# CLI Reference - Encryption Keys

## Encryption Keys

### create-key

Create a new encryption key.

#### Usage

```shell
akeyless create-key -n <Path/to/Key> -a <algorithm>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-n, --name` | Key name/path. |
| `-a, --alg` | Algorithm type: AES128GCM, AES256GCM, AES128SIV, AES256SIV, RSA1024, RSA2048. |

#### Optional Parameters

| Parameter | Description |
|---|---|
| `-m, --metadata` | Metadata about the key. |
| `-t, --tag` | List of the tags attached to this key. To specify multiple tags, use the argument multiple times: `-t Tag1 -t Tag2`. |
| `-s, --split-level` | The number of fragments that the item will be split into (not including the customer fragment). Default is 2. |
| `-f, --customer-frg-id` | The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment). |
| `--delete-protection[=false]` | Protection from accidental deletion of a secret. Possible values: true, false. To delete a protected secret, run the `update-item` command with the `--item-protected false` parameter. |

### create-classic-key

Creates a classic key.

#### Usage

```shell
akeyless create-classic-key -n <Path/to/Key> -a <algorithm>
```

#### Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| `-n, --name` | **Y** | Classic key name. |
| `-a, --alg` | **Y** | Key type. Options: AES128GCM, AES256GCM, AES128SIV, AES256SIV, RSA1024, RSA2048, RSA3072, RSA4096, EC256, EC384. |
| `-u, --gateway-url[=http://localhost:8000]` | | Akeyless Gateway URL (with the Configuration Management port). |
| `-p, --key-file-path` | | Path to a file with the classic key value provided by the user. |
| `--key-data` | | Base64-encoded classic key value provided by the user. |
| `-c, --cert` | | Path to a file that contains the certificate in PEM format. |
| `--cert-file-data` | | PEM certificate in Base64 format. |
| `-m, --metadata` | | Metadata about the classic key. |
| `-t, --tag` | | List of tags attached to this secret. To specify multiple tags, use the argument multiple times: `-t Tag1 -t Tag2`. |
| `-k, --protection-key-name` | | The name of the key that protects the classic key value (if empty, the account default key will be used). |
| `--delete-protection` | | Protection from accidental deletion of this item. Possible values: true, false. |
| `--profile, --token` | | Use a specific profile (located at `$HOME/.akeyless/profiles`) or a temporary access token. |
| `--uid-token` | | The universal identity token. Required only for `universal_identity` authentication. |

### create-dfc-key

Creates a DFC key.

#### Usage

```shell
akeyless create-dfc-key -n <Path/to/Key> -a <algorithm>
```

#### Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| `-n, --name` | **Y** | DFC key name. |
| `-a, --alg` | **Y** | DFC key type. Options: AES128GCM, AES256GCM, AES128SIV, AES256SIV, RSA1024, RSA2048, RSA3072, RSA4096. |
| `-m, --metadata` | | Metadata about the DFC key. |
| `-t, --tag` | | List of tags attached to this DFC key. To specify multiple tags, use the argument multiple times: `-t Tag1 -t Tag2`. |
| `-s, --split-level[=2]` | | The number of fragments that the item will be split into (not including a customer fragment). |
| `-f, --customer-frg-id` | | The customer fragment ID that will be used to create the DFC key (if empty, the key will be created without a customer fragment). |
| `--delete-protection` | | Protection from accidental deletion of this item. Possible values: true, false. |
| `--profile, --token` | | Use a specific profile (located at `$HOME/.akeyless/profiles`) or a temporary access token. |
| `--uid-token` | | The universal identity token. Required only for `universal_identity` authentication. |

### rotate-key

Rotates an existing key, creating a new version of it.

#### Usage

```shell
akeyless rotate-key -n <Path/to/Key>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-n, --name` | Key name/path. |

#### Optional Parameters

| Parameter | Description |
|---|---|
| `--auto-rotate` | Whether to rotate automatically every `--rotation-interval` days, or to disable an existing automatic rotation. |
| `--rotation-interval` | The number of days to wait between automatic key rotations (7-365). |

### get-rsa-public

Obtains the public key from a specific RSA private key.

#### Usage

```shell
akeyless get-rsa-public -n <RSA_private_Key_name>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-n, --name` | Name of the RSA key to extract the public key from. |

### upload-pkcs12

Uploads a PKCS#12 key and certificates.

#### Usage

```shell
akeyless upload-pkcs12 -n <Path/to/Key> --in <location/of/pkcs12>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-n, --name` | Name of the key to be created. |
| `-i, --in` | PKCS#12 input file (private key and certificate only). |
| `-p, --passphrase` | The passphrase to unlock the PKCS#12 bundle. |

#### Optional Parameters

| Parameter | Description |
|---|---|
| `-m, --metadata` | Metadata about the key. |
| `-t, --tag` | List of the tags attached to this key. To specify multiple tags, use the argument multiple times: `-t Tag1 -t Tag2`. |
| `-s, --split-level` | The number of fragments that the item will be split into (not including the customer fragment). Default is 2. |
| `-f, --customer-frg-id` | The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment). |
| `-c, --cert` | Path to a file that contains the certificate in PEM format. If this parameter is not empty, the certificate is taken from this file rather than from the PKCS#12 input file. |
| `--delete-protection[=false]` | Protection from accidental deletion of a secret. Possible values: true, false. To delete a protected secret, run the `update-item` command with the `--item-protected false` parameter. |

### upload-rsa

Uploads an RSA key.

#### Usage

```shell
akeyless upload-rsa -n <Path/to/Key> -a <algorithm> -p <Path/to/RSA/private/key>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-n, --name` | Name of the key to be created. |
| `-a, --alg` | Key type. Options: RSA1024, RSA2048. |
| `-p, --rsa-key-file-path` | RSA private key file path. |

#### Optional Parameters

| Parameter | Description |
|---|---|
| `--rsa-key-data` | RSA private key data, Base64-encoded. |
| `-m, --metadata` | Metadata about the key. |
| `-t, --tag` | List of the tags attached to this key. To specify multiple tags, use the argument multiple times: `-t Tag1 -t Tag2`. |
| `-s, --split-level` | The number of fragments that the item will be split into (not including the customer fragment). Default is 2. |
| `-f, --customer-frg-id` | The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment). |
| `-c, --cert` | Path to a file that contains the certificate in PEM format. |
| `--cert-file-data` | Certificate in PEM format. |
| `--delete-protection[=false]` | Protection from accidental deletion of a secret. Possible values: true, false. To delete a protected secret, run the `update-item` command with the `--item-protected false` parameter. |

### encrypt

Encrypts plaintext into ciphertext using an AES key.

#### Usage

```shell
akeyless encrypt -k <Path/to/Key> -p <Data to be encrypted>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-k, --key-name` | The name of the key to use in the encryption process. |
| `-p, --plaintext` | Data to be encrypted. |

#### Optional Parameters

| Parameter | Description |
|---|---|
| `-X, --encryption-context` | Name-value pair that specifies the encryption context to be used for authenticated encryption. If used here, the same value must be supplied to the `decrypt` command or decryption will fail. |

### encrypt-file

Encrypts a file using an AES key.

#### Usage

```shell
akeyless encrypt-file -k <Key Name> -i <Path/to/file>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-k, --key-name` | The name of the key to use in the encryption process. |
| `-i, --in` | Path to the file to be encrypted. If not provided, the content is read from stdin. |

#### Optional Parameters

| Parameter | Description |
|---|---|
| `-o, --out` | Path to the output file. If not provided, the output is written to stdout. |
| `-X, --encryption-context` | Name-value pair that specifies the encryption context to be used for authenticated encryption. If used here, the same value must be supplied to the `decrypt-file` command or decryption will fail. |

### encrypt-pkcs1

Encrypts the given message with RSA and the padding scheme from PKCS#1 v1.5.

#### Usage

```shell
akeyless encrypt-pkcs1 -k <Key Name> -p <Data to encrypt>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-k, --key-name` | The name of the key to use in the encryption process. |
| `-p, --plaintext` | Data to be encrypted. |

### decrypt

Decrypts ciphertext into plaintext using an AES key.

#### Usage

```shell
akeyless decrypt -k <Key Name> -c <Ciphertext to be decrypted>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-k, --key-name` | The name of the key to use in the decryption process. |
| `-c, --ciphertext` | Ciphertext to be decrypted, in Base64-encoded format. |

#### Optional Parameters

| Parameter | Description |
|---|---|
| `-X, --encryption-context` | The encryption context. If this was specified in the `encrypt` command, it must be specified here or the decryption operation will fail. |

### decrypt-file

Decrypts a file using an AES key.

#### Usage

```shell
akeyless decrypt-file --key-name <Key Name> --in <Path/to/file>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `--key-name` | The name of the key to use in the decryption process. |
| `--in` | File to be decrypted. |

### decrypt-pkcs1

Decrypts a ciphertext using RSA and the padding scheme from PKCS#1 v1.5.

#### Usage

```shell
akeyless decrypt-pkcs1 -k <RSA Key Name> -c <Ciphertext to decrypt>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-k, --key-name` | The name of the RSA key to use in the decryption process. |
| `-c, --ciphertext` | Ciphertext to be decrypted, in Base64-encoded format. |

### sign-pkcs1

Calculates the signature of the hashed message using RSASSA-PKCS1-V1_5-SIGN from RSA PKCS#1 v1.5.

#### Usage

```shell
akeyless sign-pkcs1 -k <RSA signing key name> -m <Message to sign>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-k, --key-name` | The name of the RSA key to use in the signing process. |
| `-m, --message` | The message to be signed. |

### verify-pkcs1

Verifies an RSA PKCS#1 v1.5 signature.

#### Usage

```shell
akeyless verify-pkcs1 -k <RSA Key> -m <Message to verify> -s <Message signature>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-k, --key-name` | The name of the RSA key to use in the verification process. |
| `-m, --message` | The message to be verified. |
| `-s, --signature` | The message's signature. |

### gen-customer-fragment

Generates a Customer Fragment.

#### Usage

```shell
akeyless gen-customer-fragment
```

#### Optional Parameters

| Parameter | Description |
|---|---|
| `--description` | The Customer Fragment description. |

### delete-item

Deletes any secret, key, certificate or role. See Commands for all items and objects for details.

#### Usage

```shell
akeyless delete-item -n <Path/to/item>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-n, --name` | Path to the item to be deleted. |

#### Optional Parameters

| Parameter | Description |
|---|---|
| `--version` | The specific version you want to delete: 0 = last version, -1 = entire item with all versions (default). |
| `--delete-in-days` | The number of days to wait before deleting the item (relevant for keys only). Default is 7 days. |
| `--delete-immediately` | Must be set when `--delete-in-days` is -1. Default is false. |

### set-item-state

Sets whether the item is enabled or disabled.

#### Usage

```shell
akeyless set-item-state -n <Item name> -s <Desired state>
```

#### Mandatory Parameters

| Parameter | Description |
|---|---|
| `-n, --name` | Current item name. |
| `-s, --desired-state` | Whether to enable or disable the item. |

#### Optional Parameters

| Parameter | Description |
|---|---|
| `--version` | The specific version you want to update: 0 = item-level state (default). |

## Tokenization

### create-tokenizer

Creates a tokenizer.

#### Usage

```shell
akeyless create-tokenizer \
  --name <Tokenizer name> \
  --tokenizer-type <vaultless> \
  --template-type <SSN, CreditCard, USPhoneNumber> \
  --tweak-type <Supplied, Generated, Internal, Masking>
```

```shell
akeyless create-tokenizer \
  --name <Tokenizer name> \
  --tokenizer-type <vaultless> \
  --template-type <Custom> \
  --tweak-type <Supplied, Generated, Internal, Masking> \
  --alphabet <Symbols to use for tokenization> \
  --pattern <A regexp pattern to extract tokenized parts> \
  --encoding-template <An expression to alter the template of the encryption output> \
  --decoding-template <An expression to alter the template of the decryption output>
```

#### Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| `-n, --name` | **Y** | A unique name for the tokenizer. The name can include the path to the virtual folder where you want to create the new tokenizer, using slash (`/`) separators. If the folder does not exist, it is created together with the tokenizer. |
| `-y, --tokenizer-type[=vaultless]` | **Y** | Currently, the Akeyless vault platform supports only vaultless tokenization, so the default value of this parameter is `vaultless`. |
| `-T, --template-type` | **Y** | The format of the tokenized secret. The following templates are available: SSN, CreditCard, USPhoneNumber, and Custom. |
| `--tweak-type` | **Y** | The tweak type to use in tokenization. The following tweak types are available: Supplied, Generated, Internal, and Masking (see the list below the table). |
| `--encryption-key-name` | | Encrypt the tokenizer with the provided AES encryption key. |
| `--alphabet` | | A string of allowed symbols for Custom tokenization. |
| `--pattern` | | A regexp pattern used to extract the parts that should be tokenized during Custom tokenization. It can use named and unnamed capture groups (e.g., `(?P<first>\d{3})-(?P<last>\d{3})` or `(\d{3})-(\d{3})`). |
| `--encoding-template` | | An expression that alters the template of the encryption output for Custom tokenization (e.g., `$1-$2-$groupname`, where `$1` and `$2` are unnamed capture groups and `$groupname` is a named capture group). |
| `--decoding-template` | | An expression that alters the template of the decryption output for Custom tokenization. |
| `-m, --metadata` | | Tokenizer description. |
| `--tag` | | List of the tags attached to this tokenizer. To specify multiple tags, use the parameter multiple times: `--tag Tag1 --tag Tag2`. |
| `--delete-protection` | | Protection from accidental deletion of this item. Possible values: true, false. |
| `--profile, --token` | | Use a specific profile (located at `$HOME/.akeyless/profiles`) or a temporary access token. |

The tweak types behave as follows:

  • Supplied: the tweak is provided by the customer for each encrypt/decrypt operation.
  • Generated: the tweak is created by Akeyless for each encryption operation and returned to the customer. The customer must provide it when decrypting.
  • Internal: the tweak is generated by Akeyless when the tokenizer is created and saved with the tokenizer data, so the same tweak is used when encrypting or decrypting all tokens of this tokenizer.
  • Masking: the tweak is created by Akeyless for each encryption operation but is not returned to the customer, so encryption with a Masking tweak is a one-way operation (the data cannot be decrypted).
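The following script is an added illustration, not Akeyless code, of how the Custom-template options above (`--pattern`, `--encoding-template`, `--decoding-template`) and the four tweak types fit together. The `CustomTokenizer` class, its `render_template` helper and the constructed key and tweak values are all hypothetical; the "cipher" inside it is a toy keyed shift over the alphabet so the behaviour can be observed offline, and it does not reproduce the format-preserving encryption that Akeyless actually uses.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Constructed illustration (not Akeyless code) of the Custom tokenizer concepts
# on this page. The keyed shift below is a toy, not real format-preserving encryption.

DIGITS = "0123456789"
TWEAK_TYPES = ("Supplied", "Generated", "Internal", "Masking")


def _keystream(key: bytes, tweak: bytes, length: int) -> list:
    """Derive `length` shift values from HMAC-SHA256(key, tweak || counter)."""
    out = []
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, tweak + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return out[:length]


def _shift(part: str, key: bytes, tweak: bytes, alphabet: str, sign: int) -> str:
    """Shift each symbol of `part` within `alphabet`: sign=+1 tokenizes, sign=-1 reverses."""
    n = len(alphabet)
    ks = _keystream(key, tweak, len(part))
    return "".join(alphabet[(alphabet.index(c) + sign * k) % n] for c, k in zip(part, ks))


def render_template(template: str, values: dict) -> str:
    """Expand $1, $2, ... and $name references, as in --encoding-template."""
    return re.sub(r"\$(\d+|[A-Za-z_]\w*)", lambda m: values[m.group(1)], template)


class CustomTokenizer:
    """Hypothetical stand-in for a tokenizer created with --template-type Custom."""

    def __init__(self, key: bytes, pattern: str, encoding_template: str,
                 decoding_template: str, tweak_type: str, alphabet: str = DIGITS):
        if tweak_type not in TWEAK_TYPES:
            raise ValueError(f"unknown tweak type {tweak_type!r}")
        self.key, self.alphabet, self.tweak_type = key, alphabet, tweak_type
        self.pattern = re.compile(pattern)
        self.encoding_template, self.decoding_template = encoding_template, decoding_template
        # Internal: one tweak generated when the tokenizer is created and stored with it.
        self.internal_tweak = os.urandom(8) if tweak_type == "Internal" else None

    def _transform(self, text: str, tweak: bytes, template: str, sign: int) -> str:
        m = self.pattern.fullmatch(text)
        if m is None:
            raise ValueError("input does not match the tokenizer pattern")
        values = {}
        for i in range(1, self.pattern.groups + 1):
            # Each capture group is transformed on its own; the group index is mixed into
            # the tweak so two groups never share a keystream.
            values[str(i)] = _shift(m.group(i), self.key, tweak + bytes([i]), self.alphabet, sign)
        for name, i in self.pattern.groupindex.items():
            values[name] = values[str(i)]  # named groups alias their numbered slot
        return render_template(template, values)

    def tokenize(self, plaintext: str, tweak: bytes | None = None):
        """Return (token, tweak_returned_to_caller); the second item is None unless Generated."""
        if self.tweak_type == "Supplied":
            if tweak is None:
                raise ValueError("Supplied tweak type needs a tweak on every call")
            return self._transform(plaintext, tweak, self.encoding_template, +1), None
        if self.tweak_type == "Internal":
            return self._transform(plaintext, self.internal_tweak, self.encoding_template, +1), None
        fresh = os.urandom(8)  # Generated and Masking: a new tweak for every operation
        token = self._transform(plaintext, fresh, self.encoding_template, +1)
        # Generated hands the tweak back; Masking discards it, so the token is one-way.
        return token, (fresh if self.tweak_type == "Generated" else None)

    def detokenize(self, token: str, tweak: bytes | None = None) -> str:
        if self.tweak_type == "Masking":
            raise ValueError("Masking tokens cannot be detokenized")
        if self.tweak_type == "Internal":
            tweak = self.internal_tweak
        elif tweak is None:
            raise ValueError(f"{self.tweak_type} tweak type needs the tweak used at tokenization")
        return self._transform(token, tweak, self.decoding_template, -1)


def can_detokenize(tokenizer: CustomTokenizer, token: str, tweak: bytes | None = None) -> bool:
    """True if this tokenizer's tweak type permits detokenization with the given tweak."""
    try:
        tokenizer.detokenize(token, tweak)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real tokenizer is protected by an Akeyless key
    tok = CustomTokenizer(key, r"(?P<first>\d{3})-(?P<last>\d{3})", "$first-$last", "$1-$2", "Supplied")
    token, _ = tok.tokenize("123-456", tweak=b"tweak-A")
    print(token, tok.detokenize(token, tweak=b"tweak-A"))
    masked = CustomTokenizer(key, r"(\d{4})", "$1", "$1", "Masking")
    print(masked.tokenize("1234")[0], can_detokenize(masked, "0000"))
```

Two things the script makes visible that the table alone does not: an Internal tokenizer returns the same token for the same input every time (deterministic, which is what makes tokens usable as lookup keys), whereas Generated produces a different token per call and the caller must keep the returned tweak next to the token; and with a Supplied tweak, detokenizing under the wrong tweak yields a wrong value rather than an error in this toy, because the shift carries no integrity check, so the tweak has to be managed as carefully as the token itself.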

### tokenize

Tokenizes a secret.

#### Usage

```shell
akeyless tokenize \
  --tokenizer-name <Tokenizer name> \
  --plaintext <Data to be encrypted> \
  --tweak <Base64-encoded tweak value>
```

#### Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| `-n, --name` | **Y** | The name of the tokenizer to use in the encryption process. |
| `-p, --plaintext` | **Y** | Data to be encrypted. |
| `--tweak` | | Base64-encoded tweak. |

### detokenize

Detokenizes a tokenized secret.

#### Usage

```shell
akeyless detokenize \
  --tokenizer-name <Tokenizer name> \
  --ciphertext <Data to be decrypted> \
  --tweak <Base64-encoded tweak value that was used for encryption>
```

#### Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| `-n, --name` | **Y** | The name of the tokenizer to use in the decryption process. |
| `--ciphertext` | **Y** | Data to be decrypted. |
| `--tweak` | | Base64-encoded tweak value that was used for encryption. |
