Open jakub-zieba opened 5 years ago
@jiasli add to S162.
Start to implement this.
Will be delivered as az keyvault key encrypt/decrypt
Support single string/base64-encoded bytes encryption and decryption in #13916. Encryption and decryption for local files are still being developed.
Shouldn't this be closed with the merger of that PR?
Hi @BrandonE, actually we have not implemented everything in that PR. Currently, we only support single string/bytes encryption and decryption with limited length. File encryption/decryption is not supported yet. It may depend on some service-side work. So we just put this issue in our Backlog to mark it as long-term work.
Got it. Yes, I think it will require some service side work. I was surprised to learn that the Azure Key Vault does not currently support symmetrical encryption.
Hi @BrandonE, I think support for symmetric keys was added; the article you mentioned is a little bit outdated:
Create a symmetric key: az keyvault key create --key otc
I tried this on the latest version of the Azure CLI (2.10.1) and got the following:
az: error: unrecognized arguments: --key otc
@BrandonE Sorry, it's a typo. Please use --kty.
az keyvault key create: 'otc' is not a valid value for '--kty'. See 'az keyvault key create --help'.
[--kty {EC,EC-HSM,RSA,RSA-HSM,oct}]
Did you mean oct? With that, I get an error as well:
az keyvault key create --kty oct --vault-name VAULT_NAME --name symmetric
Invalid kty value: oct
@BrandonE My bad, I misremembered something. oct is not supported on normal Vault now; it can only be used on HSM, which will be introduced in the mid-Sept version.
Thanks for the clarification, @bim-msft. Will this be possible to use with an HSM-backed Key Vault key, or will customers need to use a Dedicated HSM instance?
@BrandonE It works well on Dedicated HSM instances; for HSM-backed Vault it has not been supported yet.
Hi, any progress with encryption/decryption of local files using a KV key? Actually, I am extremely surprised that Azure CLI does not support it yet!
Is your feature request related to a problem? Please describe. No, it is not.
Describe the solution you'd like I would like to be able to encrypt sensitive files with Azure Key Vault keys the same way as, for example, the Google Cloud CLI does:
It would be very convenient and useful in daily work.
Example expected functionality behaviour:
Describe alternatives you've considered Google kms, hashicorp vault, ansible vault. I would like to have such feature in azure cli so my organization can be fully integrated with your services.
Additional context There is such a behaviour in your service API covered: https://docs.microsoft.com/en-us/rest/api/keyvault/encrypt