HashiConf 2024 Now streaming live from Boston! Attend for free
Vault
Vault Home

transit import and transit import-version

The transit import and transit import-version commands import the specified key into Transit, via the Transit BYOK mechanism. The former imports this key as a new key, failing if it already exists, whereas the latter will only update an existing key in Transit to a new version of the key material.

This needs access to read the transit mount's wrapping key (at transit/wrapping_key) and the ability to write to either import endpoints (either transit/keys/:name/import or transit/keys/:name/import_version).

Examples

Imports a 2048-bit RSA key as a new key:

$ vault transit import transit/keys/test-key @test-key type=rsa-2048
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
Success!

Imports a new version of an existing key:

$ vault transit import-version transit/keys/test-key @test-key-updated
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
Success!

Usage

This command does not have any unique flags and respects core Vault CLI commands. See vault transit import -help for more information.

This command requires two positional arguments:

  1. PATH, the path to the transit key to import in the format of <mount>/keys/<key-name>, where <mount> is the path to the mount (using -namespace=<ns> to specify any namespaces), and <key-name> is the desired name of the key.
  2. KEY, the key material to import in Standard Base64 encoding (either of a raw key in the case of symmetric keys such as AES, or of the DER encoded format for asymmetric keys such as RSA). If the value for KEY begins with an @, the CLI argument is assumed to be a path to a file on disk to be read.
Edit this page on GitHub