path to a file that contain the certificate in a PEM format. If this is not empty, the certificate will be taken from here and not from the PKCS#12 input file
--delete-protection[=false]: Protection from accidental deletion of this item, [true/false]
upload-rsa
upload-rsa
Upload RSA key
Usage
akeyless upload-rsa \
--name <Key Name> \
--alg <Key type> \
--rsa-key-file-path <RSA private key file path> \
--rsa-key-data <RSA private key data, base64 encoded> \
--cert <Certificate in a PEM format> \
--cert-file-data <PEM Certificate in a Base64 format>
Flags
-n, --name: Required, Name of key to be created
-a, --alg: Required, Key type. options: [RSA1024, RSA2048, RSA3072, RSA4096]
-p, --rsa-key-file-path: RSA private key file path.
--rsa-key-data: RSA private key data, base64 encoded
-c, --cert: Path to a file that contain the certificate in a PEM format
--cert-file-data: PEM Certificate in a Base64 format
--description: Key description
-t, --tag: List of the tags attached to this key. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
-s, --split-level[=2]: The number of fragments that the item will be split into
-f, --customer-frg-id: The customer fragment ID that will be used to split the key (if empty, the key will be created independently of a customer fragment)
--overwrite[=false]: When the overwrite flag is set, this command will only update an existing key. [true, false]
--delete-protection: Protection from accidental deletion of this item, [true/false]
verify-ecdsa
verify-ecdsa
Verifies an ECDSA signature using a sha hash algorithm matching the key size
Usage
akeyless verify-rsassa-pss \
--message <Input message> \
--signature <messages signature> \
--key-name <Key name> \
--display-id <Display id of the RSA key> \
--item-id <Item id of the RSA key>
Flags
-k, --key-name: The name of the EC key to use for the verification process
-d, --display-id: The display id of the key EC to use for the verification process
-I, --item-id: The item id of the EC key to use for the verification process
-m, --message: (Mandatory) The input message to sign in a base64 format
-s, --signature: (Mandatory) The message's signature
verify-gpg
verify-gpg
Verifies a GPG based on RSA signature
Usage
akeyless verify-gpg \
--key-name <RSA Key> \
--signature <message signature> \
--message <message to verify> \
--display-id <Display id of the key> \
--item-id <Item id of the key>
Flags
-k, --key-name: The name of the RSA key to use in the verification process
-d, --display-id: The display id of the key to use in the verification process
-I, --item-id: The item id of the key to use in the verification process
-m, --message: Required, The message to be verified.
-s, --signature: Required, The message's signature.
-p, --passphrase: Passphrase to decrypt the message
verify-pkcs1
verify-pkcs1
Verifies an RSA PKCS#1 v1.5 signature
Usage
akeyless verify-pkcs1 \
--key-name <RSA Key> \
--message <message to verify> \
--signature <message signature> \
--display-id <Display id of the key> \
--item-id <Item id of the key>
Flags
-k, --key-name: Required, The name of the RSA key to use in the verification process
-d, --display-id: The display id of the key to use in the verification process
-I, --item-id: The item id of the key to use in the verification process
-m, --message: Required, The message to be verified.
-s, --signature: Required, The message's signature.
verify-rsassa-pss
verify-rsassa-pss
Verifies an rsassa-pss signature
Usage
akeyless verify-rsassa-pss \
--message <Input message> \
--signature <messages signature> \
--key-name <Key name> \
--display-id <Display id of the RSA key> \
--item-id <Item id of the RSA key>
Flags
-k, --key-name: The name of the RSA key to use for the verification process
-d, --display-id: The display id of the RSA key to use for the verification process
-I, --item-id: The item id of the RSA key to use for the verification process
-f, --hash-function[=sha-256]: Hash function [sha-256,sha-384,sha-512]
-m, --message:(Mandatory) The input message to sign in a base64 format
-s, --signature: (Mandatory) The message's signature
Tokenization
create-tokenizer
create-tokenizer
Creates a new tokenizer
Usage
akeyless create-tokenizer \
--name <Tokenizer name> \
--tokenizer-type <Tokenizer type> \
--template-type <SSN,CreditCard,USPhoneNumber,Custom> \
--tweak-type <Supplied, Generated, Internal, Masking>
akeyless create-tokenizer \
--name *<Tokenizer name> \
--tokenizer-type *<vaultless> \
--template-type *<SSN,CreditCard,USPhoneNumber,Custom> \
--tweak-type <Supplied, Generated, Internal, Masking> \
--alphabet <Symbols to use for tokenization> \
--pattern <A regexp pattern to extract tokenized parts> \
--encoding-template <An expression to alter the template of the encryption output> \
--decoding-template <An expression to alter the template of the decryption output>
Flags
-n, --name: Required, Tokenizer name
-y, --tokenizer-type[=vaultless]: Required, Tokenizer type(vaultless)
-T, --template-type: Required, Which template type this tokenizer is used for [SSN,CreditCard,USPhoneNumber,Custom]
--encryption-key-name: AES key name to use in vaultless tokenization
--tweak-type: The tweak type to use in vaultless tokenization [Supplied, Generated, Internal, Masking]
--alphabet: Alphabet to use in custom vaultless tokenization, such as '0123456789' for credit cards.
--pattern: Pattern to use in custom vaultless tokenization
--encoding-template: The Encoding output template to use in custom vaultless tokenization
--decoding-template: The Decoding output template to use in custom vaultless tokenization
--description: Tokenizer description
--tag: List of the tags attached to this key. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
detokenize
detokenize
Decrypts text with a tokenizer
Usage
akeyless detokenize \
--tokenizer-name <Tokenizer name> \
--ciphertext <Data to be decrypted> \
--tweak <Base64-encoded tweak value that was used for encryption>
Flags
-n, --tokenizer-name: Required, The name of the tokenizer to use in the decryption process
-c, --ciphertext: Required, Data to be decrypted
--tweak: Base64 encoded tweak for vaultless encryption
tokenize
tokenize
Encrypts text with a tokenizer
Usage
akeyless tokenize \
--tokenizer-name <Tokenizer name> \
--plaintext <Data to be encrypted> \
--tweak <Base64-encoded tweak value
Flags
-n, --tokenizer-name : Required, The name of the tokenizer to use in the encryption process
-p, --plaintext: Required, Data to be encrypted
--tweak: Base64 encoded tweak for vaultless encryption
Updated about 1 month ago