CLI Reference - Encryption Keys

Encryption Keys

create-key

Creates a new key - Deprecated: Use command create-dfc-key

Please note: mandatory values for this command: -n, --name, -a, --alg

Usage
akeyless create-key --name <Key name> \
--alg <Key type> \
--description <Key description> \
--split-level <The number of fragments that the item will be split into [Default = 2]> \
--delete-protection <Protection from accidental deletion of this item, [true/false]>
Parameters
Parameter | Description
-n, --name | (Mandatory) Key name/path.
-a, --alg | (Mandatory) Key type [AES128GCM, AES256GCM, AES128SIV, AES256SIV, AES128CBC, AES256CBC, RSA1024, RSA2048, RSA3072, RSA4096]
--description | Key description
-t, --tag | List of the tags attached to this key. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
-s, --split-level[=2] | The number of fragments that the item will be split into (not including customer fragment)
-f, --customer-frg-id | The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment)
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

create-classic-key

Creates a new Classic Key

Please note: mandatory values for this command: -n, --name, -a, --alg

Usage
akeyless create-classic-key --name <Key Name> \
--alg <Key type> \
--gateway-url <API Gateway URL:8000> \
--key-file-path <Path to file with the classic key value provided by user> \
--key-data <Base64-encoded classic key value provided by user> \
--cert <Path to a file that contains the certificate in a PEM format> \
--cert-file-data <PEM Certificate in a Base64 format> \
--delete-protection <Protection from accidental deletion of this item, [true/false]>
Parameters
Parameter | Description
-n, --name | (Mandatory) Classic key name/path.
-a, --alg | (Mandatory) Key type; options: [AES128GCM, AES256GCM, AES128SIV, AES256SIV, RSA1024, RSA2048, RSA3072, RSA4096, EC256, EC384, GPG]
--gpg-alg | Relevant only if GPG key type selected; options: [RSA1024, RSA2048, RSA3072, RSA4096, Ed25519]
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
-p, --key-file-path | Path to file with the classic key value provided by user
--key-data | Base64-encoded classic key value provided by user
-c, --cert | Path to a file that contains the certificate in a PEM format.
--cert-file-data | PEM Certificate in a Base64 format.
--description | Classic key description
--generate-self-signed-certificate[=false] | Whether to generate a self-signed certificate with the key. If set, --certificate-ttl must be provided.
--certificate-ttl | TTL in days for the generated certificate. Required only for generate-self-signed-certificate.
--certificate-common-name | Common name for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-organization | Organization name for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-country | Country name for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-locality | Locality for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-province | Province name for the generated certificate. Relevant only for generate-self-signed-certificate.
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
-k, --protection-key-name | The name of the key that protects the classic key value (if empty, the account default key will be used)
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

export-classic-key

Returns the Classic Key material

Please note: mandatory values for this command: -n, --name

Usage
akeyless export-classic-key --name <Key name> \
--gateway-url <API Gateway URL:8000>

Parameters

Parameter | Description
-n, --name | (Mandatory) Classic key name
-v, --version | Classic key version
--export-public-key[=false] | Export only the public key
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--ignore-cache[=false] | Retrieve the Secret value without checking the Gateway's cache. This flag is only relevant when using the RestAPI
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

create-dfc-key

Creates a new DFC key

Please note: mandatory values for this command: -n, --name, -a, --alg

Usage
akeyless create-dfc-key --name <Key name> \
 --alg <Key type> \
 --description <DFC key description> \
 --split-level <The number of fragments that the item will be split into [Default = 2]> \
 --delete-protection <Protection from accidental deletion of this item, [true/false]>
Parameters
Parameter | Description
-n, --name | (Mandatory) DFCKey name
-a, --alg | (Mandatory) DFCKey type; options: [AES128GCM, AES256GCM, AES128SIV, AES256SIV, AES128CBC, AES256CBC, RSA1024, RSA2048, RSA3072, RSA4096]
--description | DFC key description
--generate-self-signed-certificate[=false] | Whether to generate a self-signed certificate with the key. If set, --certificate-ttl must be provided.
--certificate-ttl | TTL in days for the generated certificate. Required only for generate-self-signed-certificate.
--certificate-common-name | Common name for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-organization | Organization name for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-country | Country name for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-locality | Locality for the generated certificate. Relevant only for generate-self-signed-certificate.
--certificate-province | Province name for the generated certificate. Relevant only for generate-self-signed-certificate.
-t, --tag | List of the tags attached to this DFC key. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2
-s, --split-level[=2] | The number of fragments that the item will be split into (not including customer fragment)
-f, --customer-frg-id | The customer fragment ID that will be used to create the DFC key (if empty, the key will be created independently of a customer fragment)
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

rotate-key

Rotates an existing key, by creating a new version of the key.

Usage
akeyless rotate-key -n <Key name> \
--gateway-url <API Gateway URL:8000> \
--new-key-data <The new value of the key, base64 encoded>
Parameters
Parameter | Description
-n, --name | (Mandatory) Key name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port). Relevant only for Classic Key.
--new-key-data | The new value of the key, base64 encoded. Relevant only for Classic Key provided by the user (BYOK).
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

refresh-key

Refresh a key

Please note: mandatory values for this command: -n, --name

Usage
akeyless refresh-key --name <Key name>

Parameters

Parameter | Description
-n, --name | (Mandatory) Key name
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

assoc-target-item

Create an association between a Target and a Classic Key for External KMS Integration

Please note: mandatory values for this command: -t, --target-name, -n, --name

Usage
akeyless assoc-target-item --target-name <The target to associate> \
--name <The item to associate> \
--vault-name <Name of the vault used> \
--key-operations <A list of allowed operations for the key> \
--project-id <Project id of the GCP KMS> \
--location-id <Location id of the GCP KMS> \
--keyring-name <Keyring name of the GCP KMS> \
--purpose <Purpose of the key in GCP KMS>

Parameters

Parameter | Description
-t, --target-name | (Mandatory) The target to associate
-n, --name | (Mandatory) The item to associate
--vault-name | Name of the vault used. (Relevant only for Classic Key and target association. Required for azure targets)
--key-operations | A list of allowed operations for the key. (Relevant only for Classic Key and target association. Required for azure targets)
--project-id | Project id of the GCP KMS. (Relevant only for Classic Key and target association. Required for gcp targets)
--location-id | Location id of the GCP KMS. (Relevant only for Classic Key and target association. Required for gcp targets)
--keyring-name | Keyring name of the GCP KMS. (Relevant only for Classic Key and target association. Required for gcp targets)
--purpose | Purpose of the key in GCP KMS. (Relevant only for Classic Key and target association. Required for gcp targets)
--kms-algorithm | Algorithm of the key in GCP KMS. (Relevant only for Classic Key and target association. Required for gcp targets)
--tenant-secret-type | Set to 'true' to create a multi-region managed key. (Relevant only for Classic Key AWS targets)
--multi-region[=false] | The list of regions in which to create a copy of the key. (Relevant only for Classic Key AWS targets). To specify multiple regions use argument multiple times: --regions us-east-1 --regions us-west-1
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

get-rsa-public

Obtain the public key from a specific RSA private key

Please note: mandatory values for this command: -n, --name

Usage
akeyless get-rsa-public --name <RSA_private_Key_name>
Parameters
Parameter | Description
-n, --name | (Mandatory) Name of RSA key to extract the public key from
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

upload-pkcs12

Upload a PKCS#12 key and certificates

Please note: mandatory values for this command: -n, --name, -i, --in, -p, --passphrase

Usage
akeyless upload-pkcs12 --name <Key name> \
--in <PKCS#12 input file (private key and certificate only)> \
--passphrase <Passphrase to unlock the pkcs#12 bundle> \
--description <Key description> \
--customer-frg-id <Customer fragment ID that will be used to split the key> \
--cert <Path to a file that contains the certificate in a PEM format> \
--delete-protection <Protection from accidental deletion of this item, [true/false]>
Parameters
Parameter | Description
-n, --name | (Mandatory) Name of key to be created
-i, --in | (Mandatory) PKCS#12 input file (private key and certificate only)
-p, --passphrase | (Mandatory) Passphrase to unlock the pkcs#12 bundle
--description | Key description
-t, --tag | List of the tags attached to this key. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
-s, --split-level[=2] | The number of fragments that the item will be split into
-f, --customer-frg-id | The customer fragment ID that will be used to split the key (if empty, the key will be created independently of a customer fragment)
-c, --cert | Path to a file that contains the certificate in a PEM format. If this parameter is not empty, the certificate will be taken from here and not from the PKCS#12 input file
--delete-protection[=false] | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

upload-rsa

Upload RSA key

Please note: mandatory values for this command: -n, --name, -a, --alg

Usage
akeyless upload-rsa --name <Name of key to be created> \
--alg <Key type> \
--rsa-key-file-path <RSA private key file path> \
--rsa-key-data <RSA private key data, base64 encoded> \
--cert <Path to a file that contains the certificate in a PEM format> \
--cert-file-data <PEM Certificate in a Base64 format>
Parameters
Parameter | Description
-n, --name | (Mandatory) Name of key to be created
-a, --alg | (Mandatory) Key type. options: [RSA1024, RSA2048, RSA3072, RSA4096]
-p, --rsa-key-file-path | RSA private key file path.
--rsa-key-data | RSA private key data, base64 encoded
-c, --cert | Path to a file that contains the certificate in a PEM format
--cert-file-data | PEM Certificate in a Base64 format
--description | Key description
-t, --tag | List of the tags attached to this key. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
-s, --split-level[=2] | The number of fragments that the item will be split into
-f, --customer-frg-id | The customer fragment ID that will be used to split the key (if empty, the key will be created independently of a customer fragment)
--overwrite[=false] | When the overwrite flag is set, this command will only update an existing key. [true, false]
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

update-rotation-settings

Updates rotation settings of an existing key.

Please note: mandatory values for this command: -n, --name, -r, --auto-rotate

Usage
akeyless update-rotation-settings --name <Key name> \
--auto-rotate=<True/False> \
--rotation-interval <The number of days to wait between every automatic key rotation (7-365)>

Parameters

Parameter | Description
-n, --name | (Mandatory) Key name
-r, --auto-rotate[=false] | (Mandatory) [true/false] Enables or disables automatic rotation. If enabled, rotation is triggered periodically based on --rotation-interval
--rotation-interval | The number of days to wait between every automatic key rotation (7-365)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

encrypt

Encrypts plaintext into ciphertext by using an AES key

Usage
akeyless encrypt -k <Key name> \
--display-id <Display id of the key to use in the encryption process> \
--item-id <Item id of the key to use in the encryption process> \
--in <Path to the file to be encrypted in base64 format>
Parameters
Parameter | Description
-k, --key-name | The name of the key to use in the encryption process
-d, --display-id | The display id of the key to use in the encryption process
-I, --item-id | The item id of the key to use in the encryption process
-i, --in | Path to the file to be encrypted in base64 format
-o, --out | Path to the output file. If not provided, the output will be printed as base64
-p, --plaintext | Data to be encrypted, if a file was not provided
-X, --encryption-context | Name-value pair that specifies the encryption context to be used for authenticated encryption. If used here, the same value must be supplied to the decrypt command or decryption will fail
-F, --input-format | If specified, the plaintext input is assumed to be formatted accordingly. Current supported options: [base64]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

encrypt-file

Encrypts a file by using an AES key

Usage
akeyless encrypt-file --key-name <Key Name> \
--in <Path/to/file> \
--display-id <Display id of the key to use in the encryption process> \
--item-id <The item id of the key to use in the encryption process>
Parameters
Parameter | Description
-k, --key-name | The name of the key to use in the encryption process
-d, --display-id | The display id of the key to use in the encryption process
-I, --item-id | The item id of the key to use in the encryption process
-i, --in | (Mandatory) Path to the file to be encrypted. If not provided, the content will be taken from stdin
-o, --out | Path to the output file. If not provided, the output will be sent to stdout
-F, --output-format[=base64] | The output will be formatted accordingly. options: [base64, raw]
-X, --encryption-context | Name-value pair that specifies the encryption context to be used for authenticated encryption. If used here, the same value must be supplied to the decrypt command or decryption will fail
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

encrypt-pkcs1

Encrypts the given message with RSA and the padding scheme from PKCS#1 v1.5

Please note: mandatory values for this command: -p, --plaintext

Usage
akeyless encrypt-pkcs1 -k <key Name> \
--plaintext <Data to encrypt> \
--display-id <Display id of the key to use in the encryption process> \
--item-id <Item id of the key to use in the encryption process>
Parameters
Parameter | Description
-k, --key-name | The name of the key to use in the encryption process
-d, --display-id | The display id of the key to use in the encryption process
-I, --item-id | The item id of the key to use in the encryption process
-p, --plaintext | (Mandatory) Data to be encrypted
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

encrypt-gpg

Encrypts the given message with GPG using an RSA key

Usage
akeyless encrypt-gpg -k <Key name> \
--display-id <Display id of the key to use in the encryption process> \
--item-id <Item id of the key to use in the encryption process> \
--in <Path to the file to be encrypted in base64 format>
Parameters
Parameter | Description
-k, --key-name | The name of the key to use in the encryption process
-d, --display-id | The display id of the key to use in the encryption process
-I, --item-id | The item id of the key to use in the encryption process
-i, --in | Path to the file to be encrypted in base64 format
-o, --out | Path to the output file. If not provided, the output will be printed as base64
-p, --plaintext | Data to be encrypted, if a file was not provided
-F, --input-format | If specified, the plaintext input is assumed to be formatted accordingly. Current supported options: [base64]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication
-h, --help | Display help information
--json[=false] | Set output format to JSON
--jq-expression | JQ expression to filter result output
--no-creds-cleanup[=false] | Do not clean local temporary expired creds

decrypt

Decrypts ciphertext into plaintext by using an AES key

Usage
akeyless decrypt --key-name <Key Name> \
--ciphertext <Ciphertext to be decrypted in base64 encoded format> \
--display-id <Display id of the key to use in the decryption process> \
--item-id <Item id of the key to use in the decryption process>
Parameters
Parameter | Description
-k, --key-name | The name of the key to use in the decryption process.
-d, --display-id | The display id of the key to use in the decryption process
-I, --item-id | The item id of the key to use in the decryption process
-i, --in | Path to the file to be decrypted (base64 encoded)
-o, --out | Path to the output file. If not provided, the output will be printed as text.
-c, --ciphertext | Ciphertext to be decrypted in base64 encoded format, if a file was not provided
-X, --encryption-context | The encryption context. If this was specified in the encrypt command, it must be specified here or the decryption operation will fail
-F, --output-format | If specified, the output will be formatted accordingly. options: [base64]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

decrypt-file

Decrypts a file by using an AES key

Please note: mandatory values for this command: -i, --in

Usage
akeyless decrypt-file --key-name <key name> \
--in <file to decrypt> \
--display-id <Display id of the key to use in the decryption process> \
--item-id <Item id of the key to use in the decryption process>
Parameters
Parameter | Description
--key-name | The name of the key to use in the decryption process
-d, --display-id | The display id of the key to use in the decryption process
-I, --item-id | The item id of the key to use in the decryption process
-i, --in | (Mandatory) Path to the file to be decrypted. If not provided, the content will be taken from stdin
-o, --out | Path to the output file. If not provided, the output will be sent to stdout
-F, --output-format[=base64] | The output will be formatted accordingly. options: [base64, raw]
-X, --encryption-context | The encryption context. If this was specified in the encrypt command, it must be specified here or the decryption operation will fail
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication
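
The encryption-context rule shared by encrypt-file and decrypt-file, as an added shell example (not Akeyless code and not part of the original reference): the wrappers record the context in a sidecar file beside the ciphertext so that decryption always supplies the identical value. The name=value form of the pair, the ".ctx" sidecar name, the ctx_valid character rule and a non-zero exit status on failure are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Akeyless code. Assumptions: -X takes one name=value pair,
# the CLI exits non-zero on failure, and "<ciphertext>.ctx" is this script's
# own sidecar naming.

# ctx_valid CONTEXT: accept exactly one name=value pair made of safe characters.
ctx_valid() {
    case "$1" in
        *[!A-Za-z0-9_.=-]*) return 1 ;;  # whitespace, quotes, shell metacharacters
        *=*=*)              return 1 ;;  # more than one '='
        ?*=?*)              return 0 ;;
        *)                  return 1 ;;
    esac
}

# encrypt_with_context KEY CONTEXT INFILE OUTFILE
encrypt_with_context() {
    ctx_valid "$2" || { echo "invalid encryption context: $2" >&2; return 2; }
    akeyless encrypt-file --key-name "$1" --in "$3" --out "$4" \
        --encryption-context "$2" || return 1
    # Record the context only once the ciphertext exists. The context is not a
    # secret: it is bound to the ciphertext, so a changed sidecar makes
    # decryption fail rather than return different plaintext.
    printf '%s\n' "$2" > "$4.ctx"
}

# decrypt_with_context KEY INFILE OUTFILE
decrypt_with_context() {
    [ -r "$2.ctx" ] || { echo "no recorded context for $2" >&2; return 3; }
    ctx_valid "$(cat "$2.ctx")" || { echo "recorded context is malformed" >&2; return 2; }
    akeyless decrypt-file --key-name "$1" --in "$2" --out "$3" \
        --encryption-context "$(cat "$2.ctx")"
}
```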

decrypt-pkcs1

Decrypts ciphertext using RSA and the padding scheme from PKCS#1 v1.5

Please note: mandatory values for this command: -c, --ciphertext

Usage
akeyless decrypt-pkcs1 --key-name <RSA Key Name> \
--ciphertext <Ciphertext to decrypt> \
--display-id <Display id of the key to use in the decryption process> \
--item-id <Item id of the key to use in the decryption process>
Parameters
Parameter | Description
-k, --key-name | The name of the key to use in the decryption process
-d, --display-id | The display id of the key to use in the decryption process
-I, --item-id | The item id of the key to use in the decryption process
-c, --ciphertext | (Mandatory) Ciphertext to be decrypted in base64 encoded format
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

decrypt-gpg

Decrypts ciphertext into plaintext by using an AES key

Usage
akeyless decrypt-gpg --key-name <Key Name> \
--ciphertext <Ciphertext to be decrypted in base64 encoded format> \
--display-id <Display id of the key to use in the decryption process> \
--item-id <Item id of the key to use in the decryption process>
Parameters
Parameter | Description
-k, --key-name | The name of the key to use in the decryption process.
-d, --display-id | The display id of the key to use in the decryption process
-I, --item-id | The item id of the key to use in the decryption process
-i, --in | Path to the file to be decrypted (base64 encoded)
-o, --out | Path to the output file. If not provided, the output will be printed as text.
-c, --ciphertext | Ciphertext to be decrypted in base64 encoded format, if a file was not provided
-p, --passphrase | Passphrase to decrypt the message
-F, --output-format | If specified, the output will be formatted accordingly. options: [base64]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication
-h, --help | Display help information
--json[=false] | Set output format to JSON
--jq-expression | JQ expression to filter result output
--no-creds-cleanup[=false] | Do not clean local temporary expired creds

sign-pkcs1

Calculates the signature of a message using RSASSA-PKCS1-V1_5-SIGN from RSA PKCS#1 v1.5

Please note: mandatory values for this command: -m, --message

Usage
akeyless sign-pkcs1 --key-name <RSA signing key name> \
--message <Message to sign> \
--display-id <Display id of the key to use in the signing process> \
--item-id <Item id of the key to use in the signing process>
Parameters
Parameter | Description
-k, --key-name | The name of the RSA key to use in the signing process
-d, --display-id | The display id of the key to use in the signing process
-I, --item-id | The item id of the key to use in the signing process
-m, --message | (Mandatory) The message to be signed
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

verify-pkcs1

Verifies an RSA PKCS#1 v1.5 signature

Please note: mandatory values for this command: -m, --message, -s, --signature

Usage
akeyless verify-pkcs1 --key-name <RSA Key> \
--message <message to verify> \
--signature <message signature> \
--display-id <Display id of the key to use in the verification process> \
--item-id <Item id of the key to use in the verification process>
Parameters
Parameter | Description
-k, --key-name | The name of the RSA key to use in the verification process
-d, --display-id | The display id of the key to use in the verification process
-I, --item-id | The item id of the key to use in the verification process
-m, --message | (Mandatory) The message to be verified.
-s, --signature | (Mandatory) The message's signature.
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

sign-gpg

Calculates the signature of a message using GPG from an RSA key

Please note: mandatory values for this command: -m, --message

Usage
akeyless sign-gpg --key-name <RSA signing key name> \
--message <Message to sign> \
--display-id <Display id of the key to use in the signing process> \
--item-id <Item id of the key to use in the signing process>
Parameters
Parameter | Description
-k, --key-name | The name of the RSA key to use in the signing process
-d, --display-id | The display id of the key to use in the signing process
-I, --item-id | The item id of the key to use in the signing process
-m, --message | (Mandatory) The message to be signed
-p, --passphrase | Passphrase to decrypt the message
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication
-h, --help | Display help information
--json[=false] | Set output format to JSON
--jq-expression | JQ expression to filter result output
--no-creds-cleanup[=false] | Do not clean local temporary expired creds

verify-gpg

Verifies a GPG signature based on an RSA key

Please note: mandatory values for this command: -m, --message, -s, --signature

Usage
akeyless verify-gpg --key-name <RSA Key> \
--message <message to verify> \
--signature <message signature> \
--display-id <Display id of the key to use in the verification process> \
--item-id <Item id of the key to use in the verification process>
Parameters
Parameter | Description
-k, --key-name | The name of the RSA key to use in the verification process
-d, --display-id | The display id of the key to use in the verification process
-I, --item-id | The item id of the key to use in the verification process
-m, --message | (Mandatory) The message to be verified.
-s, --signature | (Mandatory) The message's signature.
-p, --passphrase | Passphrase to decrypt the message
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication
-h, --help | Display help information
--json[=false] | Set output format to JSON
--jq-expression | JQ expression to filter result output
--no-creds-cleanup[=false] | Do not clean local temporary expired creds

hmac

Generates a hash-based message authentication code (HMAC) for a message, using an HMAC algorithm

Usage
akeyless hmac -p <plaintext> -f <hash function>
Parameters
Parameter | Description
-k, --key-name | The name of the key to use in the encryption process
-d, --display-id | The display id of the key to use in the encryption process
-I, --item-id | The item id of the key to use in the encryption process
-i, --in | Path to the input file
-o, --out | Path to the output file. If not provided, the output will be printed as base64
-p, --plaintext | Data to perform hmac on, if a file was not provided
-f, --hash-function[=sha-256] | Hash function [sha-256,sha-512]
-F, --input-format | Select the default assumed format for any plaintext input. Currently supported options: [base64]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication
-h, --help | Display help information
--json[=false] | Set output format to JSON
--jq-expression | JQ expression to filter result output
--no-creds-cleanup[=false] | Do not clean local temporary expired creds

gen-customer-fragment

Generates Customer Fragment

Usage
akeyless gen-customer-fragment --description <Customer Fragment Description>

gateway-download-customer-fragments

Download gateway customer fragments

Usage
akeyless gateway-download-customer-fragments -f <path to download to> -u <gateway URL>

set-item-state

Set an item's state (Enabled, Disabled)

Please note: mandatory values for this command: -n, --name, -s, --desired-state

Usage
akeyless set-item-state --name <Item name> \
--desired-state <Desired state>
Parameters
Parameter | Description
-n, --name | (Mandatory) Current item name.
-s, --desired-state | (Mandatory) Desired item state [Enabled, Disabled]
--version[=0] | The specific version you want to update: 0=item level state (default)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

Tokenization

create-tokenizer

Creates a new tokenizer.

Please note: mandatory values for this command: -n, --name, -y, --tokenizer-type[=vaultless], -T, --template-type

Usage
akeyless create-tokenizer \
--name <Tokenizer name> \
--tokenizer-type <vaultless> \
--template-type <SSN, CreditCard, USPhoneNumber> \
--tweak-type <Supplied, Generated, Internal, Masking>

akeyless create-tokenizer \
--name <Tokenizer name> \
--tokenizer-type <vaultless> \
--template-type <Custom> \
--tweak-type <Supplied, Generated, Internal, Masking> \
--alphabet <Symbols to use for tokenization> \
--pattern <A regexp pattern to extract tokenized parts> \
--encoding-template <An expression to alter the template of the encryption output> \
--decoding-template <An expression to alter the template of the decryption output>
Parameters
Parameter | Description
-n, --name | (Mandatory) Tokenizer name
-y, --tokenizer-type[=vaultless] | (Mandatory) Tokenizer type (vaultless)
-T, --template-type | (Mandatory) Which template type this tokenizer is used for [SSN,CreditCard,USPhoneNumber,Custom]
--encryption-key-name | AES key name to use in vaultless tokenization
--tweak-type | The tweak type to use in vaultless tokenization [Supplied, Generated, Internal, Masking]
--alphabet | Alphabet to use in custom vaultless tokenization, such as '0123456789' for credit cards.
--pattern | Pattern to use in custom vaultless tokenization
--encoding-template | The Encoding output template to use in custom vaultless tokenization
--decoding-template | The Decoding output template to use in custom vaultless tokenization
--description | Tokenizer description
--tag | List of the tags attached to this key. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

tokenize

Encrypts text with a tokenizer.

Please note: mandatory values for this command: -n, --tokenizer-name, -p, --plaintext

Usage
akeyless tokenize \
--tokenizer-name <Tokenizer name> \
--plaintext <Data to be encrypted> \
--tweak <Base64-encoded tweak value>
Parameters
Parameter | Description
-n, --tokenizer-name | (Mandatory) The name of the tokenizer to use in the encryption process
-p, --plaintext | (Mandatory) Data to be encrypted
--tweak | Base64 encoded tweak for vaultless encryption
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

detokenize

Decrypts text with a tokenizer

Please note: mandatory values for this command: -n, --tokenizer-name, -c, --ciphertext

Usage
akeyless detokenize \
--tokenizer-name <Tokenizer name> \
--ciphertext <Data to be decrypted> \
--tweak <Base64-encoded tweak value that was used for encryption>
Parameters
Parameter | Description
-n, --tokenizer-name | (Mandatory) The name of the tokenizer to use in the decryption process
-c, --ciphertext | (Mandatory) Data to be decrypted
--tweak | Base64 encoded tweak for vaultless encryption
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication