CLI Reference - Encryption Keys


Encryption Keys

create-key

Create a new encryption key.

Usage

  akeyless create-key -n <Path/to/Key> -a <algorithm>

Mandatory Parameters

  Parameter                 Description
  -n, --name                Key name/path.
  -a, --alg                 Algorithm type [AES128GCM, AES256GCM, AES128SIV, AES256SIV, RSA1024, RSA2048].

Optional Parameters

  Parameter                 Description
  -m, --metadata            Metadata about the key.
  -t, --tag                 List of the tags attached to this key. To specify multiple tags, use the argument multiple times: -t Tag1 -t Tag2.
  -s, --split-level         The number of fragments that the item will be split into (not including the customer fragment). Default is 2.
  -f, --customer-frg-id     The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment).

rotate-key

Rotates an existing key, creating a new version of it.

Usage

  akeyless rotate-key -n <Path/to/Key>

Mandatory Parameters

  Parameter                 Description
  -n, --name                Key name/path.

Optional Parameters

  Parameter                 Description
  --auto-rotate             Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation.
  --rotation-interval       The number of days to wait between every automatic key rotation (7-365).

get-rsa-public

Obtain the public key from a specific RSA private key.

Usage

  akeyless get-rsa-public -n <RSA_private_Key_name>

Mandatory Parameters

  Parameter                 Description
  -n, --name                Name of the RSA key to extract the public key from.

upload-pkcs12

Upload a PKCS#12 key and certificates.

Usage

  akeyless upload-pkcs12 -n <Path/to/Key> --in <location/of/pkcs12>

Mandatory Parameters

  Parameter                 Description
  -n, --name                Name of the key to be created.
  -i, --in                  PKCS#12 input file (private key and certificate only).
  -p, --passphrase          The passphrase to unlock the PKCS#12 bundle.

Optional Parameters

  Parameter                 Description
  -m, --metadata            Metadata about the key.
  -t, --tag                 List of the tags attached to this key. To specify multiple tags, use the argument multiple times: -t Tag1 -t Tag2.
  -s, --split-level         The number of fragments that the item will be split into (not including the customer fragment). Default is 2.
  -f, --customer-frg-id     The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment).
  -c, --cert                Path to a file that contains the certificate in PEM format. If this parameter is not empty, the certificate will be taken from here and not from the PKCS#12 input file.

upload-rsa

Upload an RSA key.

Usage

  akeyless upload-rsa -n <Path/to/Key> -a <algorithm> -p <Path/to/RSA/Private/Key>

Mandatory Parameters

  Parameter                 Description
  -n, --name                Name of the key to be created.
  -a, --alg                 Key type. Options: [RSA1024, RSA2048].
  -p, --rsa-key-file-path   RSA private key file path.

Optional Parameters

  Parameter                 Description
  --rsa-key-data            RSA private key data, base64 encoded.
  -m, --metadata            Metadata about the key.
  -t, --tag                 List of the tags attached to this key. To specify multiple tags, use the argument multiple times: -t Tag1 -t Tag2.
  -s, --split-level         The number of fragments that the item will be split into (not including the customer fragment). Default is 2.
  -f, --customer-frg-id     The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment).
  -c, --cert                Path to a file that contains the certificate in PEM format.
  --cert-file-data          Certificate in PEM format.

encrypt

Encrypts plaintext into ciphertext by using an AES key.

Usage

  akeyless encrypt -k <Path/to/Key> -p <Data to be encrypted>

Mandatory Parameters

  Parameter                 Description
  -k, --key-name            The name of the key to use in the encryption process.
  -p, --plaintext           Data to be encrypted.

Optional Parameters

  Parameter                 Description
  -X, --encryption-context  Name-value pair that specifies the encryption context to be used for authenticated encryption. If used here, the same value must be supplied to the decrypt command or decryption will fail.

encrypt-file

Encrypts a file by using an AES key.

Usage

  akeyless encrypt-file -k <Key Name> -i <Path/to/file>

Mandatory Parameters

  Parameter                 Description
  -k, --key-name            The name of the key to use in the encryption process.
  -i, --in                  Path to the file to be encrypted. If not provided, the content will be taken from stdin.

Optional Parameters

  Parameter                 Description
  -o, --out                 Path to the output file. If not provided, the output will be sent to stdout.
  -X, --encryption-context  Name-value pair that specifies the encryption context to be used for authenticated encryption. If used here, the same value must be supplied to the decrypt command or decryption will fail.

encrypt-pkcs1

Encrypts the given message with RSA and the padding scheme from PKCS#1 v1.5.

Usage

  akeyless encrypt-pkcs1 -k <Key Name> -p <Data to encrypt>

Mandatory Parameters

  Parameter                 Description
  -k, --key-name            The name of the key to use in the encryption process.
  -p, --plaintext           Data to be encrypted.

decrypt

Decrypts ciphertext into plaintext by using an AES key.

Usage

  akeyless decrypt -k <Key Name> -c <Ciphertext to be decrypted>

Mandatory Parameters

  Parameter                 Description
  -k, --key-name            The name of the key to use in the decryption process.
  -c, --ciphertext          Ciphertext to be decrypted, in base64 encoded format.

Optional Parameters

  Parameter                 Description
  -X, --encryption-context  The encryption context. If this was specified in the encrypt command, it must be specified here or the decryption operation will fail.

decrypt-file

Decrypts a file by using an AES key.

Usage

  akeyless decrypt-file --key-name <key name> --in <file to decrypt>

Mandatory Parameters

  Parameter                 Description
  --key-name                The name of the key to use in the decryption process.
  --in                      File to be decrypted.

decrypt-pkcs1

Decrypts ciphertext into plaintext using RSA and the padding scheme from PKCS#1 v1.5.

Usage

  akeyless decrypt-pkcs1 -k <RSA Key Name> -c <Ciphertext to decrypt>

Mandatory Parameters

  Parameter                 Description
  -k, --key-name            The name of the RSA key to use in the decryption process.
  -c, --ciphertext          Ciphertext to be decrypted, in base64 encoded format.

sign-pkcs1

Calculates the signature of a hashed message using RSASSA-PKCS1-V1_5-SIGN from RSA PKCS#1 v1.5.

Usage

  akeyless sign-pkcs1 -k <RSA signing key name> -m <Message to sign>

Mandatory Parameters

  Parameter                 Description
  -k, --key-name            The name of the RSA key to use in the signing process.
  -m, --message             The message to be signed.

verify-pkcs1

Verifies an RSA PKCS#1 v1.5 signature.

Usage

  akeyless verify-pkcs1 -k <RSA Key> -m <message to verify> -s <message signature>

Mandatory Parameters

  Parameter                 Description
  -k, --key-name            The name of the RSA key to use in the verification process.
  -m, --message             The message to be verified.
  -s, --signature           The message's signature.

gen-customer-fragment

Generates a Customer Fragment.

Usage

  akeyless gen-customer-fragment

Optional Parameters

  Parameter                 Description
  --description             The Customer Fragment description.

delete-item

Deletes any secret, key, certificate or role. See Commands for all items and objects for details.

Usage

  akeyless delete-item -n <path/to/item>

Mandatory Parameters

  Parameter                 Description
  -n, --name                Path to the item to be deleted.

Optional Parameters

  Parameter                 Description
  --version                 The specific version to delete: 0 = last version, -1 = entire item with all versions (default).
  --delete-in-days          The number of days to wait before deleting the item (relevant for keys only). Default is 7 days.
  --delete-immediately      Must be set when delete-in-days is -1. Default is false.

set-item-state

Indicates whether the item should be enabled or disabled.

Usage

  akeyless set-item-state -n <Item name> -s <Desired state>

Mandatory Parameters

  Parameter                 Description
  -n, --name                Current item name.
  -s, --desired-state       Indicates whether to enable or disable the item.

Optional Parameters

  Parameter                 Description
  --version                 The specific version to update: 0 = item-level state (default).
