otdfctl policy kas-registry key import
import - Import Key
Synopsis
otdfctl policy kas-registry key import [flags]
Description
Imports an existing cryptographic key into a specified Key Access Server (KAS).
IMPORTANT: Use this command when migrating keys from KAS over to the platform. All keys created with import will be of key_mode=KEY_MODE_CONFIG_ROOT_KEY.
Examples
Import a key
otdfctl policy kas-registry key import --key-id "imported-key" --algorithm "rsa:2048" \
    --kas 891cfe85-b381-4f85-9699-5f7dbfe2a9ab \
    --wrapping-key-id "my-wrapping-key" \
    --wrapping-key "a8c4824daafcfa38ed0d13002e92b08720e6c4fcee67d52e954c1a6e045907d1" \
    --public-key-pem <base64 encoded public key pem> \
    --private-key-pem <base64 encoded private key pem>
The "algorithm" flag specifies the key algorithm. Supported values:
Key Algorithm
rsa:2048
rsa:4096
ec:secp256r1
ec:secp384r1
ec:secp521r1
Options
--key-id <key-id> - A unique, often human-readable, identifier for the key being imported. (required: true)
-a, --algorithm <algorithm> - Algorithm for the key being imported (see the Key Algorithm table above for options). (required: true)
--kas <kas> - Specify the Key Access Server (KAS) where the key will be imported. The KAS can be identified by its ID, URI, or Name. (required: true)
--wrapping-key-id <wrapping-key-id> - Identifier of the wrapping key. (required: true)
-w, --wrapping-key <wrapping-key> - The symmetric key material (AES cipher, hex encoded) used to wrap the imported private key. (required: true)
--private-key-pem <private-key-pem> - The base64 encoded private key PEM to import. (required: true)
-e, --public-key-pem <public-key-pem> - The base64 encoded public key PEM to import. (required: true)
-l, --label <label> - Comma-separated key=value pairs for metadata labels to associate with the imported key (e.g., "owner=team-a,env=production"). (required: false)
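The example command and the option list above leave the preparation of the flag values to the operator: the algorithm must be one of the five listed, the wrapping key must be hex-encoded AES key material, and both PEM files must be base64 encoded as whole PEM text. The following is an added example, not code from otdfctl or the OpenTDF project, that validates those inputs and assembles the argument vector for the import command. The PEM blobs are constructed placeholders (not real keys); the wrapping key is the sample value from the example above. Building an argv list rather than an interpolated shell string keeps the wrapping key out of shell history, and the redacted rendering is what belongs in a runbook or ticket.

```python
"""Assemble and validate arguments for `otdfctl policy kas-registry key import`.

Added example, not part of otdfctl. Checks the inputs the command documents
(algorithm table, hex AES wrapping key, base64 encoded PEM text) and builds an
argv list suitable for subprocess.run(), so the secret wrapping key is passed
directly to the process instead of through a shell command line.
"""
from __future__ import annotations

import base64
import binascii
import re
import shlex

# Algorithms accepted by --algorithm, copied from the Key Algorithm table.
SUPPORTED_ALGORITHMS = {
    "rsa:2048", "rsa:4096", "ec:secp256r1", "ec:secp384r1", "ec:secp521r1",
}

# Valid AES key lengths in bytes (AES-128, AES-192, AES-256).
AES_KEY_LENGTHS = {16, 24, 32}

# A single PEM block: header, base64 body, matching footer.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>[A-Za-z0-9+/=\n]+)"
    r"-----END (?P=label)-----\n?"
)


def validate_wrapping_key(hex_key: str) -> bytes:
    """Return the raw wrapping key bytes, rejecting non-hex or non-AES lengths."""
    try:
        raw = binascii.unhexlify(hex_key)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("wrapping key must be hex encoded") from exc
    if len(raw) not in AES_KEY_LENGTHS:
        raise ValueError(f"wrapping key is {len(raw)} bytes; AES needs 16, 24 or 32")
    return raw


def encode_pem(pem: str, expected_labels: set[str]) -> str:
    """Check `pem` is one well-formed PEM block with an expected label, then base64 it.

    The command takes the whole PEM text base64 encoded (header and footer
    included), not the bare DER body, so the text is encoded as-is.
    """
    m = _PEM_RE.fullmatch(pem)
    if m is None:
        raise ValueError("not a single well-formed PEM block")
    if m.group("label") not in expected_labels:
        raise ValueError(f"unexpected PEM label {m.group('label')!r}")
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


def build_import_argv(key_id: str, algorithm: str, kas: str, wrapping_key_id: str,
                      wrapping_key_hex: str, public_key_pem: str, private_key_pem: str,
                      labels: dict[str, str] | None = None) -> list[str]:
    """Validate every input and return the argv for the import command."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    validate_wrapping_key(wrapping_key_hex)
    argv = [
        "otdfctl", "policy", "kas-registry", "key", "import",
        "--key-id", key_id,
        "--algorithm", algorithm,
        "--kas", kas,
        "--wrapping-key-id", wrapping_key_id,
        "--wrapping-key", wrapping_key_hex,
        "--public-key-pem", encode_pem(public_key_pem, {"PUBLIC KEY"}),
        "--private-key-pem", encode_pem(
            private_key_pem, {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}),
    ]
    if labels:
        # Same comma-separated key=value format as the --label option.
        if any("," in k or "=" in k or "," in v for k, v in labels.items()):
            raise ValueError("label keys and values must not contain ',' or '=' in keys")
        argv += ["--label", ",".join(f"{k}={v}" for k, v in labels.items())]
    return argv


def redacted_command_line(argv: list[str]) -> str:
    """Shell-quoted rendering with the wrapping key masked, safe to paste into a log or ticket."""
    out, mask_next = [], False
    for arg in argv:
        out.append("<redacted>" if mask_next else shlex.quote(arg))
        mask_next = arg in ("--wrapping-key", "-w")
    return " ".join(out)


# Constructed sample inputs: the PEM bodies are placeholders, not real key material.
SAMPLE_PUBLIC_PEM = "-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n"
SAMPLE_PRIVATE_PEM = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
SAMPLE_WRAPPING_KEY = "a8c4824daafcfa38ed0d13002e92b08720e6c4fcee67d52e954c1a6e045907d1"  # 32 bytes
SAMPLE_KAS = "891cfe85-b381-4f85-9699-5f7dbfe2a9ab"  # KAS ID from the example above

if __name__ == "__main__":
    argv = build_import_argv("imported-key", "rsa:2048", SAMPLE_KAS, "my-wrapping-key",
                             SAMPLE_WRAPPING_KEY, SAMPLE_PUBLIC_PEM, SAMPLE_PRIVATE_PEM,
                             {"owner": "team-a", "env": "production"})
    print(redacted_command_line(argv))
```

The argv list can be handed to `subprocess.run(argv, check=True)` once the real PEM files have been read in; only the redacted rendering should be written anywhere persistent.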
Aliases
i