Raghu

Reputation: 3091

az keyvault key create error when creating symmetric key

I created an Azure Key Vault (not a Managed HSM service) and gave myself the necessary permissions in the Azure portal to create and view keys. I wanted to create an AES-256-bit symmetric wrapping key (also known as a key encryption key, or KEK) with the following Azure CLI command:

az keyvault key create --name mywrappingkey --vault-name raghu-keyvault-wrap-exp --kty oct --size 256 --ops wrapKey --protection software

It fails with the following error:

(BadParameter) Invalid kty value: oct
Code: BadParameter
Message: Invalid kty value: oct
Inner error: {
    "code": "KeyTypeNotSupported"
}

The following documentation says it should work: https://learn.microsoft.com/en-us/cli/azure/keyvault/key?view=azure-cli-latest#az-keyvault-key-create

I also tried the following command (i.e. changed the --protection value to hsm):

az keyvault key create --name mywrappingkey --vault-name raghu-keyvault-wrap-exp --kty oct --size 256 --ops wrapKey --protection hsm

This time, it failed with the following:

(BadParameter) Property  has invalid value

Code: BadParameter
Message: Property  has invalid value

Not sure what I am doing wrong here. Any ideas?

Upvotes: 0

Views: 108

Answers (1)

Rukmini

Reputation: 16064

Note: Azure Key Vault does not support creating symmetric oct keys for wrapKey or decrypt operations directly via CLI.

  • You can create symmetric keys for encryption and decryption with az keyvault key create using the oct type, but if you need key wrapping (KEK), you must use RSA or EC keys. For AES-256 keys, consider using Azure Key Vault Secrets to store the key. Refer to this MsDoc.

I got the same errors when creating a symmetric key as shown below:

az keyvault key create --name mywrappingkey --vault-name KvName --kty oct --size 256 --ops wrapKey --protection software

az keyvault key create --name mywrappingkey --vault-name KvName --kty oct --size 256 --ops wrapKey --protection hsm

  • You cannot store any symmetric key with az keyvault key create. The only option is storing them as secrets.
  • For symmetric keys, oct can be used for encryption and decryption operations, but key wrapping operations (such as wrapKey) are only supported for RSA and EC keys, not for symmetric oct keys.

Note: Azure Key Vault does not support symmetric (oct) keys for key wrapping operations. Only RSA or EC keys can be used for key wrapping (wrapKey), as AES symmetric KEKs cannot be created directly in Azure Key Vault.

  • If you're specifically looking to create a KEK (key encryption key) for wrapping, you must use RSA or EC keys. For symmetric AES-256 keys, you may want to use Azure Key Vault Secrets instead of keys, as Key Vault Secrets can be used to store the symmetric key securely.
  • Only RSA is allowed for key wrapping.

Reference:

About keys - Azure Key Vault | Microsoft

Upvotes: 0
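The approach the answer recommends, as an added example that is not part of the question or the answer: an RSA key takes the wrapKey/unwrapKey operations, and the AES-256 key material is generated locally and stored as a secret. It assumes the environment variable VAULT_NAME names an existing vault you have key and secret permissions on; the key and secret names are placeholders, and the kty check follows the answer's final point that only RSA is accepted for wrapping.

```shell
#!/usr/bin/env sh
# Added example (not from the question or answer). Assumptions: VAULT_NAME
# is an existing Key Vault you can create keys and secrets in; the key and
# secret names below are placeholders.

# Generate 256 bits of key material as 64 hex characters (no openssl needed).
generate_aes256_hex() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Return 0 only for the key types the answer says may carry wrapKey (RSA);
# 'oct' is rejected here instead of failing later with BadParameter.
kty_allowed_for_wrap() {
    case "$1" in
        RSA|RSA-HSM) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the RSA KEK and print the key type the vault reports back.
create_wrapping_kek() {
    vault="$1"; name="$2"; kty="${3:-RSA}"
    kty_allowed_for_wrap "$kty" || {
        echo "kty '$kty' cannot be used for wrapKey in this vault" >&2
        return 1
    }
    az keyvault key create --vault-name "$vault" --name "$name" \
        --kty "$kty" --size 3072 --ops wrapKey unwrapKey \
        --protection software >/dev/null
    az keyvault key show --vault-name "$vault" --name "$name" \
        --query key.kty -o tsv
}

# Store the AES-256 key as a secret (the answer's option for symmetric keys)
# and print the secret identifier.
store_aes_secret() {
    vault="$1"; name="$2"; hexkey="$3"
    az keyvault secret set --vault-name "$vault" --name "$name" \
        --value "$hexkey" --content-type "aes-256-hex" --query id -o tsv
}

# Only talk to Azure when VAULT_NAME is set; otherwise just define the functions.
if [ -n "${VAULT_NAME:-}" ]; then
    create_wrapping_kek "$VAULT_NAME" "mywrappingkey" RSA
    store_aes_secret "$VAULT_NAME" "my-aes256-dek" "$(generate_aes256_hex)"
fi
```

The secret's value is the hex-encoded key; consumers must decode it before use, and the RSA KEK can then wrap it via the key's wrapKey operation.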
