Invoke-AzKeyVaultKeyOperation

Performs an operation such as "Encrypt", "Decrypt", "Wrap" or "Unwrap" using a specified key stored in a key vault or managed HSM.

Syntax

ByVaultName (Default)

Invoke-AzKeyVaultKeyOperation
    [-Name] <String>
    [-VaultName] <String>
    -Operation <String>
    -Algorithm <String>
    -ByteArrayValue <Byte[]>
    [-Version <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

ByHsmName

Invoke-AzKeyVaultKeyOperation
    [-HsmName] <String>
    [-Name] <String>
    -Operation <String>
    -Algorithm <String>
    -ByteArrayValue <Byte[]>
    [-Version <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

ByKeyInputObject

Invoke-AzKeyVaultKeyOperation
    [-InputObject] <PSKeyVaultKeyIdentityItem>
    -Operation <String>
    -Algorithm <String>
    -ByteArrayValue <Byte[]>
    [-Version <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

The Invoke-AzKeyVaultKeyOperation cmdlet supports:

  1. Encrypting an arbitrary sequence of bytes using an encryption key.
  2. Decrypting a single block of encrypted data.
  3. Wrapping a symmetric key using a specified key.
  4. Unwrapping a symmetric key using the specified key that was initially used for wrapping that key.

Examples

Example 1: Encrypts byte array using an encryption key

$byteArray = [Byte[]]@(58, 219)
$encryptedData = Invoke-AzKeyVaultKeyOperation -Operation Encrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $byteArray
$encryptedData

KeyId     : https://bez-kv.vault.azure.net/keys/bez-key/c96ce0fb18de446c9f4b911b686988af
RawResult : {21, 39, 82, 56…}
Algorithm : RSA1_5

Encrypts $byteArray using test-key stored in test-kv.

Example 2: Decrypts byte array using an encryption key

$encryptedData = [pscustomobject]@{ RawResult = [byte[]]@(58,219) }
$decryptedData = Invoke-AzKeyVaultKeyOperation -Operation Decrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $encryptedData.RawResult
$decryptedData

KeyId     : https://bez-kv.vault.azure.net/keys/bez-key/c96ce0fb18de446c9f4b911b686988af
RawResult : {58, 219}
Algorithm : RSA1_5

Decrypts $encryptedData.RawResult using test-key stored in test-kv. $decryptedData.RawResult is the same as $byteArray, which is the original data.

Example 3: Encrypts plain text using an encryption key

$plainText = "test"
$byteArray = [system.Text.Encoding]::UTF8.GetBytes($plainText)
$encryptedData = Invoke-AzKeyVaultKeyOperation -Operation Encrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $byteArray
$encryptedData

KeyId     : https://test-kv.vault.azure.net/keys/test-key/bd8b77352a2443d4983bd70e9f660bc6
RawResult : {58, 219, 6, 236…}
Algorithm : RSA1_5

Encrypts the string "test" using test-key stored in test-kv. RawResult is the encrypted result in byte array format.

Example 4: Decrypt encrypted data to plain text

$decryptedData = Invoke-AzKeyVaultKeyOperation -Operation Decrypt -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $encryptedData.RawResult
$plainText = [system.Text.Encoding]::UTF8.GetString($decryptedData.RawResult)
$plainText

test

Decrypts data that was encrypted using test-key stored in test-kv. RawResult is the decrypted result in byte array format.

Example 5: Wraps a symmetric key using a specified key

$key = "ovQIlbB0DgWhZA7sgkPxbg9H-Ly-VlNGPSgGrrZvlIo"
$byteArray = [system.Text.Encoding]::UTF8.GetBytes($key)
$wrappedResult = Invoke-AzKeyVaultKeyOperation -Operation Wrap -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $byteArray
$wrappedResult | Format-List

KeyId     : https://test-kv.vault.azure.net/keys/test-key/375cdf20252043b79c8ca0c57b6c7679
RawResult : {58, 219, 6, 236…}
Algorithm : RSA1_5

Wraps a symmetric key using the key named test-key stored in test-kv. RawResult is the wrapped result in byte array format.

Example 6: Unwraps a symmetric key using a specified key

$wrappedResult = [pscustomobject]@{ RawResult = [byte[]]@(58,219) }
$unwrappedResult = Invoke-AzKeyVaultKeyOperation -Operation Unwrap -Algorithm RSA1_5 -VaultName test-kv -Name test-key -ByteArrayValue $wrappedResult.RawResult
$key = [system.Text.Encoding]::UTF8.GetString($unwrappedResult.RawResult)
$key

ovQIlbB0DgWhZA7sgkPxbg9H-Ly-VlNGPSgGrrZvlIo

Unwraps a symmetric key using the key named test-key stored in test-kv. RawResult is the unwrapped result in byte array format.
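
The wrap and unwrap steps from Examples 5 and 6 as one round trip, written as an added example that is not part of the original cmdlet documentation. It wraps a randomly generated key as raw bytes, records the key version from KeyId so that a later unwrap uses the same version via -Version, and uses OAEP padding instead of RSA1_5. Assumptions: the vault test-kv and RSA key test-key exist, and the installed Az.KeyVault module accepts the Key Vault algorithm identifier RSA-OAEP-256 for -Algorithm.

```powershell
# Added example, not from the cmdlet's own documentation.
# Assumed: vault 'test-kv' and RSA key 'test-key' exist, and -Algorithm
# accepts the Key Vault identifier 'RSA-OAEP-256' in the installed module.
$target = @{ VaultName = 'test-kv'; Name = 'test-key' }
$alg    = 'RSA-OAEP-256'

# Random 256-bit data-encryption key (DEK) as raw bytes, not an encoded string.
$dek = [byte[]]::new(32)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try { $rng.GetBytes($dek) } finally { $rng.Dispose() }

# Wrap the DEK with the vault key; only the wrapped form is persisted.
$wrapArgs = @{ Operation = 'Wrap'; Algorithm = $alg; ByteArrayValue = $dek }
$wrapped  = Invoke-AzKeyVaultKeyOperation @target @wrapArgs

# The last segment of KeyId is the key version that performed the wrap.
# Store it with the wrapped bytes so the unwrap does not depend on whichever
# version is current after a key rotation.
$envelope = [pscustomobject]@{
    KeyVersion = ([uri]$wrapped.KeyId).Segments[-1].TrimEnd('/')
    Algorithm  = $alg
    WrappedKey = [Convert]::ToBase64String($wrapped.RawResult)
}

# Later: unwrap with the recorded version and algorithm.
$unwrapArgs = @{
    Operation      = 'Unwrap'
    Algorithm      = $envelope.Algorithm
    Version        = $envelope.KeyVersion
    ByteArrayValue = [Convert]::FromBase64String($envelope.WrappedKey)
}
$unwrapped = Invoke-AzKeyVaultKeyOperation @target @unwrapArgs

# Confirm the round trip before relying on the envelope.
$same = [Convert]::ToBase64String($unwrapped.RawResult) -eq
        [Convert]::ToBase64String($dek)
if (-not $same) { throw 'Unwrapped key does not match the original DEK.' }

# Clear the plaintext key material from memory once it is no longer needed.
[Array]::Clear($dek, 0, $dek.Length)
[Array]::Clear($unwrapped.RawResult, 0, $unwrapped.RawResult.Length)
```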

Parameters

-Algorithm

Algorithm identifier

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:EncryptionAlgorithm, WrapAlgorithm

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ByteArrayValue

The value to operate on, in byte array format.

Parameter properties

Type:Byte[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:cf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Parameter properties

Type:IAzureContextContainer
Default value:None
Supports wildcards:False
DontShow:False
Aliases:AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-HsmName

HSM name.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ByHsmName
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-InputObject

Key object

Parameter properties

Type:PSKeyVaultKeyIdentityItem
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Key

Parameter sets

ByKeyInputObject
Position:0
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False

-Name

Key name.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:KeyName

Parameter sets

ByVaultName
Position:1
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByHsmName
Position:1
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Operation

The operation to perform: Encrypt, Decrypt, Wrap or Unwrap.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-VaultName

Vault name.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ByVaultName
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Version

Key version.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:KeyVersion

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:wi

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

PSKeyVaultKeyIdentityItem

Outputs

PSKeyOperationResult