diff --git a/src/KeyVault/KeyVault.Test/KeyVault.Test.csproj b/src/KeyVault/KeyVault.Test/KeyVault.Test.csproj
index 4bbae8e7cc75..105bd56f5245 100644
--- a/src/KeyVault/KeyVault.Test/KeyVault.Test.csproj
+++ b/src/KeyVault/KeyVault.Test/KeyVault.Test.csproj
@@ -26,5 +26,9 @@
+
+
+
+
diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1
new file mode 100644
index 000000000000..098f3d04daa2
--- /dev/null
+++ b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1
@@ -0,0 +1,9 @@
+$here = Split-Path -Parent $MyInvocation.MyCommand.Path
+$sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.Tests\.', '.'
+. "$here\$sut"
+
+Describe "ManagedHsmDatePlaneTests" {
+ It "does something useful" {
+ $true | Should Be $false
+ }
+}
diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1 b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1
new file mode 100644
index 000000000000..86b7fbebb88f
--- /dev/null
+++ b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1
@@ -0,0 +1,22 @@
+function Test-AddAzManagedHsmKey {
+ Param(
+ [parameter(Mandatory=$true)]
+ [String]
+ $hsmName,
+ [parameter(Mandatory=$true)]
+ [String]
+ $keyName,
+ [parameter(Mandatory=$true)]
+ [String]
+ $keyType,
+ [parameter(Mandatory=$false)]
+ [String]
+ $curveName
+ )
+ if($keyType -eq "EC" || $keyType -eq "EC-HSM"){
+ Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -CurveName $curveName
+ }
+ else {
+ Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType
+ }
+}
diff --git a/src/KeyVault/KeyVault/Az.KeyVault.psd1 b/src/KeyVault/KeyVault/Az.KeyVault.psd1
index e3a3a5ef57c1..3832e2b35e85 100644
--- a/src/KeyVault/KeyVault/Az.KeyVault.psd1
+++ b/src/KeyVault/KeyVault/Az.KeyVault.psd1
@@ -77,7 +77,10 @@ NestedModules = @('Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll')
FunctionsToExport = @()
# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-CmdletsToExport = 'Add-AzKeyVaultCertificate', 'Update-AzKeyVaultCertificate',
+CmdletsToExport = 'Add-AzManagedHsmKey', 'Get-AzManagedHsmKey', 'Remove-AzManagedHsmKey',
+ 'Undo-AzManagedHsmKeyRemoval', 'Update-AzManagedHsmKey',
+ 'Backup-AzManagedHsmKey', 'Restore-AzManagedHsmKey',
+ 'Add-AzKeyVaultCertificate', 'Update-AzKeyVaultCertificate',
'Stop-AzKeyVaultCertificateOperation',
'Get-AzKeyVaultCertificateOperation',
'Import-AzKeyVaultCertificate', 'Add-AzKeyVaultCertificateContact',
@@ -126,7 +129,8 @@ CmdletsToExport = 'Add-AzKeyVaultCertificate', 'Update-AzKeyVaultCertificate',
# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
AliasesToExport = 'Set-AzKeyVaultKey', 'Set-AzKeyVaultSecretAttribute',
- 'Set-AzKeyVaultKeyAttribute', 'Set-AzKeyVaultCertificateAttribute'
+ 'Set-AzKeyVaultKeyAttribute', 'Set-AzKeyVaultCertificateAttribute',
+ 'Set-AzManagedHsmKey', 'Set-AzManagedHsmKeyAttribute'
# DSC resources to export from this module
# DscResourcesToExport = @()
diff --git a/src/KeyVault/KeyVault/ChangeLog.md b/src/KeyVault/KeyVault/ChangeLog.md
index c2951ba399eb..de98936d679c 100644
--- a/src/KeyVault/KeyVault/ChangeLog.md
+++ b/src/KeyVault/KeyVault/ChangeLog.md
@@ -18,6 +18,7 @@
- Additional information about change #1
-->
## Upcoming Release
+* Supported creating, removing, updating, getting, restoring, backup and undoing removal key inside managed HSM
* Enabled Managed HSM Management via *-AzKeyVault
## Version 2.0.0
diff --git a/src/KeyVault/KeyVault/Commands/AddAzureKeyVaultKey.cs b/src/KeyVault/KeyVault/Commands/AddAzureKeyVaultKey.cs
index d31dd9c92edd..b001b0da9c2b 100644
--- a/src/KeyVault/KeyVault/Commands/AddAzureKeyVaultKey.cs
+++ b/src/KeyVault/KeyVault/Commands/AddAzureKeyVaultKey.cs
@@ -232,10 +232,6 @@ public override void ExecuteCmdlet()
if (ShouldProcess(Name, Properties.Resources.AddKey))
{
PSKeyVaultKey keyBundle;
- if (InputObject != null)
- {
- VaultName = InputObject.VaultName.ToString();
- }
if (string.IsNullOrEmpty(KeyFilePath))
{
diff --git a/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs b/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs
new file mode 100644
index 000000000000..e67e2a516100
--- /dev/null
+++ b/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs
@@ -0,0 +1,256 @@
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.KeyVault.Properties;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+using System;
+using System.Collections;
+using System.IO;
+using System.Linq;
+using System.Management.Automation;
+using System.Security;
+using Track2Sdk = Azure.Security.KeyVault.Keys;
+
+namespace Microsoft.Azure.Commands.KeyVault.Commands
+{ ///
+ /// Create a new key in managed HSM. This cmdlet supports the following types of key creation.
+ /// 1. Create a key with default key attributes
+ /// 2. Create a key with given key attributes
+ /// 3. Create a key from a .pfx file by importing key material
+ ///
+ [Cmdlet("Add", ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmKey", SupportsShouldProcess = true, DefaultParameterSetName = InteractiveCreateParameterSet)]
+ [OutputType(typeof(PSManagedHsm))]
+ public class AddAzureManagedHsmKey : KeyVaultCmdletBase
+ {
+ #region Parameter Set Names
+
+ private const string InteractiveCreateParameterSet = "InteractiveCreate";
+ private const string InputObjectCreateParameterSet = "InputObjectCreate";
+ private const string ResourceIdCreateParameterSet = "ResourceIdCreate";
+ private const string InteractiveImportParameterSet = "InteractiveImport";
+ private const string InputObjectImportParameterSet = "InputObjectImport";
+ private const string ResourceIdImportParameterSet = "ResourceIdImport";
+
+ #endregion
+
+ #region Input Parameter Definitions
+
+ ///
+ /// HSM name
+ ///
+ [Parameter(Mandatory = true,
+ ParameterSetName = InteractiveCreateParameterSet,
+ Position = 0,
+ HelpMessage = "HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = InteractiveImportParameterSet,
+ Position = 0,
+ HelpMessage = "HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.")]
+ [ResourceNameCompleter("Microsoft.KeyVault/managedHSMs", "FakeResourceGroupName")]
+ [ValidateNotNullOrEmpty]
+ public string HsmName { get; set; }
+
+ [Parameter(Mandatory = true,
+ ParameterSetName = InputObjectCreateParameterSet,
+ Position = 0,
+ ValueFromPipeline = true,
+ HelpMessage = "HSM object.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = InputObjectImportParameterSet,
+ Position = 0,
+ ValueFromPipeline = true,
+ HelpMessage = "HSM object.")]
+ [ValidateNotNullOrEmpty]
+ public PSManagedHsm InputObject { get; set; }
+
+ [Parameter(Mandatory = true,
+ ParameterSetName = ResourceIdCreateParameterSet,
+ Position = 0,
+ ValueFromPipelineByPropertyName = true,
+ HelpMessage = "HSM Resource Id.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = ResourceIdImportParameterSet,
+ Position = 0,
+ ValueFromPipelineByPropertyName = true,
+ HelpMessage = "HSM Resource Id.")]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ ///
+ /// key name
+ ///
+ [Parameter(Mandatory = true,
+ Position = 1,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment and key name.")]
+ [ValidateNotNullOrEmpty]
+ [Alias(Constants.KeyName)]
+ public string Name { get; set; }
+
+ ///
+ /// Path to the local file containing to-be-imported key material.
+ /// The supported suffix are:
+ /// 1. byok
+ /// 2. pfx
+ ///
+ [Parameter(Mandatory = true,
+ ParameterSetName = InteractiveImportParameterSet,
+ HelpMessage = "Path to the local file containing the key material to be imported.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = InputObjectImportParameterSet,
+ HelpMessage = "Path to the local file containing the key material to be imported.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = ResourceIdImportParameterSet,
+ HelpMessage = "Path to the local file containing the key material to be imported.")]
+ [ValidateNotNullOrEmpty]
+ public string KeyFilePath { get; set; }
+
+ ///
+ /// Password of the imported file.
+ /// Required for pfx file
+ ///
+ [Parameter(Mandatory = false,
+ ParameterSetName = InteractiveImportParameterSet,
+ HelpMessage = "Password of the local file containing the key material to be imported.")]
+ [Parameter(Mandatory = false,
+ ParameterSetName = InputObjectImportParameterSet,
+ HelpMessage = "Password of the local file containing the key material to be imported.")]
+ [Parameter(Mandatory = false,
+ ParameterSetName = ResourceIdImportParameterSet,
+ HelpMessage = "Password of the local file containing the key material to be imported.")]
+ [ValidateNotNullOrEmpty]
+ public SecureString KeyFilePassword { get; set; }
+
+ ///
+ /// key type
+ ///
+ [Parameter(Mandatory = true,
+ HelpMessage = "Specifies the key type of this key.")]
+ [PSArgumentCompleter("RSA", "EC", "oct")]
+ public string KeyType { get; set; }
+
+ ///
+ /// curve name
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "Specifies the curve name of elliptic curve cryptography, this value is valid when KeyType is EC.")]
+ [PSArgumentCompleter("P-256", "P-256K", "P-384", "P-521")]
+ public string CurveName { get; set; }
+
+ ///
+ /// Set key in disabled state if present
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "Indicates that the key you are adding is set to an initial state of disabled. Any attempt to use the key will fail. Use this parameter if you are preloading keys that you intend to enable later.")]
+ public SwitchParameter Disable { get; set; }
+
+ ///
+ /// Key operations
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "The operations that can be performed with the key. If not present, all operations can be performed.")]
+ public string[] KeyOps { get; set; }
+
+ ///
+ /// Key expires time in UTC time
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "Specifies the expiration time of the key in UTC. If not specified, key will not expire.")]
+ public DateTime? Expires { get; set; }
+
+ ///
+ /// The UTC time before which key can't be used
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "The UTC time before which the key can't be used. If not specified, there is no limitation.")]
+ public DateTime? NotBefore { get; set; }
+
+ ///
+ /// Key tags
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "A hashtable representing key tags.")]
+ [Alias(Constants.TagsAlias)]
+ public Hashtable Tag { get; set; }
+
+
+ [Parameter(Mandatory = false,
+ ParameterSetName = InputObjectCreateParameterSet,
+ HelpMessage = "RSA key size, in bits. If not specified, the service will provide a safe default.")]
+ [Parameter(Mandatory = false,
+ ParameterSetName = InteractiveCreateParameterSet,
+ HelpMessage = "RSA key size, in bits. If not specified, the service will provide a safe default.")]
+ [Parameter(Mandatory = false,
+ ParameterSetName = ResourceIdCreateParameterSet,
+ HelpMessage = "RSA key size, in bits. If not specified, the service will provide a safe default.")]
+ public int? Size { get; set; }
+ #endregion
+
+ public override void ExecuteCmdlet()
+ {
+ if (InputObject != null)
+ {
+ HsmName = InputObject.VaultName;
+ }
+ else if (ResourceId != null)
+ {
+ var resourceIdentifier = new ResourceIdentifier(ResourceId);
+ HsmName = resourceIdentifier.ResourceName;
+ }
+
+ ValidateKeyExchangeKey();
+
+ if (ShouldProcess(Name, Properties.Resources.AddKey))
+ {
+ PSKeyVaultKey keyBundle;
+
+ if (string.IsNullOrEmpty(KeyFilePath))
+ {
+ keyBundle = this.Track2DataClient.CreateManagedHsmKey(
+ HsmName,
+ Name,
+ CreateKeyAttributes(),
+ Size,
+ CurveName);
+ this.WriteObject(keyBundle);
+ }
+ else
+ {
+ keyBundle = this.Track2DataClient.ImportManagedHsmKey(
+ HsmName, Name,
+ CreateWebKeyFromFile());
+ }
+
+ }
+ }
+ private void ValidateKeyExchangeKey()
+ {
+ if (KeyOps != null && KeyOps.Contains(Constants.KeyOpsImport))
+ {
+ // "import" is exclusive, it cannot be combined with any other value(s).
+ if (KeyOps.Length > 1) { throw new ArgumentException(Resources.KeyOpsImportIsExclusive); }
+ }
+ }
+
+ internal PSKeyVaultKeyAttributes CreateKeyAttributes()
+ {
+ return new Models.PSKeyVaultKeyAttributes(
+ !Disable.IsPresent,
+ Expires,
+ NotBefore,
+ KeyType,
+ KeyOps,
+ Tag);
+ }
+
+ internal Track2Sdk.JsonWebKey CreateWebKeyFromFile()
+ {
+ FileInfo keyFile = new FileInfo(this.GetUnresolvedProviderPathFromPSPath(this.KeyFilePath));
+ if (!keyFile.Exists)
+ {
+ throw new FileNotFoundException(string.Format(Resources.KeyFileNotFound, this.KeyFilePath));
+ }
+
+ var converterChain = WebKeyConverterFactory.CreateConverterChain();
+ return converterChain.ConvertToTrack2SdkKeyFromFile(keyFile, KeyFilePassword);
+ }
+ }
+}
diff --git a/src/KeyVault/KeyVault/Commands/BackupAzureManagedHsmKey.cs b/src/KeyVault/KeyVault/Commands/BackupAzureManagedHsmKey.cs
new file mode 100644
index 000000000000..bc67c0997fd5
--- /dev/null
+++ b/src/KeyVault/KeyVault/Commands/BackupAzureManagedHsmKey.cs
@@ -0,0 +1,114 @@
+using Microsoft.Azure.Commands.Common.Authentication;
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.KeyVault.Properties;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.KeyVault
+{
+ ///
+ /// Requests that a backup of the specified key be downloaded and stored to a file
+ ///
+ ///
+ /// The cmdlet returns the path of the newly created backup file.
+ ///
+ [Cmdlet("Backup", ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmKey", SupportsShouldProcess = true, DefaultParameterSetName = ByKeyNameParameterSet)]
+ [OutputType(typeof(String))]
+ public class BackupAzureManagedHsmKey : KeyVaultCmdletBase
+ {
+ #region parameter sets
+
+ private const string ByKeyNameParameterSet = "ByKeyName";
+ private const string ByKeyObjectParameterSet = "ByKey";
+
+ #endregion
+
+ #region Input Parameter Definitions
+
+ ///
+ /// HSM name
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ParameterSetName = ByKeyNameParameterSet,
+ HelpMessage = "HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.")]
+ [ResourceNameCompleter("Microsoft.KeyVault/managedHSMs", "FakeResourceGroupName")]
+ [ValidateNotNullOrEmpty]
+ public string HsmName { get; set; }
+
+ ///
+ /// Key name
+ ///
+ [Parameter(Mandatory = true,
+ Position = 1,
+ ParameterSetName = ByKeyNameParameterSet,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment and key name.")]
+ [ValidateNotNullOrEmpty]
+ [Alias(Constants.KeyName)]
+ public string Name { get; set; }
+
+ ///
+ /// KeyBundle object to be backed up.
+ ///
+ ///
+ /// Note that the backup applies to the entire family of a key (current and all its versions);
+ /// since a key bundle represents a single version, the intent of this parameter is to allow pipelining.
+ /// The backup cmdlet will use the Name and VaultName properties of the KeyBundle parameter.
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ValueFromPipeline = true,
+ ParameterSetName = ByKeyObjectParameterSet,
+ HelpMessage = "Key bundle to back up, pipelined in from the output of a retrieval call.")]
+ [ValidateNotNullOrEmpty]
+ [Alias("Key")]
+ public PSKeyVaultKeyIdentityItem InputObject { get; set; }
+
+ ///
+ /// The output file in which the backup blob is to be stored
+ ///
+ [Parameter(Mandatory = false,
+ Position = 2,
+ HelpMessage = "Output file. The output file to store the backed up key blob in. If not present, a default filename is chosen.")]
+ [ValidateNotNullOrEmpty]
+ public string OutputFile { get; set; }
+
+ ///
+ /// Instructs the cmdlet to overwrite the destination file, if it exists.
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "Overwrite the given file if it exists")]
+ public SwitchParameter Force { get; set; }
+
+ #endregion Input Parameter Definition
+
+ public override void ExecuteCmdlet()
+ {
+ if (InputObject != null)
+ {
+ Name = InputObject.Name;
+ HsmName = InputObject.VaultName;
+ }
+
+ if (ShouldProcess(Name, Properties.Resources.BackupKey))
+ {
+ if (string.IsNullOrEmpty(OutputFile))
+ {
+ OutputFile = GetDefaultFileForOperation("backup", HsmName, Name);
+ }
+
+ var filePath = this.GetUnresolvedProviderPathFromPSPath(OutputFile);
+
+ // deny request if the file exists and overwrite is not authorized
+ if (!AzureSession.Instance.DataStore.FileExists(filePath)
+ || Force.IsPresent
+ || ShouldContinue(string.Format(Resources.FileOverwriteMessage, filePath), Resources.FileOverwriteCaption))
+ {
+ var backupBlobPath = this.Track2DataClient.BackupManagedHsmKey(HsmName, Name, filePath);
+ this.WriteObject(backupBlobPath);
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault/Commands/GetAzureKeyVaultKey.cs b/src/KeyVault/KeyVault/Commands/GetAzureKeyVaultKey.cs
index 750b12221055..558766f89d81 100644
--- a/src/KeyVault/KeyVault/Commands/GetAzureKeyVaultKey.cs
+++ b/src/KeyVault/KeyVault/Commands/GetAzureKeyVaultKey.cs
@@ -206,7 +206,7 @@ public override void ExecuteCmdlet()
if (InputObject != null)
{
- VaultName = InputObject.VaultName.ToString();
+ VaultName = InputObject.VaultName;
}
else if (!string.IsNullOrEmpty(ResourceId))
{
diff --git a/src/KeyVault/KeyVault/Commands/GetAzureManagedHsmKey.cs b/src/KeyVault/KeyVault/Commands/GetAzureManagedHsmKey.cs
new file mode 100644
index 000000000000..087aec66b7a4
--- /dev/null
+++ b/src/KeyVault/KeyVault/Commands/GetAzureManagedHsmKey.cs
@@ -0,0 +1,263 @@
+using Microsoft.Azure.Commands.Common.Authentication;
+using Microsoft.Azure.Commands.KeyVault.Helpers;
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.KeyVault.Properties;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.KeyVault.WebKey;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+using System.Linq;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.KeyVault
+{
+ [Cmdlet("Get", ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmKey", DefaultParameterSetName = SpecifyHsmByHsmName + GetKeyWithoutConstraint)]
+ [OutputType(typeof(PSKeyVaultKeyIdentityItem), typeof(PSKeyVaultKey), typeof(PSDeletedKeyVaultKeyIdentityItem), typeof(PSDeletedKeyVaultKey))]
+ public class GetAzureManagedHsmKey : KeyVaultCmdletBase
+ {
+
+ #region Parameter Set Names
+
+ private const string SpecifyHsmByHsmName = "SpecifyHsmByHsmName";
+ private const string SpecifyHsmByInputObject = "SpecifyHsmByInputObject";
+ private const string SpecifyHsmByResourceId = "SpecifyHsmByResourceId";
+
+ private const string GetKeyWithoutConstraint = "GetKeyWithoutConstraint";
+ private const string GetKeyWithSpecifiedVersion = "GetKeyWithSpecifiedVersion";
+ private const string GetKeyIncludeAllVersions = "GetKeyIncludeAllVersions";
+
+ private readonly string[] _supportedTypesForDownload = new string[] { Constants.RSA, Constants.RSAHSM };
+
+ #endregion
+
+ #region Input Parameter Definitions
+
+ ///
+ /// HSM name
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ParameterSetName = SpecifyHsmByHsmName + GetKeyWithoutConstraint,
+ HelpMessage = "HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.")]
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ParameterSetName = SpecifyHsmByHsmName + GetKeyWithSpecifiedVersion,
+ HelpMessage = "HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.")]
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ParameterSetName = SpecifyHsmByHsmName + GetKeyIncludeAllVersions,
+ HelpMessage = "HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.")]
+ [ResourceNameCompleter("Microsoft.KeyVault/managedHSMs", "FakeResourceGroupName")]
+ [ValidateNotNullOrEmpty]
+ public string HsmName { get; set; }
+
+ ///
+ /// HSM object
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ValueFromPipeline = true,
+ ParameterSetName = SpecifyHsmByInputObject + GetKeyWithoutConstraint,
+ HelpMessage = "HSM object.")]
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ValueFromPipeline = true,
+ ParameterSetName = SpecifyHsmByInputObject + GetKeyWithSpecifiedVersion,
+ HelpMessage = "HSM object.")]
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ValueFromPipeline = true,
+ ParameterSetName = SpecifyHsmByInputObject + GetKeyIncludeAllVersions,
+ HelpMessage = "HSM object.")]
+ [ValidateNotNullOrEmpty]
+ public PSManagedHsm InputObject { get; set; }
+
+ ///
+ /// HSM resource id
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ValueFromPipelineByPropertyName = true,
+ ParameterSetName = SpecifyHsmByResourceId + GetKeyWithoutConstraint,
+ HelpMessage = "HSM Resource Id.")]
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ValueFromPipelineByPropertyName = true,
+ ParameterSetName = SpecifyHsmByResourceId + GetKeyWithSpecifiedVersion,
+ HelpMessage = "HSM Resource Id.")]
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ValueFromPipelineByPropertyName = true,
+ ParameterSetName = SpecifyHsmByResourceId + GetKeyIncludeAllVersions,
+ HelpMessage = "HSM ResourceId.")]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ ///
+ /// Key name.
+ ///
+ [Parameter(Mandatory = false,
+ ParameterSetName = SpecifyHsmByHsmName + GetKeyWithoutConstraint,
+ Position = 1,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment and key name.")]
+ [Parameter(Mandatory = false,
+ ParameterSetName = SpecifyHsmByInputObject + GetKeyWithoutConstraint,
+ Position = 1,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment and key name.")]
+ [Parameter(Mandatory = false,
+ ParameterSetName = SpecifyHsmByResourceId + GetKeyWithoutConstraint,
+ Position = 1,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment and key name.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = SpecifyHsmByHsmName + GetKeyWithSpecifiedVersion,
+ Position = 1,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment and key name.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = SpecifyHsmByInputObject + GetKeyWithSpecifiedVersion,
+ Position = 1,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment and key name.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = SpecifyHsmByResourceId + GetKeyWithSpecifiedVersion,
+ Position = 1,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment and key name.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = SpecifyHsmByHsmName + GetKeyIncludeAllVersions,
+ Position = 1,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment and key name.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = SpecifyHsmByInputObject + GetKeyIncludeAllVersions,
+ Position = 1,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment and key name.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = SpecifyHsmByResourceId + GetKeyIncludeAllVersions,
+ Position = 1,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment and key name.")]
+ [ValidateNotNullOrEmpty]
+ [Alias(Constants.KeyName)]
+ [SupportsWildcards]
+ public string Name { get; set; }
+
+ ///
+ /// Key version.
+ ///
+ [Parameter(Mandatory = true,
+ ParameterSetName = SpecifyHsmByHsmName + GetKeyWithSpecifiedVersion,
+ Position = 2,
+ HelpMessage = "Key version. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment, key name and key version.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = SpecifyHsmByInputObject + GetKeyWithSpecifiedVersion,
+ Position = 2,
+ HelpMessage = "Key version. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment, key name and key version.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = SpecifyHsmByResourceId + GetKeyWithSpecifiedVersion,
+ Position = 2,
+ HelpMessage = "Key version. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment, key name and key version.")]
+ [Alias("KeyVersion")]
+ public string Version { get; set; }
+
+ [Parameter(Mandatory = true,
+ ParameterSetName = SpecifyHsmByHsmName + GetKeyIncludeAllVersions,
+ HelpMessage = "Specifies whether to include the versions of the key in the output.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = SpecifyHsmByInputObject + GetKeyIncludeAllVersions,
+ HelpMessage = "Specifies whether to include the versions of the key in the output.")]
+ [Parameter(Mandatory = true,
+ ParameterSetName = SpecifyHsmByResourceId + GetKeyIncludeAllVersions,
+ HelpMessage = "Specifies whether to include the versions of the key in the output.")]
+ public SwitchParameter IncludeVersions { get; set; }
+
+ [Parameter(Mandatory = false,
+ ParameterSetName = SpecifyHsmByHsmName + GetKeyWithoutConstraint,
+ HelpMessage = "Specifies whether to show the previously deleted keys in the output.")]
+ [Parameter(Mandatory = false,
+ ParameterSetName = SpecifyHsmByInputObject + GetKeyWithoutConstraint,
+ HelpMessage = "Specifies whether to show the previously deleted keys in the output.")]
+ [Parameter(Mandatory = false,
+ ParameterSetName = SpecifyHsmByResourceId + GetKeyWithoutConstraint,
+ HelpMessage = "Specifies whether to show the previously deleted keys in the output.")]
+ public SwitchParameter InRemovedState { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = "Specifies the output file for which this cmdlet saves the key. The public key is saved in PEM format by default.")]
+ [ValidateNotNullOrEmpty]
+ public string OutFile { get; set; }
+
+ #endregion
+
+ public override void ExecuteCmdlet()
+ {
+ PSKeyVaultKey keyBundle = null;
+
+ if (InputObject != null)
+ {
+ HsmName = InputObject.VaultName;
+ }
+ else if (!string.IsNullOrEmpty(ResourceId))
+ {
+ var parsedResourceId = new ResourceIdentifier(ResourceId);
+ HsmName = parsedResourceId.ResourceName;
+ }
+
+ if (!string.IsNullOrEmpty(Version))
+ {
+ keyBundle = this.Track2DataClient.GetManagedHsmKey(HsmName, Name, Version);
+ WriteObject(keyBundle);
+ }
+ else if (IncludeVersions.IsPresent)
+ {
+ WriteObject(this.Track2DataClient.GetManagedHsmKeyAllVersions(HsmName, Name), true);
+ }
+ else if (InRemovedState.IsPresent)
+ {
+ if (string.IsNullOrEmpty(Name) || WildcardPattern.ContainsWildcardCharacters(Name))
+ {
+ WriteObject(KVSubResourceWildcardFilter(
+ Name, this.Track2DataClient.GetManagedHsmDeletedKeys(HsmName)),
+ true);
+ }
+ else
+ {
+ PSDeletedKeyVaultKey deletedKeyBundle = this.Track2DataClient.GetManagedHsmDeletedKey(HsmName, Name);
+ WriteObject(deletedKeyBundle);
+ }
+ }
+ else
+ {
+ if (string.IsNullOrEmpty(Name) || WildcardPattern.ContainsWildcardCharacters(Name))
+ {
+ WriteObject(KVSubResourceWildcardFilter(
+ Name, this.Track2DataClient.GetManagedHsmKeys(HsmName)),
+ true);
+ }
+ else
+ {
+ keyBundle = this.Track2DataClient.GetManagedHsmKey(HsmName, Name, string.Empty);
+ WriteObject(keyBundle);
+ }
+ }
+
+ if (!string.IsNullOrEmpty(OutFile) && keyBundle != null)
+ {
+ DownloadKey(keyBundle.Key, OutFile);
+ }
+ }
+
+ private void DownloadKey(JsonWebKey jwk, string path)
+ {
+ if (CanDownloadKey(jwk, out string reason))
+ {
+ var pem = JwkHelper.ExportPublicKeyToPem(jwk);
+ AzureSession.Instance.DataStore.WriteFile(path, pem);
+ WriteDebug(string.Format(Resources.PublicKeySavedAt, path));
+ }
+ else
+ {
+ WriteWarning(reason);
+ }
+ }
+
+ private bool CanDownloadKey(JsonWebKey jwk, out string reason)
+ {
+ reason = string.Format(Resources.DownloadNotSupported, jwk.Kty);
+ return _supportedTypesForDownload.Contains(jwk.Kty);
+ }
+ }
+}
diff --git a/src/KeyVault/KeyVault/Commands/RemoveAzureManagedHsmKey.cs b/src/KeyVault/KeyVault/Commands/RemoveAzureManagedHsmKey.cs
new file mode 100644
index 000000000000..a441f4dcff97
--- /dev/null
+++ b/src/KeyVault/KeyVault/Commands/RemoveAzureManagedHsmKey.cs
@@ -0,0 +1,133 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.KeyVault.Models;
+using System.Globalization;
+using System.Management.Automation;
+using Microsoft.Azure.Commands.KeyVault.Properties;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+
+namespace Microsoft.Azure.Commands.KeyVault
+{
+ [Cmdlet("Remove", ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmKey", SupportsShouldProcess = true, DefaultParameterSetName = RemoveByKeyNameParameterSet)]
+ [OutputType(typeof(PSDeletedKeyVaultKey))]
+ public class RemoveAzureManagedHsmKey : KeyVaultCmdletBase
+ {
+ #region Parameter Set Names
+
+ private const string RemoveByKeyNameParameterSet = "RemoveByKeyNameParameterSet";
+ private const string RemoveByInputObjectParameterSet = "RemoveByInputObjectParameterSet";
+
+ #endregion
+
+ #region Input Parameter Definitions
+
+ ///
+ /// HSM name
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ParameterSetName = RemoveByKeyNameParameterSet,
+ HelpMessage = "HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.")]
+ [ResourceNameCompleter("Microsoft.KeyVault/managedHSMs", "FakeResourceGroupName")]
+ [ValidateNotNullOrEmpty]
+ public string HsmName { get; set; }
+
+ ///
+ /// key name
+ ///
+ [Parameter(Mandatory = true,
+ Position = 1,
+ ParameterSetName = RemoveByKeyNameParameterSet,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment and key name.")]
+ [ValidateNotNullOrEmpty]
+ [Alias(Constants.KeyName)]
+ public string Name { get; set; }
+
+ ///
+ /// Key object
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ValueFromPipeline = true,
+ ParameterSetName = RemoveByInputObjectParameterSet,
+ HelpMessage = "Key Object")]
+ [ValidateNotNullOrEmpty]
+ public PSKeyVaultKeyIdentityItem InputObject { get; set; }
+
+ ///
+ /// If present, do not ask for confirmation
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "Do not ask for confirmation.")]
+ public SwitchParameter Force { get; set; }
+
+ [Parameter(Mandatory = false,
+ HelpMessage = "Cmdlet does not return an object by default. If this switch is specified, the cmdlet returns the key object that was deleted.")]
+ public SwitchParameter PassThru { get; set; }
+
+ ///
+ /// If present, operate on the deleted key entity.
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "Remove the previously deleted key permanently.")]
+ public SwitchParameter InRemovedState { get; set; }
+
+ #endregion
+ public override void ExecuteCmdlet()
+ {
+ if (InputObject != null)
+ {
+ HsmName = InputObject.VaultName;
+ Name = InputObject.Name;
+ }
+
+ if (InRemovedState.IsPresent)
+ {
+ ConfirmAction(
+ Force.IsPresent,
+ string.Format(
+ CultureInfo.InvariantCulture,
+ Resources.RemoveDeletedKeyWarning,
+ Name),
+ string.Format(
+ CultureInfo.InvariantCulture,
+ Resources.RemoveDeletedKeyWhatIfMessage,
+ Name),
+ Name,
+ () => { this.Track2DataClient.PurgeManagedHsmKey(HsmName, Name); });
+ return;
+ }
+
+ PSDeletedKeyVaultKey deletedKeyBundle = null;
+ ConfirmAction(
+ Force.IsPresent,
+ string.Format(
+ CultureInfo.InvariantCulture,
+ Resources.RemoveKeyWarning,
+ Name),
+ string.Format(
+ CultureInfo.InvariantCulture,
+ Resources.RemoveKeyWhatIfMessage,
+ Name),
+ Name,
+ () => { deletedKeyBundle = this.Track2DataClient.DeleteManagedHsmKey(HsmName, Name); });
+
+ if (PassThru)
+ {
+ WriteObject(deletedKeyBundle);
+ }
+ }
+ }
+}
diff --git a/src/KeyVault/KeyVault/Commands/RestoreAzureManagedHsmKey.cs b/src/KeyVault/KeyVault/Commands/RestoreAzureManagedHsmKey.cs
new file mode 100644
index 000000000000..0b22602ea77f
--- /dev/null
+++ b/src/KeyVault/KeyVault/Commands/RestoreAzureManagedHsmKey.cs
@@ -0,0 +1,103 @@
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.KeyVault.Properties;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+using System.IO;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.KeyVault
+{
+ ///
+ /// Restores the backup key into a vault
+ ///
+ [Cmdlet("Restore", ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmKey", SupportsShouldProcess = true, DefaultParameterSetName = ByHsmNameParameterSet)]
+ [OutputType(typeof(PSKeyVaultKey))]
+ public class RestoreAzureManagedHsmKey : KeyVaultCmdletBase
+ {
+ #region Parameter Set Names
+
+ private const string ByHsmNameParameterSet = "ByHsmName";
+ private const string ByInputObjectParameterSet = "ByInputObject";
+ private const string ByResourceIdParameterSet = "ByResourceId";
+
+ #endregion
+
+ #region Input Parameter Definitions
+
+ ///
+ /// HSM name
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ParameterSetName = ByHsmNameParameterSet,
+ HelpMessage = "HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.")]
+ [ResourceNameCompleter("Microsoft.KeyVault/managedHSMs", "FakeResourceGroupName")]
+ [ValidateNotNullOrEmpty]
+ public string HsmName { get; set; }
+
+ ///
+ /// HSM object
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ParameterSetName = ByInputObjectParameterSet,
+ ValueFromPipeline = true,
+ HelpMessage = "Hsm object")]
+ [ValidateNotNullOrEmpty]
+ public PSManagedHsm InputObject { get; set; }
+
+ ///
+ /// HSM ResourceId
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ParameterSetName = ByResourceIdParameterSet,
+ ValueFromPipelineByPropertyName = true,
+ HelpMessage = "Hsm Resource Id")]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ ///
+ /// The input file in which the backup blob is stored
+ ///
+ [Parameter(Mandatory = true,
+ Position = 1,
+ HelpMessage = "Input file. The input file containing the backed-up blob")]
+ [ValidateNotNullOrEmpty]
+ public string InputFile { get; set; }
+
+ #endregion Input Parameter Definitions
+
+ public override void ExecuteCmdlet()
+ {
+ if (InputObject != null)
+ {
+ HsmName = InputObject.VaultName;
+ }
+ else if (ResourceId != null)
+ {
+ var resourceIdentifier = new ResourceIdentifier(ResourceId);
+ HsmName = resourceIdentifier.ResourceName;
+ }
+
+ if (ShouldProcess(HsmName, Properties.Resources.RestoreKey))
+ {
+ var filePath = ResolveKeyPath(InputFile);
+
+ var restoredKeyBundle = this.Track2DataClient.RestoreManagedHsmKey(HsmName, filePath);
+
+ this.WriteObject(restoredKeyBundle);
+ }
+ }
+
+ private string ResolveKeyPath(string filePath)
+ {
+ FileInfo keyFile = new FileInfo(this.ResolveUserPath(filePath));
+ if (!keyFile.Exists)
+ {
+ throw new FileNotFoundException(string.Format(Resources.BackupKeyFileNotFound, filePath));
+ }
+ return keyFile.FullName;
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault/Commands/UndoAzureKeyVaultKeyRemoval.cs b/src/KeyVault/KeyVault/Commands/UndoAzureKeyVaultKeyRemoval.cs
index 7b7dc3d612d8..48db2cd68523 100644
--- a/src/KeyVault/KeyVault/Commands/UndoAzureKeyVaultKeyRemoval.cs
+++ b/src/KeyVault/KeyVault/Commands/UndoAzureKeyVaultKeyRemoval.cs
@@ -43,7 +43,7 @@ public class UndoAzureKeyVaultKeyRemoval : KeyVaultCmdletBase
public string VaultName { get; set; }
///
- /// Secret name
+ /// Key name
///
[Parameter(Mandatory = true,
Position = 1,
diff --git a/src/KeyVault/KeyVault/Commands/UndoAzureManagedHsmKeyRemoval.cs b/src/KeyVault/KeyVault/Commands/UndoAzureManagedHsmKeyRemoval.cs
new file mode 100644
index 000000000000..df12b92bb3c1
--- /dev/null
+++ b/src/KeyVault/KeyVault/Commands/UndoAzureManagedHsmKeyRemoval.cs
@@ -0,0 +1,71 @@
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.KeyVault.Commands
+{
+ [Cmdlet("Undo", ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmKeyRemoval", SupportsShouldProcess = true, DefaultParameterSetName = DefaultParameterSet)]
+ [OutputType(typeof(PSKeyVaultKey))]
+ public class UndoAzureManagedHsmKeyRemoval : KeyVaultCmdletBase
+ {
+ #region Parameter Set Names
+
+ private const string DefaultParameterSet = "Default";
+ private const string InputObjectParameterSet = "InputObject";
+
+ #endregion
+
+ #region Input Parameter Definitions
+
+ ///
+ /// HSM name
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ParameterSetName = DefaultParameterSet,
+ HelpMessage = "HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.")]
+ [ResourceNameCompleter("Microsoft.KeyVault/managedHSMs", "FakeResourceGroupName")]
+ [ValidateNotNullOrEmpty]
+ public string HsmName { get; set; }
+
+ ///
+ /// Key name
+ ///
+ [Parameter(Mandatory = true,
+ Position = 1,
+ ParameterSetName = DefaultParameterSet,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from HSM name, currently selected environment and key name.")]
+ [ValidateNotNullOrEmpty]
+ [Alias(Constants.KeyName)]
+ public string Name { get; set; }
+
+ ///
+ /// Key object
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ParameterSetName = InputObjectParameterSet,
+ ValueFromPipeline = true,
+ HelpMessage = "Deleted key object")]
+ [ValidateNotNullOrEmpty]
+ public PSDeletedKeyVaultKeyIdentityItem InputObject { get; set; }
+
+ #endregion
+
+ public override void ExecuteCmdlet()
+ {
+ if (InputObject != null)
+ {
+ HsmName = InputObject.VaultName;
+ Name = InputObject.Name;
+ }
+
+ if (ShouldProcess(Name, Properties.Resources.RecoverKey))
+ {
+ PSKeyVaultKey recoveredKey = this.Track2DataClient.RecoverManagedHsmKey(HsmName, Name);
+
+ WriteObject(recoveredKey);
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault/Commands/UpdateAzureManagedHsmKey.cs b/src/KeyVault/KeyVault/Commands/UpdateAzureManagedHsmKey.cs
new file mode 100644
index 000000000000..c298cc06acab
--- /dev/null
+++ b/src/KeyVault/KeyVault/Commands/UpdateAzureManagedHsmKey.cs
@@ -0,0 +1,146 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System;
+using System.Collections;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.KeyVault
+{
+ ///
+ /// Update attribute of a managed HSM key.
+ ///
+ [Alias("Set-" + ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmKey", "Set-" + ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmKeyAttribute")]
+ [Cmdlet("Update", ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmKey", SupportsShouldProcess = true, DefaultParameterSetName = DefaultParameterSet)]
+ [OutputType(typeof(PSKeyVaultKey))]
+ public class UpdateAzureManagedHsmKey : KeyVaultCmdletBase
+ {
+ #region Parameter Set Names
+
+ private const string DefaultParameterSet = "Default";
+ private const string InputObjectParameterSet = "InputObject";
+
+ #endregion
+
+ #region Input Parameter Definitions
+
+ ///
+ /// HSM name
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ParameterSetName = DefaultParameterSet,
+ HelpMessage = "HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.")]
+ [ResourceNameCompleter("Microsoft.KeyVault/managedHSMs", "FakeResourceGroupName")]
+ [ValidateNotNullOrEmpty]
+ public string HsmName { get; set; }
+
+ ///
+ /// key name
+ ///
+ [Parameter(Mandatory = true,
+ Position = 1,
+ ParameterSetName = DefaultParameterSet,
+ HelpMessage = "Key name. Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment and key name.")]
+ [ValidateNotNullOrEmpty]
+ [Alias(Constants.KeyName)]
+ public string Name { get; set; }
+
+ ///
+ /// key object
+ ///
+ [Parameter(Mandatory = true,
+ Position = 0,
+ ParameterSetName = InputObjectParameterSet,
+ ValueFromPipeline = true,
+ HelpMessage = "Key object")]
+ [ValidateNotNullOrEmpty]
+ public PSKeyVaultKeyIdentityItem InputObject { get; set; }
+
+ ///
+ /// Key version.
+ ///
+ [Parameter(Mandatory = false,
+ Position = 2,
+ HelpMessage = "Key version. Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment, key name and key version.")]
+ [Alias("KeyVersion")]
+ public string Version { get; set; }
+
+ ///
+ /// If present, enable a key if value is true.
+ /// Disable a key if value is false.
+ /// If not present, no change on current key enabled/disabled state.
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "Value of true enables the key and a value of false disabless the key. If not specified, the existing enabled/disabled state remains unchanged.")]
+ public bool? Enable { get; set; }
+
+ ///
+ /// Key expires time in UTC time
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "The expiration time of a key in UTC time. If not specified, the existing expiration time of the key remains unchanged.")]
+ public DateTime? Expires { get; set; }
+
+ ///
+ /// The UTC time before which key can't be used
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "The UTC time before which key can't be used. If not specified, the existing NotBefore attribute of the key remains unchanged.")]
+ public DateTime? NotBefore { get; set; }
+
+ ///
+ /// Key operations
+ ///
+ [Parameter(Mandatory = false,
+ HelpMessage = "The operations that can be performed with the key. If not specified, the existing key operations of the key remain unchanged.")]
+ public string[] KeyOps { get; set; }
+
+ [Parameter(Mandatory = false,
+ HelpMessage = "A hashtable represents key tags. If not specified, the existings tags of the key remain unchanged.")]
+ [Alias(Constants.TagsAlias)]
+ public Hashtable Tag { get; set; }
+
+ [Parameter(Mandatory = false,
+ HelpMessage = "Cmdlet does not return an object by default. If this switch is specified, returns the updated key bundle object.")]
+ public SwitchParameter PassThru { get; set; }
+
+ #endregion
+
+ public override void ExecuteCmdlet()
+ {
+ if (InputObject != null)
+ {
+ HsmName = InputObject.VaultName;
+ Name = InputObject.Name;
+ }
+
+ if (ShouldProcess(Name, Properties.Resources.SetKeyAttribute))
+ {
+ var keyBundle = this.Track2DataClient.UpdateManagedHsmKey(
+ HsmName,
+ Name,
+ Version ?? string.Empty,
+ new PSKeyVaultKeyAttributes(Enable, Expires, NotBefore, null, KeyOps, Tag));
+
+ if (PassThru)
+ {
+ WriteObject(keyBundle);
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault/KeyVault.format.ps1xml b/src/KeyVault/KeyVault/KeyVault.format.ps1xml
index 3ffc2848e14f..11c30da9e561 100644
--- a/src/KeyVault/KeyVault/KeyVault.format.ps1xml
+++ b/src/KeyVault/KeyVault/KeyVault.format.ps1xml
@@ -11,7 +11,7 @@
-
+
VaultName
@@ -69,7 +69,7 @@
-
+
VaultName
diff --git a/src/KeyVault/KeyVault/Models/ByokWebKeyConverter.cs b/src/KeyVault/KeyVault/Models/ByokWebKeyConverter.cs
index c5ec5fd35084..5994f62039a3 100644
--- a/src/KeyVault/KeyVault/Models/ByokWebKeyConverter.cs
+++ b/src/KeyVault/KeyVault/Models/ByokWebKeyConverter.cs
@@ -12,11 +12,13 @@
// limitations under the License.
// ----------------------------------------------------------------------------------
-using Microsoft.Azure.KeyVault.WebKey;
using System;
using System.IO;
using System.Security;
using KeyVaultProperties = Microsoft.Azure.Commands.KeyVault.Properties;
+using Track2Sdk = Azure.Security.KeyVault.Keys;
+using Track1Sdk = Microsoft.Azure.KeyVault.WebKey;
+using System.Security.Cryptography;
namespace Microsoft.Azure.Commands.KeyVault.Models
{
@@ -30,7 +32,7 @@ public ByokWebKeyConverter(IWebKeyConverter next = null)
this.next = next;
}
- public JsonWebKey ConvertKeyFromFile(FileInfo fileInfo, SecureString password)
+ public Track1Sdk.JsonWebKey ConvertKeyFromFile(FileInfo fileInfo, SecureString password)
{
if (CanProcess(fileInfo))
return Convert(fileInfo.FullName);
@@ -40,6 +42,16 @@ public JsonWebKey ConvertKeyFromFile(FileInfo fileInfo, SecureString password)
throw new ArgumentException(string.Format(KeyVaultProperties.Resources.UnsupportedFileFormat, fileInfo.Name));
}
+ public Track2Sdk.JsonWebKey ConvertToTrack2SdkKeyFromFile(FileInfo fileInfo, SecureString password)
+ {
+ if (CanProcess(fileInfo))
+ return ConvertToTrack2SdkJsonWebKey(fileInfo.FullName);
+ else if (next != null)
+ return next.ConvertToTrack2SdkKeyFromFile(fileInfo, password);
+ else
+ throw new ArgumentException(string.Format(KeyVaultProperties.Resources.UnsupportedFileFormat, fileInfo.Name));
+ }
+
private bool CanProcess(FileInfo fileInfo)
{
if (fileInfo == null || string.IsNullOrEmpty(fileInfo.Extension))
@@ -48,18 +60,32 @@ private bool CanProcess(FileInfo fileInfo)
return ByokFileExtension.Equals(fileInfo.Extension, StringComparison.OrdinalIgnoreCase);
}
- private JsonWebKey Convert(string byokFileName)
+ private Track1Sdk.JsonWebKey Convert(string byokFileName)
{
byte[] byokBlob = File.ReadAllBytes(byokFileName);
if (byokBlob == null || byokBlob.Length == 0)
throw new ArgumentException(string.Format(KeyVaultProperties.Resources.InvalidKeyBlob, "BYOK"));
- return new JsonWebKey()
+ return new Track1Sdk.JsonWebKey()
{
- Kty = JsonWebKeyType.RsaHsm,
+ Kty = Track1Sdk.JsonWebKeyType.RsaHsm,
T = byokBlob,
};
}
+
+ private Track2Sdk.JsonWebKey ConvertToTrack2SdkJsonWebKey(string byokFileName)
+ {
+ byte[] byokBlob = File.ReadAllBytes(byokFileName);
+
+ if (byokBlob == null || byokBlob.Length == 0)
+ throw new ArgumentException(string.Format(KeyVaultProperties.Resources.InvalidKeyBlob, "BYOK"));
+
+ return new Track2Sdk.JsonWebKey(new RSACryptoServiceProvider())
+ {
+ KeyType = Track2Sdk.KeyType.RsaHsm,
+ T = byokBlob,
+ };
+ }
private IWebKeyConverter next;
private const string ByokFileExtension = ".byok";
diff --git a/src/KeyVault/KeyVault/Models/IKeyVaultDataServiceClient.cs b/src/KeyVault/KeyVault/Models/IKeyVaultDataServiceClient.cs
index 9999e00c5bdc..19cb8881b8e8 100644
--- a/src/KeyVault/KeyVault/Models/IKeyVaultDataServiceClient.cs
+++ b/src/KeyVault/KeyVault/Models/IKeyVaultDataServiceClient.cs
@@ -19,6 +19,7 @@
using System.Security.Cryptography.X509Certificates;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.KeyVault.WebKey;
+using Track2Sdk = Azure.Security.KeyVault.Keys;
namespace Microsoft.Azure.Commands.KeyVault.Models
{
@@ -30,24 +31,44 @@ public interface IKeyVaultDataServiceClient
PSKeyVaultKey ImportKey(string vaultName, string keyName, PSKeyVaultKeyAttributes keyAttributes, JsonWebKey webKey, bool? importToHsm);
+ PSKeyVaultKey ImportManagedHsmKey(string managedHsmName, string keyName, Track2Sdk.JsonWebKey webKey);
+
PSKeyVaultKey UpdateKey(string vaultName, string keyName, string keyVersion, PSKeyVaultKeyAttributes keyAttributes);
+ PSKeyVaultKey UpdateManagedHsmKey(string managedHsmName, string keyName, string keyVersion, PSKeyVaultKeyAttributes keyAttributes);
+
PSKeyVaultKey GetKey(string vaultName, string keyName, string keyVersion);
- PSDeletedKeyVaultKey GetDeletedKey(string vaultName, string name);
+ PSKeyVaultKey GetManagedHsmKey(string managedHsmName, string keyName, string keyVersion);
+
+ PSDeletedKeyVaultKey GetDeletedKey(string managedHsmName, string keyName);
+
+ PSDeletedKeyVaultKey GetManagedHsmDeletedKey(string managedHsmName, string keyName);
IEnumerable GetKeys(KeyVaultObjectFilterOptions options);
+ IEnumerable GetManagedHsmKeys(string managedHsmName);
+
IEnumerable GetKeyVersions(KeyVaultObjectFilterOptions options);
+ IEnumerable GetManagedHsmKeyAllVersions(string managedHsmName, string keyName);
+
IEnumerable GetDeletedKeys(KeyVaultObjectFilterOptions options);
+ IEnumerable GetManagedHsmDeletedKeys(string managedHsmName);
+
PSDeletedKeyVaultKey DeleteKey(string vaultName, string keyName);
+ PSDeletedKeyVaultKey DeleteManagedHsmKey(string ManagedHsm, string keyName);
+
void PurgeKey(string vaultName, string name);
+ void PurgeManagedHsmKey(string managedHsmName, string keyName);
+
PSKeyVaultKey RecoverKey(string vaultName, string keyName);
+ PSKeyVaultKey RecoverManagedHsmKey(string managedHsmName, string keyName);
+
PSKeyVaultSecret SetSecret(string vaultName, string secretName, SecureString secretValue, PSKeyVaultSecretAttributes secretAttributes);
PSKeyVaultSecret UpdateSecret(string vaultName, string secretName, string secretVersion, PSKeyVaultSecretAttributes secretAttributes);
@@ -70,8 +91,12 @@ public interface IKeyVaultDataServiceClient
string BackupKey(string vaultName, string keyName, string outputBlobPath);
+ string BackupManagedHsmKey(string managedHsmName, string keyName, string outputBlobPath);
+
PSKeyVaultKey RestoreKey(string vaultName, string inputBlobPath);
+ PSKeyVaultKey RestoreManagedHsmKey(string managedHsmName, string inputBlobPath);
+
string BackupSecret(string vaultName, string secretName, string outputBlobPath);
PSKeyVaultSecret RestoreSecret(string vaultName, string inputBlobPath);
@@ -169,6 +194,7 @@ public interface IKeyVaultDataServiceClient
string BackupManagedStorageAccount(string vaultName, string managedStorageAccountName, string outputBlobPath);
PSKeyVaultManagedStorageAccount RestoreManagedStorageAccount(string vaultName, string inputBlobPath);
+
#endregion
}
}
diff --git a/src/KeyVault/KeyVault/Models/IWebKeyConverter.cs b/src/KeyVault/KeyVault/Models/IWebKeyConverter.cs
index f46962cb92f0..37abcd1c6b93 100644
--- a/src/KeyVault/KeyVault/Models/IWebKeyConverter.cs
+++ b/src/KeyVault/KeyVault/Models/IWebKeyConverter.cs
@@ -12,15 +12,19 @@
// limitations under the License.
// ----------------------------------------------------------------------------------
-using Microsoft.Azure.KeyVault.WebKey;
using System.IO;
using System.Security;
-using Microsoft.Azure.KeyVault.Models;
+using Track2Sdk = Azure.Security.KeyVault.Keys;
+using Track1Sdk = Microsoft.Azure.KeyVault.WebKey;
namespace Microsoft.Azure.Commands.KeyVault.Models
{
internal interface IWebKeyConverter
{
- JsonWebKey ConvertKeyFromFile(FileInfo fileInfo, SecureString password);
+ Track1Sdk.JsonWebKey ConvertKeyFromFile(FileInfo fileInfo, SecureString password);
+
+ Track2Sdk.JsonWebKey ConvertToTrack2SdkKeyFromFile(FileInfo fileInfo, SecureString password);
}
+
+
}
diff --git a/src/KeyVault/KeyVault/Models/KeyVaultCmdletBase.cs b/src/KeyVault/KeyVault/Models/KeyVaultCmdletBase.cs
index c12a7b0a0874..fb9d8afddef6 100644
--- a/src/KeyVault/KeyVault/Models/KeyVaultCmdletBase.cs
+++ b/src/KeyVault/KeyVault/Models/KeyVaultCmdletBase.cs
@@ -14,8 +14,10 @@
using System;
using System.Collections.Generic;
+using System.Diagnostics.Tracing;
using System.Linq;
using System.Management.Automation;
+using Azure.Core.Diagnostics;
using Microsoft.Azure.Commands.Common.Authentication;
using Microsoft.Azure.Commands.KeyVault.Track2Models;
using Microsoft.Azure.Commands.ResourceManager.Common;
@@ -25,6 +27,7 @@ namespace Microsoft.Azure.Commands.KeyVault.Models
public class KeyVaultCmdletBase : AzureRMCmdlet
{
public static readonly DateTime EpochDate = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
+ private AzureEventSourceListener _azureEventSourceListener;
internal IKeyVaultDataServiceClient DataServiceClient
{
@@ -55,6 +58,7 @@ internal IKeyVaultDataServiceClient Track2DataClient
_track2DataServiceClient = new Track2KeyVaultDataServiceClient(
AzureSession.Instance.AuthenticationFactory,
DefaultContext);
+ _azureEventSourceListener = AzureEventSourceListener.CreateTraceLogger(EventLevel.Verbose);
}
return _track2DataServiceClient;
@@ -125,5 +129,15 @@ private object GetPropertyValue(T resource, string property)
return null;
}
+
+ protected override void Dispose(bool disposing)
+ {
+ base.Dispose(disposing);
+ if (disposing && _azureEventSourceListener != null)
+ {
+ _azureEventSourceListener.Dispose();
+ _azureEventSourceListener = null;
+ }
+ }
}
}
diff --git a/src/KeyVault/KeyVault/Models/KeyVaultDataServiceClient.cs b/src/KeyVault/KeyVault/Models/KeyVaultDataServiceClient.cs
index 0b2b8fdf319a..9aabaea0c8f0 100644
--- a/src/KeyVault/KeyVault/Models/KeyVaultDataServiceClient.cs
+++ b/src/KeyVault/KeyVault/Models/KeyVaultDataServiceClient.cs
@@ -27,6 +27,7 @@
using Microsoft.Azure.KeyVault.WebKey;
using Microsoft.Rest.Azure;
using KeyVaultProperties = Microsoft.Azure.Commands.KeyVault.Properties;
+using Track2Sdk = Azure.Security.KeyVault.Keys;
namespace Microsoft.Azure.Commands.KeyVault.Models
{
@@ -902,7 +903,7 @@ public PSKeyVaultKey RestoreKey(string vaultName, string inputBlobPath)
return new PSKeyVaultKey(keyBundle, this.vaultUriHelper);
}
-
+
public string BackupSecret( string vaultName, string secretName, string outputBlobPath )
{
if ( string.IsNullOrEmpty( vaultName ) )
@@ -2002,11 +2003,70 @@ public PSKeyVaultManagedStorageAccount RestoreManagedStorageAccount(string vault
return new PSKeyVaultManagedStorageAccount(storageAccountBundle, this.vaultUriHelper);
}
+ public string BackupManagedHsmKey(string managedHsmName, string keyName, string outputBlobPath)
+ {
+ throw new NotImplementedException("Backing up a key on managed HSM is only possible in track 2 SDK.");
+ }
+
+ public PSKeyVaultKey RestoreManagedHsmKey(string managedHsmName, string inputBlobPath)
+ {
+ throw new NotImplementedException("Restoring a key on managed HSM is only possible in track 2 SDK.");
+ }
+
public PSKeyVaultKey CreateManagedHsmKey(string managedHsmName, string keyName, PSKeyVaultKeyAttributes keyAttributes, int? size, string curveName)
{
throw new NotImplementedException("Creating keys on managed HSM is only possible in track 2 SDK.");
}
+ public PSDeletedKeyVaultKey DeleteManagedHsmKey(string managedHsmName, string keyName)
+ {
+ throw new NotImplementedException("Removing keys on managed HSM is only possible in track 2 SDK.");
+ }
+
+ public PSKeyVaultKey ImportManagedHsmKey(string managedHsmName, string keyName, Track2Sdk.JsonWebKey webKey)
+ {
+ throw new NotImplementedException("Importing keys on managed HSM is only possible in track 2 SDK.");
+ }
+
+ public PSKeyVaultKey UpdateManagedHsmKey(string managedHsmName, string keyName, string keyVersion, PSKeyVaultKeyAttributes keyAttributes)
+ {
+ throw new NotImplementedException("Updating keys on managed HSM is only possible in track 2 SDK.");
+ }
+ public PSKeyVaultKey RecoverManagedHsmKey(string managedHsmName, string keyName)
+ {
+ throw new NotImplementedException("Recovering keys on managed HSM is only possible in track 2 SDK.");
+ }
+
+ public PSKeyVaultKey GetManagedHsmKey(string managedHsmName, string keyName, string keyVersion)
+ {
+ throw new NotImplementedException("Getting keys on managed HSM is only possible in track 2 SDK.");
+ }
+
+ public IEnumerable GetManagedHsmKeyAllVersions(string managedHsmName, string keyName)
+ {
+ throw new NotImplementedException("Getting key versions on managed HSM is only possible in track 2 SDK.");
+ }
+
+ public IEnumerable GetManagedHsmKeys(string managedHsmName)
+ {
+ throw new NotImplementedException("Getting keys on managed HSM is only possible in track 2 SDK.");
+ }
+
+ public PSDeletedKeyVaultKey GetManagedHsmDeletedKey(string managedHsmName, string keyName)
+ {
+ throw new NotImplementedException("Getting deleted keys on managed HSM is only possible in track 2 SDK.");
+ }
+
+ public IEnumerable GetManagedHsmDeletedKeys(string managedHsmNam)
+ {
+ throw new NotImplementedException("Getting deleted keys on managed HSM is only possible in track 2 SDK.");
+ }
+
+ public void PurgeManagedHsmKey(string managedHsmName, string keyName)
+ {
+ throw new NotImplementedException("Purging deleted keys on managed HSM is only possible in track 2 SDK.");
+ }
+
private VaultUriHelper vaultUriHelper;
private KeyVaultClient keyVaultClient;
}
diff --git a/src/KeyVault/KeyVault/Models/PSDeletedKeyVaultKey.cs b/src/KeyVault/KeyVault/Models/PSDeletedKeyVaultKey.cs
index 3d65078fd62a..58b949b38c4c 100644
--- a/src/KeyVault/KeyVault/Models/PSDeletedKeyVaultKey.cs
+++ b/src/KeyVault/KeyVault/Models/PSDeletedKeyVaultKey.cs
@@ -16,6 +16,8 @@
using Microsoft.Azure.KeyVault.WebKey;
using System;
using System.Linq;
+using Azure.Security.KeyVault.Keys;
+using JsonWebKey = Microsoft.Azure.KeyVault.WebKey.JsonWebKey;
namespace Microsoft.Azure.Commands.KeyVault.Models
{
@@ -59,6 +61,40 @@ internal PSDeletedKeyVaultKey(Azure.KeyVault.Models.DeletedKeyBundle deletedKeyB
DeletedDate = deletedKeyBundle.DeletedDate;
}
+ internal PSDeletedKeyVaultKey(DeletedKey deletedKey, VaultUriHelper vaultUriHelper)
+ {
+ if (deletedKey == null)
+ throw new ArgumentNullException("deletedKey");
+ if (deletedKey.Key == null || deletedKey.Properties == null)
+ throw new ArgumentException(Resources.InvalidKeyBundle);
+
+ SetObjectIdentifier(vaultUriHelper, new Microsoft.Azure.KeyVault.KeyIdentifier(deletedKey.Id.ToString()));
+
+ Key = deletedKey.Key.ToTrack1JsonWebKey();
+ Attributes = new PSKeyVaultKeyAttributes(
+ deletedKey.Properties.Enabled,
+ /// see https://docs.microsoft.com/en-us/dotnet/standard/datetime/converting-between-datetime-and-offset#conversions-from-datetimeoffset-to-datetime
+ deletedKey.Properties.ExpiresOn?.UtcDateTime, // time returned by key vault are UTC
+ deletedKey.Properties.NotBefore?.UtcDateTime,
+ deletedKey.KeyType.ToString(),
+ deletedKey.KeyOperations.Select(op => op.ToString()).ToArray(),
+ deletedKey.Properties.CreatedOn?.UtcDateTime,
+ deletedKey.Properties.UpdatedOn?.UtcDateTime,
+ deletedKey.Properties.RecoveryLevel,
+ deletedKey.Properties.Tags
+ );
+
+ Enabled = deletedKey.Properties.Enabled;
+ Expires = deletedKey.Properties.ExpiresOn?.UtcDateTime;
+ NotBefore = deletedKey.Properties.NotBefore?.UtcDateTime;
+ Created = deletedKey.Properties.CreatedOn?.UtcDateTime;
+ Updated = deletedKey.Properties.UpdatedOn?.UtcDateTime;
+ RecoveryLevel = deletedKey.Properties.RecoveryLevel;
+ Tags = deletedKey.Properties.Tags.ConvertToHashtable();
+ ScheduledPurgeDate = deletedKey.ScheduledPurgeDate?.UtcDateTime;
+ DeletedDate = deletedKey.DeletedOn?.UtcDateTime;
+ }
+
public PSKeyVaultKeyAttributes Attributes { get; set; }
public JsonWebKey Key { get; set; }
diff --git a/src/KeyVault/KeyVault/Models/PSDeletedKeyVaultKeyIdentityItem.cs b/src/KeyVault/KeyVault/Models/PSDeletedKeyVaultKeyIdentityItem.cs
index dd7f54fc49da..0e75d5da5218 100644
--- a/src/KeyVault/KeyVault/Models/PSDeletedKeyVaultKeyIdentityItem.cs
+++ b/src/KeyVault/KeyVault/Models/PSDeletedKeyVaultKeyIdentityItem.cs
@@ -13,6 +13,7 @@
// ----------------------------------------------------------------------------------
using System;
+using Track2Sdk = Azure.Security.KeyVault.Keys;
namespace Microsoft.Azure.Commands.KeyVault.Models
{
@@ -26,6 +27,11 @@ internal PSDeletedKeyVaultKeyIdentityItem(Azure.KeyVault.Models.DeletedKeyItem k
ScheduledPurgeDate = keyItem.ScheduledPurgeDate;
DeletedDate = keyItem.DeletedDate;
}
+ internal PSDeletedKeyVaultKeyIdentityItem(Track2Sdk.DeletedKey deletedKey, VaultUriHelper vaultUriHelper): base(deletedKey.Properties, vaultUriHelper)
+ {
+ ScheduledPurgeDate = deletedKey.ScheduledPurgeDate?.UtcDateTime;
+ DeletedDate = deletedKey.DeletedOn?.UtcDateTime;
+ }
public DateTime? ScheduledPurgeDate { get; set; }
diff --git a/src/KeyVault/KeyVault/Models/PSKeyVaultKeyIdentityItem.cs b/src/KeyVault/KeyVault/Models/PSKeyVaultKeyIdentityItem.cs
index a61a2fc5a574..0c88ef3c9c1f 100644
--- a/src/KeyVault/KeyVault/Models/PSKeyVaultKeyIdentityItem.cs
+++ b/src/KeyVault/KeyVault/Models/PSKeyVaultKeyIdentityItem.cs
@@ -15,6 +15,7 @@
using System;
using System.Collections;
using KeyVaultProperties = Microsoft.Azure.Commands.KeyVault.Properties;
+using Track2Sdk = Azure.Security.KeyVault.Keys;
namespace Microsoft.Azure.Commands.KeyVault.Models
{
@@ -60,6 +61,23 @@ internal PSKeyVaultKeyIdentityItem(PSKeyVaultKey keyBundle)
RecoveryLevel = keyBundle.Attributes.RecoveryLevel;
Tags = keyBundle.Attributes.Tags;
}
+ internal PSKeyVaultKeyIdentityItem(Track2Sdk.KeyProperties keyProperties, VaultUriHelper vaultUriHelper)
+ {
+ if (keyProperties == null)
+ throw new ArgumentNullException("keyProperties");
+ if (keyProperties.Id == null || keyProperties.Name == null)
+ throw new ArgumentException(KeyVaultProperties.Resources.InvalidKeyProperties);
+
+ SetObjectIdentifier(vaultUriHelper, new Microsoft.Azure.KeyVault.KeyIdentifier(keyProperties.Id.ToString()));
+
+ Enabled = keyProperties.Enabled;
+ Expires = keyProperties.ExpiresOn?.UtcDateTime;
+ NotBefore = keyProperties.NotBefore?.UtcDateTime;
+ Created = keyProperties.CreatedOn?.UtcDateTime;
+ Updated = keyProperties.UpdatedOn?.UtcDateTime;
+ RecoveryLevel = keyProperties.RecoveryLevel;
+ Tags = keyProperties.Tags.ConvertToHashtable();
+ }
public bool? Enabled { get; set; }
diff --git a/src/KeyVault/KeyVault/Models/PfxWebKeyConverter.cs b/src/KeyVault/KeyVault/Models/PfxWebKeyConverter.cs
index 770f78d7b9ef..d4514d52f961 100644
--- a/src/KeyVault/KeyVault/Models/PfxWebKeyConverter.cs
+++ b/src/KeyVault/KeyVault/Models/PfxWebKeyConverter.cs
@@ -12,14 +12,15 @@
// limitations under the License.
// ----------------------------------------------------------------------------------
-using Microsoft.Azure.KeyVault.WebKey;
using System;
using System.IO;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using KeyVaultProperties = Microsoft.Azure.Commands.KeyVault.Properties;
-using Microsoft.Azure.KeyVault.Models;
+using Track2Sdk = Azure.Security.KeyVault.Keys;
+using Track1Sdk = Microsoft.Azure.KeyVault.WebKey;
+using Microsoft.Azure.KeyVault.WebKey;
namespace Microsoft.Azure.Commands.KeyVault.Models
{
@@ -30,7 +31,7 @@ public PfxWebKeyConverter(IWebKeyConverter next = null)
this.next = next;
}
- public JsonWebKey ConvertKeyFromFile(FileInfo fileInfo, SecureString password)
+ public Track1Sdk.JsonWebKey ConvertKeyFromFile(FileInfo fileInfo, SecureString password)
{
if (CanProcess(fileInfo))
return Convert(fileInfo.FullName, password);
@@ -39,6 +40,15 @@ public JsonWebKey ConvertKeyFromFile(FileInfo fileInfo, SecureString password)
throw new ArgumentException(string.Format(KeyVaultProperties.Resources.UnsupportedFileFormat, fileInfo.Name));
}
+ public Track2Sdk.JsonWebKey ConvertToTrack2SdkKeyFromFile(FileInfo fileInfo, SecureString password)
+ {
+ if (CanProcess(fileInfo))
+ return ConvertToTrack2SdkJsonWebKey(fileInfo.FullName, password);
+ if (next != null)
+ return next.ConvertToTrack2SdkKeyFromFile(fileInfo, password);
+ throw new ArgumentException(string.Format(KeyVaultProperties.Resources.UnsupportedFileFormat, fileInfo.Name));
+ }
+
private bool CanProcess(FileInfo fileInfo)
{
if (fileInfo == null ||
@@ -50,7 +60,7 @@ private bool CanProcess(FileInfo fileInfo)
return PfxFileExtension.Equals(fileInfo.Extension, StringComparison.OrdinalIgnoreCase);
}
- private JsonWebKey Convert(string pfxFileName, SecureString pfxPassword)
+ private Track1Sdk.JsonWebKey Convert(string pfxFileName, SecureString pfxPassword)
{
X509Certificate2 certificate;
@@ -69,15 +79,41 @@ private JsonWebKey Convert(string pfxFileName, SecureString pfxPassword)
return CreateJWK(key);
}
+
+ private Track2Sdk.JsonWebKey ConvertToTrack2SdkJsonWebKey(string pfxFileName, SecureString pfxPassword)
+ {
+ X509Certificate2 certificate;
- private static JsonWebKey CreateJWK(RSA rsa)
+ if (pfxPassword != null)
+ certificate = new X509Certificate2(pfxFileName, pfxPassword, X509KeyStorageFlags.Exportable);
+ else
+ certificate = new X509Certificate2(pfxFileName);
+
+ if (!certificate.HasPrivateKey)
+ throw new ArgumentException(string.Format(KeyVaultProperties.Resources.InvalidKeyBlob, "pfx"));
+
+ var rsaKey = certificate.PrivateKey as RSA;
+ if (rsaKey != null)
+ return CreateTrack2SdkJWK(rsaKey);
+
+ var ecKey = certificate.PrivateKey as ECDsa;
+ if(ecKey != null)
+ return CreateTrack2SdkJWK(ecKey);
+
+ // to do: support converting oct to jsonwebKey
+
+ throw new ArgumentException(string.Format(KeyVaultProperties.Resources.ImportNotSupported, "oct-HSM"));
+
+ }
+
+ private static Track1Sdk.JsonWebKey CreateJWK(RSA rsa)
{
if (rsa == null)
throw new ArgumentNullException("rsa");
RSAParameters rsaParameters = rsa.ExportParameters(true);
- var webKey = new JsonWebKey()
+ var webKey = new Track1Sdk.JsonWebKey()
{
- Kty = JsonWebKeyType.Rsa,
+ Kty = Track1Sdk.JsonWebKeyType.Rsa,
E = rsaParameters.Exponent,
N = rsaParameters.Modulus,
D = rsaParameters.D,
@@ -91,6 +127,55 @@ private static JsonWebKey CreateJWK(RSA rsa)
return webKey;
}
+ private static Track2Sdk.JsonWebKey CreateTrack2SdkJWK(RSA rsa)
+ {
+ if (rsa == null)
+ throw new ArgumentNullException("rsa");
+ RSAParameters rsaParameters = rsa.ExportParameters(true);
+ var webKey = new Track2Sdk.JsonWebKey(rsa)
+ {
+ // note: Keyvault need distinguish RSA and RSA-HSM
+ KeyType = Track2Sdk.KeyType.RsaHsm,
+ N = rsaParameters.Modulus,
+ E = rsaParameters.Exponent,
+ DP = rsaParameters.DP,
+ DQ = rsaParameters.DQ,
+ QI = rsaParameters.InverseQ,
+ Q = rsaParameters.Q,
+ D = rsaParameters.D,
+ P = rsaParameters.P
+ };
+
+ return webKey;
+ }
+
+ private static Track2Sdk.JsonWebKey CreateTrack2SdkJWK(ECDsa ecdSa)
+ {
+ if (ecdSa == null)
+ {
+ throw new ArgumentNullException("ecdSa");
+ }
+
+ System.Security.Cryptography.ECParameters ecParameters = ecdSa.ExportParameters(true);
+ var webKey = new Track2Sdk.JsonWebKey(ecdSa)
+ {
+ // note: Keyvault need distinguish EC and EC-HSM
+ KeyType = Track2Sdk.KeyType.EcHsm,
+ CurveName = ecParameters.Curve.CurveType.ToString(),
+ D = ecParameters.D,
+ X = ecParameters.Q.X,
+ Y = ecParameters.Q.Y
+ };
+
+ return webKey;
+
+ }
+
+ private static Track2Sdk.JsonWebKey CreateTrack2SdkJWK(Aes aes)
+ {
+ throw new NotImplementedException();
+ }
+
private IWebKeyConverter next;
private const string PfxFileExtension = ".pfx";
}
diff --git a/src/KeyVault/KeyVault/Properties/Resources.Designer.cs b/src/KeyVault/KeyVault/Properties/Resources.Designer.cs
index 2767fff28a1f..4f3b2d950697 100644
--- a/src/KeyVault/KeyVault/Properties/Resources.Designer.cs
+++ b/src/KeyVault/KeyVault/Properties/Resources.Designer.cs
@@ -378,6 +378,15 @@ internal static string ImportCertificate {
}
}
+ ///
+ /// Looks up a localized string similar to Key type '{0}' is not supported for importing. (Supported types: RSA-HSM).
+ ///
+ internal static string ImportNotSupported {
+ get {
+ return ResourceManager.GetString("ImportNotSupported", resourceCulture);
+ }
+ }
+
///
/// Looks up a localized string similar to Invalid application Id..
///
@@ -405,6 +414,15 @@ internal static string InvalidCurrentSubscription {
}
}
+ ///
+ /// Looks up a localized string similar to Invalid HSM name..
+ ///
+ internal static string InvalidHsmName {
+ get {
+ return ResourceManager.GetString("InvalidHsmName", resourceCulture);
+ }
+ }
+
///
/// Looks up a localized string similar to Invalid key attributes.
///
@@ -459,6 +477,15 @@ internal static string InvalidKeyName {
}
}
+ ///
+ /// Looks up a localized string similar to Invalid key properties.
+ ///
+ internal static string InvalidKeyProperties {
+ get {
+ return ResourceManager.GetString("InvalidKeyProperties", resourceCulture);
+ }
+ }
+
///
/// Looks up a localized string similar to Invalid key uri '{0}'..
///
diff --git a/src/KeyVault/KeyVault/Properties/Resources.resx b/src/KeyVault/KeyVault/Properties/Resources.resx
index 11ce63688439..36550644bb9b 100644
--- a/src/KeyVault/KeyVault/Properties/Resources.resx
+++ b/src/KeyVault/KeyVault/Properties/Resources.resx
@@ -501,6 +501,15 @@ You can find the object ID using Azure Active Directory Module for Windows Power
The "import" operation is exclusive, it cannot be combined with any other value(s).
+
+ Invalid key properties
+
+
+ Invalid HSM name.
+
+
+ Key type '{0}' is not supported for importing. (Supported types: RSA-HSM)
+
Cannot find HSM '{0}' in resource group '{1}'.
diff --git a/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs b/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs
index 8658143e3ee0..b50caf16c210 100644
--- a/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs
+++ b/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs
@@ -1,8 +1,16 @@
-using Azure.Security.KeyVault.Keys;
+using Azure;
+using Azure.Security.KeyVault.Keys;
using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.KeyVault.Models;
using System;
using System.Collections;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Net;
+using KeyProperties = Azure.Security.KeyVault.Keys.KeyProperties;
+using KeyVaultProperties = Microsoft.Azure.Commands.KeyVault.Properties;
namespace Microsoft.Azure.Commands.KeyVault.Track2Models
{
@@ -18,6 +26,66 @@ public Track2HsmClient(IAuthenticationFactory authFactory, IAzureContext context
_uriHelper = new VaultUriHelper(context.Environment.GetEndpoint(AzureEnvironment.ExtendedEndpoint.ManagedHsmServiceEndpointSuffix));
}
+ internal string BackupKey(string managedHsmName, string keyName, string outputBlobPath)
+ {
+ if (string.IsNullOrEmpty(managedHsmName))
+ throw new ArgumentNullException(nameof(managedHsmName));
+ if (string.IsNullOrEmpty(keyName))
+ throw new ArgumentNullException(nameof(keyName));
+ if (string.IsNullOrEmpty(outputBlobPath))
+ throw new ArgumentNullException(nameof(outputBlobPath));
+
+ var client = CreateKeyClient(managedHsmName);
+
+ return BackupKey(client, keyName, outputBlobPath);
+ }
+
+ private string BackupKey(KeyClient client, string keyName, string outputBlobPath)
+ {
+ BackupKeyResult backupKeyResult;
+ try
+ {
+ backupKeyResult = new BackupKeyResult(client.BackupKeyAsync(keyName).GetAwaiter().GetResult());
+ }
+ catch (Exception ex)
+ {
+ throw GetInnerException(ex);
+ }
+
+ File.WriteAllBytes(outputBlobPath, backupKeyResult.Value);
+
+ return outputBlobPath;
+ }
+
+ internal PSKeyVaultKey RestoreKey(string managedHsmName, string inputBlobPath)
+ {
+ if (string.IsNullOrEmpty(managedHsmName))
+ throw new ArgumentNullException(nameof(managedHsmName));
+ if (string.IsNullOrEmpty(inputBlobPath))
+ throw new ArgumentNullException(nameof(inputBlobPath));
+
+ var client = CreateKeyClient(managedHsmName);
+
+ return RestoreKey(client, inputBlobPath);
+ }
+
+ private PSKeyVaultKey RestoreKey(KeyClient client, string inputBlobPath)
+ {
+ var backupBlob = File.ReadAllBytes(inputBlobPath);
+
+ KeyVaultKey keyBundle;
+ try
+ {
+ keyBundle = client.RestoreKeyBackupAsync(backupBlob).GetAwaiter().GetResult();
+ }
+ catch (Exception ex)
+ {
+ throw GetInnerException(ex);
+ }
+
+ return new PSKeyVaultKey(keyBundle, this._uriHelper);
+ }
+
internal PSKeyVaultKey CreateKey(string managedHsmName, string keyName, PSKeyVaultKeyAttributes keyAttributes, int? size, string curveName)
{
var client = CreateKeyClient(managedHsmName);
@@ -36,7 +104,15 @@ private PSKeyVaultKey CreateKey(KeyClient client, string keyName, PSKeyVaultKeyA
}
else if (keyAttributes.KeyType == KeyType.Ec || keyAttributes.KeyType == KeyType.EcHsm)
{
- options = new CreateEcKeyOptions(keyName, isHsm) { CurveName = string.IsNullOrEmpty(curveName) ? null : new KeyCurveName(curveName) };
+ options = new CreateEcKeyOptions(keyName, isHsm);
+ if (string.IsNullOrEmpty(curveName))
+ {
+ (options as CreateEcKeyOptions).CurveName = null;
+ }
+ else
+ {
+ (options as CreateEcKeyOptions).CurveName = new KeyCurveName(curveName);
+ }
}
else
{
@@ -77,5 +153,284 @@ private PSKeyVaultKey CreateKey(KeyClient client, string keyName, PSKeyVaultKeyA
throw new NotSupportedException($"{keyAttributes.KeyType} is not supported");
}
}
+
+ internal PSDeletedKeyVaultKey DeleteKey(string managedHsmName, string keyName)
+ {
+ if (string.IsNullOrEmpty(managedHsmName))
+ throw new ArgumentNullException(nameof(managedHsmName));
+ if (string.IsNullOrEmpty(keyName))
+ throw new ArgumentNullException(nameof(keyName));
+
+ var client = CreateKeyClient(managedHsmName);
+
+ return DeleteKey(client, keyName);
+ }
+
+ private PSDeletedKeyVaultKey DeleteKey(KeyClient client, string keyName)
+ {
+ DeletedKey deletedKey;
+ try
+ {
+ deletedKey = client.StartDeleteKeyAsync(keyName).ConfigureAwait(false).GetAwaiter().GetResult()
+ .WaitForCompletionAsync().ConfigureAwait(false).GetAwaiter().GetResult();
+ }
+ catch (Exception ex)
+ {
+ throw GetInnerException(ex);
+ }
+
+ return new PSDeletedKeyVaultKey(deletedKey, this._uriHelper);
+ }
+
+ internal PSKeyVaultKey RecoverKey(string managedHsmName, string keyName)
+ {
+ if (string.IsNullOrEmpty(managedHsmName))
+ throw new ArgumentNullException("managedHsmName");
+ if (string.IsNullOrEmpty(keyName))
+ throw new ArgumentNullException("keyName");
+
+ var client = CreateKeyClient(managedHsmName);
+
+ return RecoverKey(client, keyName);
+ }
+
+ private PSKeyVaultKey RecoverKey(KeyClient client, string keyName)
+ {
+ KeyVaultKey recoveredKey;
+ try
+ {
+ recoveredKey = client.StartRecoverDeletedKeyAsync(keyName).GetAwaiter().GetResult()
+ .WaitForCompletionAsync().GetAwaiter().GetResult().Value;
+ }
+ catch (Exception ex)
+ {
+ throw GetInnerException(ex);
+ }
+
+ return new PSKeyVaultKey(recoveredKey, this._uriHelper);
+ }
+
+ internal PSKeyVaultKey UpdateKey(string managedHsmName, string keyName, string keyVersion, PSKeyVaultKeyAttributes keyAttributes)
+ {
+ if (string.IsNullOrEmpty(managedHsmName))
+ throw new ArgumentNullException(nameof(managedHsmName));
+ if (string.IsNullOrEmpty(keyName))
+ throw new ArgumentNullException(nameof(keyName));
+ if (keyAttributes == null)
+ throw new ArgumentNullException(nameof(keyAttributes));
+
+ var client = CreateKeyClient(managedHsmName);
+
+ return UpdateKey(client, keyName, keyVersion, keyAttributes);
+ }
+
+ private PSKeyVaultKey UpdateKey(KeyClient client, string keyName, string keyVersion, PSKeyVaultKeyAttributes keyAttributes)
+ {
+ KeyVaultKey keyBundle = client.GetKeyAsync(keyName, keyVersion).GetAwaiter().GetResult();
+ KeyProperties keyProperties = keyBundle.Properties;
+ keyProperties.Enabled = keyAttributes.Enabled;
+ keyProperties.ExpiresOn = keyAttributes.Expires;
+ keyProperties.NotBefore = keyAttributes.NotBefore;
+
+ if (keyAttributes.Tags != null)
+ {
+ keyProperties.Tags.Clear();
+ foreach (KeyValuePair entry in keyAttributes.TagsDirectionary)
+ {
+ keyProperties.Tags.Add(entry.Key, entry.Value);
+ }
+ }
+
+ try
+ {
+ keyBundle = client.UpdateKeyPropertiesAsync(keyProperties, keyAttributes.KeyOps?.Cast().ToList())
+ .GetAwaiter().GetResult();
+ }
+ catch (Exception ex)
+ {
+ throw GetInnerException(ex);
+ }
+
+ return new PSKeyVaultKey(keyBundle, this._uriHelper);
+ }
+
+ internal PSKeyVaultKey GetKey(string managedHsmName, string keyName, string keyVersion)
+ {
+ if (string.IsNullOrEmpty(managedHsmName))
+ throw new ArgumentNullException(nameof(managedHsmName));
+ if (string.IsNullOrEmpty(keyName))
+ throw new ArgumentNullException(nameof(keyName));
+
+ var client = CreateKeyClient(managedHsmName);
+ return GetKey(client, keyName, keyVersion);
+ }
+
+ private PSKeyVaultKey GetKey(KeyClient client, string keyName, string keyVersion)
+ {
+ KeyVaultKey keyBundle;
+ try
+ {
+ keyBundle = client.GetKeyAsync(keyName, keyVersion).GetAwaiter().GetResult();
+ }
+ catch (RequestFailedException ex)
+ {
+ if (ex.Status == (int)HttpStatusCode.NotFound)
+ return null;
+ else
+ throw;
+ }
+ catch (Exception ex)
+ {
+ throw GetInnerException(ex);
+ }
+
+ return new PSKeyVaultKey(keyBundle, this._uriHelper);
+ }
+
+ internal IEnumerable GetKeys(string managedHsmName)
+ {
+ if (string.IsNullOrEmpty(managedHsmName))
+ throw new ArgumentException(KeyVaultProperties.Resources.InvalidHsmName);
+
+ var client = CreateKeyClient(managedHsmName);
+
+ try
+ {
+ IEnumerable result = client.GetPropertiesOfKeys();
+
+ return (result == null) ? new List() :
+ result.Select((keyProperties) => new PSKeyVaultKeyIdentityItem(keyProperties, this._uriHelper));
+ }
+ catch (Exception ex)
+ {
+ throw GetInnerException(ex);
+ }
+ }
+
+ internal IEnumerable GetKeyAllVersions(string managedHsmName, string keyName)
+ {
+ if (string.IsNullOrEmpty(managedHsmName))
+ throw new ArgumentException(KeyVaultProperties.Resources.InvalidHsmName);
+
+ if (string.IsNullOrEmpty(keyName))
+ throw new ArgumentException(KeyVaultProperties.Resources.InvalidKeyName);
+
+ var client = CreateKeyClient(managedHsmName);
+ return GetAllVersionKeys(client, keyName);
+ }
+
+ private IEnumerable GetAllVersionKeys(KeyClient client, string keyName)
+ {
+ try
+ {
+ IEnumerable result = client.GetPropertiesOfKeyVersions(keyName);
+ return (result == null) ? new List() :
+ result.Select((keyProperties) => new PSKeyVaultKeyIdentityItem(keyProperties, this._uriHelper));
+ }
+ catch (Exception ex)
+ {
+ throw GetInnerException(ex);
+ }
+ }
+
+ internal PSDeletedKeyVaultKey GetDeletedKey(string managedHsmName, string keyName)
+ {
+ if (string.IsNullOrEmpty(managedHsmName))
+ throw new ArgumentNullException(nameof(managedHsmName));
+ if (string.IsNullOrEmpty(keyName))
+ throw new ArgumentNullException(nameof(keyName));
+
+ var client = CreateKeyClient(managedHsmName);
+
+ return GetDeletedKey(client, keyName);
+ }
+
+ private PSDeletedKeyVaultKey GetDeletedKey(KeyClient client, string keyName)
+ {
+ DeletedKey deletedKeyBundle;
+ try
+ {
+ deletedKeyBundle = client.GetDeletedKeyAsync(keyName).GetAwaiter().GetResult();
+ }
+ catch (RequestFailedException ex)
+ {
+ if (ex.Status == (int)HttpStatusCode.NotFound)
+ return null;
+ else
+ throw;
+ }
+ catch (Exception ex)
+ {
+ throw GetInnerException(ex);
+ }
+
+ return new PSDeletedKeyVaultKey(deletedKeyBundle, _uriHelper);
+ }
+
+ internal IEnumerable GetDeletedKeys(string managedHsmName)
+ {
+ if (string.IsNullOrEmpty(managedHsmName))
+ throw new ArgumentException(KeyVaultProperties.Resources.InvalidVaultName);
+
+ var client = CreateKeyClient(managedHsmName);
+
+ try
+ {
+ IEnumerable result = client.GetDeletedKeys();
+
+ return (result == null) ? new List() :
+ result.Select((deletedKey) => new PSDeletedKeyVaultKeyIdentityItem(deletedKey, this._uriHelper));
+ }
+ catch (Exception ex)
+ {
+ throw GetInnerException(ex);
+ }
+ }
+
+ internal PSKeyVaultKey ImportKey(string managedHsmName, string keyName, JsonWebKey webKey)
+ {
+ if (string.IsNullOrEmpty(managedHsmName))
+ throw new ArgumentNullException(nameof(managedHsmName));
+ if (string.IsNullOrEmpty(keyName))
+ throw new ArgumentNullException(nameof(keyName));
+ if (webKey == null)
+ throw new ArgumentNullException(nameof(webKey));
+ var client = CreateKeyClient(managedHsmName);
+
+ try
+ {
+ var key = client.ImportKeyAsync(keyName, webKey).GetAwaiter().GetResult();
+ return new PSKeyVaultKey(key, this._uriHelper);
+ }
+ catch (Exception ex)
+ {
+ throw GetInnerException(ex);
+ }
+ }
+
+ internal void PurgeKey(string managedHsmName, string keyName)
+ {
+ if (string.IsNullOrEmpty(managedHsmName))
+ throw new ArgumentNullException("managedHsmName");
+ if (string.IsNullOrEmpty(keyName))
+ throw new ArgumentNullException("keyName");
+
+ var client = CreateKeyClient(managedHsmName);
+
+ try
+ {
+ client.PurgeDeletedKeyAsync(keyName).GetAwaiter().GetResult();
+ }
+ catch (Exception ex)
+ {
+ throw GetInnerException(ex);
+ }
+ }
+
+ private Exception GetInnerException(Exception exception)
+ {
+ while (exception.InnerException != null) exception = exception.InnerException;
+ return exception;
+ }
}
}
diff --git a/src/KeyVault/KeyVault/Track2Models/Track2KeyVaultDataServiceClient.cs b/src/KeyVault/KeyVault/Track2Models/Track2KeyVaultDataServiceClient.cs
index 8414305ace41..84b5dc09ef8a 100644
--- a/src/KeyVault/KeyVault/Track2Models/Track2KeyVaultDataServiceClient.cs
+++ b/src/KeyVault/KeyVault/Track2Models/Track2KeyVaultDataServiceClient.cs
@@ -1,7 +1,6 @@
using Azure.Security.KeyVault.Keys;
using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
using Microsoft.Azure.Commands.KeyVault.Models;
-using Microsoft.Azure.Commands.KeyVault.Track2Models;
using Microsoft.Azure.KeyVault.Models;
using System;
using System.Collections;
@@ -36,7 +35,9 @@ public Track2KeyVaultDataServiceClient(IAuthenticationFactory authFactory, IAzur
private Track2VaultClient _vaultClient;
private Track2HsmClient _hsmClient;
-
+
+ #region KeyVault-related methods
+
public string BackupCertificate(string vaultName, string certificateName, string outputBlobPath)
{
throw new NotImplementedException();
@@ -67,11 +68,6 @@ public PSKeyVaultKey CreateKey(string vaultName, string keyName, PSKeyVaultKeyAt
return VaultClient.CreateKey(vaultName, keyName, keyAttributes, size, curveName);
}
- public PSKeyVaultKey CreateManagedHsmKey(string managedHsmName, string keyName, PSKeyVaultKeyAttributes keyAttributes, int? size, string curveName)
- {
- return HsmClient.CreateKey(managedHsmName, keyName, keyAttributes, size, curveName);
- }
-
public PSDeletedKeyVaultCertificate DeleteCertificate(string vaultName, string certName)
{
throw new NotImplementedException();
@@ -391,5 +387,75 @@ public PSKeyVaultSecret UpdateSecret(string vaultName, string secretName, string
{
throw new NotImplementedException();
}
+ #endregion
+
+ #region ManagedHsm-related methods
+
+ public string BackupManagedHsmKey(string managedHsmName, string keyName, string outputBlobPath)
+ {
+ return HsmClient.BackupKey(managedHsmName, keyName, outputBlobPath);
+ }
+ public PSKeyVaultKey RestoreManagedHsmKey(string managedHsmName, string inputBlobPath)
+ {
+ return HsmClient.RestoreKey(managedHsmName, inputBlobPath);
+ }
+
+ public PSKeyVaultKey CreateManagedHsmKey(string managedHsmName, string keyName, PSKeyVaultKeyAttributes keyAttributes, int? size, string curveName)
+ {
+ return HsmClient.CreateKey(managedHsmName, keyName, keyAttributes, size, curveName);
+ }
+
+ public PSDeletedKeyVaultKey DeleteManagedHsmKey(string managedHsmName, string keyName)
+ {
+ return HsmClient.DeleteKey(managedHsmName, keyName);
+ }
+
+ public PSKeyVaultKey UpdateManagedHsmKey(string managedHsmName, string keyName, string keyVersion, PSKeyVaultKeyAttributes keyAttributes)
+ {
+ return HsmClient.UpdateKey(managedHsmName, keyName, keyVersion, keyAttributes);
+ }
+
+ public PSKeyVaultKey RecoverManagedHsmKey(string managedHsmName, string keyName)
+ {
+ return HsmClient.RecoverKey(managedHsmName, keyName);
+ }
+
+ public PSDeletedKeyVaultKey GetManagedHsmDeletedKey(string managedHsmName, string keyName)
+ {
+ return HsmClient.GetDeletedKey(managedHsmName, keyName);
+ }
+
+ public IEnumerable GetManagedHsmDeletedKeys(string managedHsmName)
+ {
+ return HsmClient.GetDeletedKeys(managedHsmName);
+ }
+
+ public PSKeyVaultKey GetManagedHsmKey(string managedHsmName, string keyName, string keyVersion)
+ {
+ return HsmClient.GetKey(managedHsmName, keyName, keyVersion);
+ }
+
+ public IEnumerable GetManagedHsmKeys(string managedHsmName)
+ {
+ return HsmClient.GetKeys(managedHsmName);
+ }
+
+ public IEnumerable GetManagedHsmKeyAllVersions(string managedHsmName, string keyName)
+ {
+ return HsmClient.GetKeyAllVersions(managedHsmName, keyName);
+ }
+
+ public void PurgeManagedHsmKey(string managedHsmName, string keyName)
+ {
+ HsmClient.PurgeKey(managedHsmName, keyName);
+ }
+
+ public PSKeyVaultKey ImportManagedHsmKey(string managedHsmName, string keyName, JsonWebKey webKey)
+ {
+ return HsmClient.ImportKey(managedHsmName, keyName, webKey);
+ }
+
+ #endregion
+
}
}
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault/Track2Models/Track2ModelConvertionExtensions.cs b/src/KeyVault/KeyVault/Track2Models/Track2ModelConvertionExtensions.cs
index 670cbc489bf7..4227bcdb4fde 100644
--- a/src/KeyVault/KeyVault/Track2Models/Track2ModelConvertionExtensions.cs
+++ b/src/KeyVault/KeyVault/Track2Models/Track2ModelConvertionExtensions.cs
@@ -4,6 +4,7 @@
using Track2Sdk = Azure.Security.KeyVault.Keys;
using Track1Sdk = Microsoft.Azure.KeyVault.WebKey;
using System.Security.Cryptography;
+using System.Linq;
namespace Microsoft.Azure.Commands.KeyVault
{
@@ -36,13 +37,8 @@ public static Track1Sdk.JsonWebKey ToTrack1JsonWebKey(this Track2Sdk.JsonWebKey
// SDK doesn't have a definition of OctHSM, so I need to use string comparison
else if (track2Key.KeyType == Track2Sdk.KeyType.Oct || track2Key.KeyType.ToString() == @"oct-HSM")
{
- // Track2 JsonWebKey.ToAes() requires key type to be oct only, but hsm always return the type as oct-HSM
- // so I manually take care of the conversion
- // however K is always null
- // todo: check with Ma Bin
- Aes aes = Aes.Create();
- aes.Key = track2Key.K;
- track1Key = new Track1Sdk.JsonWebKey(aes);
+ track1Key = new Track1Sdk.JsonWebKey();
+ track1Key.Kty = track2Key.KeyType.ToString();
}
else
{
diff --git a/src/KeyVault/KeyVault/help/Add-AzKeyVaultNetworkRule.md b/src/KeyVault/KeyVault/help/Add-AzKeyVaultNetworkRule.md
index 1e315bdaec09..6c1d7806c035 100644
--- a/src/KeyVault/KeyVault/help/Add-AzKeyVaultNetworkRule.md
+++ b/src/KeyVault/KeyVault/help/Add-AzKeyVaultNetworkRule.md
@@ -36,7 +36,7 @@ Add-AzKeyVaultNetworkRule [-ResourceId] [-IpAddressRange ]
## DESCRIPTION
The **Add-AzKeyVaultNetworkRule** cmdlet grants or restricts access to a key vault to a set of caller designated by their IP addresses or the virtual network to which they belong. The rule has the potential to restrict access for other users, applications, or security groups which have been granted permissions via the access policy.
-Please note that any IP range inside `10.0.0.0–10.255.255.255` (private IP addresses) cannot be used to add network rules.
+Please note that any IP range inside `10.0.0.0-10.255.255.255` (private IP addresses) cannot be used to add network rules.
## EXAMPLES
diff --git a/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md b/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md
new file mode 100644
index 000000000000..b7cd69fd6360
--- /dev/null
+++ b/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md
@@ -0,0 +1,440 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll-Help.xml
+Module Name: Az.KeyVault
+online version: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/add-azmanagedhsmkey
+schema: 2.0.0
+---
+
+# Add-AzManagedHsmKey
+
+## SYNOPSIS
+Creates a key in a managed HSM or imports a key into a managed HSM.
+
+## SYNTAX
+
+### InteractiveCreate (Default)
+```
+Add-AzManagedHsmKey [-HsmName] [-Name] -KeyType [-CurveName ] [-Disable]
+ [-KeyOps ] [-Expires ] [-NotBefore ] [-Tag ] [-Size ]
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+### InteractiveImport
+```
+Add-AzManagedHsmKey [-HsmName] [-Name] -KeyFilePath
+ [-KeyFilePassword ] -KeyType [-CurveName ] [-Disable] [-KeyOps ]
+ [-Expires ] [-NotBefore ] [-Tag ] [-DefaultProfile ]
+ [-WhatIf] [-Confirm] []
+```
+
+### InputObjectCreate
+```
+Add-AzManagedHsmKey [-InputObject] [-Name] -KeyType [-CurveName ]
+ [-Disable] [-KeyOps ] [-Expires ] [-NotBefore ] [-Tag ]
+ [-Size ] [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+### InputObjectImport
+```
+Add-AzManagedHsmKey [-InputObject] [-Name] -KeyFilePath
+ [-KeyFilePassword ] -KeyType [-CurveName ] [-Disable] [-KeyOps ]
+ [-Expires ] [-NotBefore ] [-Tag ] [-DefaultProfile ]
+ [-WhatIf] [-Confirm] []
+```
+
+### ResourceIdCreate
+```
+Add-AzManagedHsmKey [-ResourceId] [-Name] -KeyType [-CurveName ] [-Disable]
+ [-KeyOps ] [-Expires ] [-NotBefore ] [-Tag ] [-Size ]
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+### ResourceIdImport
+```
+Add-AzManagedHsmKey [-ResourceId] [-Name] -KeyFilePath
+ [-KeyFilePassword ] -KeyType [-CurveName ] [-Disable] [-KeyOps ]
+ [-Expires ] [-NotBefore ] [-Tag ] [-DefaultProfile ]
+ [-WhatIf] [-Confirm] []
+```
+
+## DESCRIPTION
+The **Add-AzManagedHsmKey** cmdlet creates a key in a managed HSM in Azure Managed Hsm or imports a key into a managed HSM.
+Use this cmdlet to add keys by using any of the following methods:
+- Create a key with default key attributes
+- Create a key with given key attributes
+- Import a key from a .pfx file on your computer.
+For any of these operations, you can provide key attributes or accept default settings.
+If you create or import a key that has the same name as an existing key in your managed HSM, the
+original key is updated with the values that you specify for the new key. You can access the
+previous values by using the version-specific URI for that version of the key. To learn about key
+versions and the URI structure, see [About Keys and Secrets](http://go.microsoft.com/fwlink/?linkid=518560)
+in the Managed HSM REST API documentation.
+
+## EXAMPLES
+
+### Example 1: Create a RSA-HSM key
+```powershell
+PS C:\> Add-AzManagedHsmKey -HsmName testmhsm -Name testkey -KeyType RSA
+
+Vault/HSM Name : testmhsm
+Name : testkey
+Version : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+Id : https://bezmhsm.managedhsm.azure.net:443/keys/testkey/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+Enabled : True
+Expires :
+Not Before :
+Created : 10/14/2020 7:55:43 AM
+Updated : 10/14/2020 7:55:43 AM
+Recovery Level : Recoverable+Purgeable
+Tags :
+```
+
+This command creates a RSA-HSM key named testkey in the managed HSM testkey named testmhsm.
+
+### Example 2: Create a EC-HSM key
+```powershell
+PS C:\> Add-AzManagedHsmKey -HsmName testmhsm -Name testkey -KeyType EC -CurveName P-256
+
+Vault/HSM Name : testmhsm
+Name : testkey
+Version : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+Id : https://bezmhsm.managedhsm.azure.net:443/keys/testkey/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+Enabled : True
+Expires :
+Not Before :
+Created : 10/14/2020 8:06:26 AM
+Updated : 10/14/2020 8:06:26 AM
+Recovery Level : Recoverable+Purgeable
+Tags :
+```
+
+This command creates a EC-HSM key named testkey using P-256 curve in the managed HSM testkey named testmhsm.
+
+### Example 3: Create a key with non-default values
+```powershell
+PS C:\> $KeyOperations = 'decrypt', 'verify'
+PS C:\> $Expires = (Get-Date).AddYears(2).ToUniversalTime()
+PS C:\> $NotBefore = (Get-Date).ToUniversalTime()
+PS C:\> $Tags = @{'Severity' = 'high'; 'Accounting' = "true"}
+PS C:\> Add-AzManagedHsmKey -HsmName testmhsm -Name testkey -KeyType oct -Expires $Expires -NotBefore $NotBefore -KeyOps $KeyOperations -Disable -Tag $Tags
+
+Vault/HSM Name : testmhsm
+Name : testkey
+Version : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+Id : https://bezmhsm.managedhsm.azure.net:443/keys/testkey/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+Enabled : False
+Expires : 10/14/2022 8:13:29 AM
+Not Before : 10/14/2020 8:13:33 AM
+Created : 10/14/2020 8:14:01 AM
+Updated : 10/14/2020 8:14:01 AM
+Recovery Level : Recoverable+Purgeable
+Tags : Name Value
+ Severity high
+ Accounting true
+```
+
+The first command stores the values decrypt and verify in the $KeyOperations variable.
+The second command creates a **DateTime** object, defined in UTC, by using the **Get-Date** cmdlet.
+That object specifies a time two years in the future. The command stores that date in the $Expires
+variable. For more information, type `Get-Help Get-Date`.
+The third command creates a **DateTime** object by using the **Get-Date** cmdlet. That object
+specifies current UTC time. The command stores that date in the $NotBefore variable.
+The final command creates a key named testkey that is an oct-HSM key. The command specifies
+values for allowed key operations stored $KeyOperations. The command specifies times for
+the *Expires* and *NotBefore* parameters created in the previous commands, and tags for high
+severity and IT. The new key is disabled. You can enable it by using the **Update-AzManagedHsmKey**
+cmdlet.
+
+## PARAMETERS
+
+### -CurveName
+Specifies the curve name of elliptic curve cryptography, this value is valid when KeyType is EC.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Disable
+Indicates that the key you are adding is set to an initial state of disabled.
+Any attempt to use the key will fail.
+Use this parameter if you are preloading keys that you intend to enable later.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Expires
+Specifies the expiration time of the key in UTC.
+If not specified, key will not expire.
+
+```yaml
+Type: System.Nullable`1[System.DateTime]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -HsmName
+HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.
+
+```yaml
+Type: System.String
+Parameter Sets: InteractiveCreate, InteractiveImport
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+HSM object.
+
+```yaml
+Type: Microsoft.Azure.Commands.KeyVault.Models.PSManagedHsm
+Parameter Sets: InputObjectCreate, InputObjectImport
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -KeyFilePassword
+Password of the local file containing the key material to be imported.
+
+```yaml
+Type: System.Security.SecureString
+Parameter Sets: InteractiveImport, InputObjectImport, ResourceIdImport
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -KeyFilePath
+Path to the local file containing the key material to be imported.
+
+```yaml
+Type: System.String
+Parameter Sets: InteractiveImport, InputObjectImport, ResourceIdImport
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -KeyOps
+The operations that can be performed with the key.
+If not present, all operations can be performed.
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -KeyType
+Specifies the key type of this key.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Name
+Key name.
+Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment and key name.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases: KeyName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -NotBefore
+The UTC time before which the key can't be used.
+If not specified, there is no limitation.
+
+```yaml
+Type: System.Nullable`1[System.DateTime]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceId
+HSM Resource Id.
+
+```yaml
+Type: System.String
+Parameter Sets: ResourceIdCreate, ResourceIdImport
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -Size
+RSA key size, in bits.
+If not specified, the service will provide a safe default.
+
+```yaml
+Type: System.Nullable`1[System.Int32]
+Parameter Sets: InteractiveCreate, InputObjectCreate, ResourceIdCreate
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tag
+A hashtable representing key tags.
+
+```yaml
+Type: System.Collections.Hashtable
+Parameter Sets: (All)
+Aliases: Tags
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSManagedHsm
+
+### System.String
+
+## OUTPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSManagedHsm
+
+## NOTES
+
+## RELATED LINKS
+
+[Backup-AzManagedHsmKey](./Backup-AzManagedHsmKey.md)
+
+[Get-AzManagedHsmKey](./Get-AzManagedHsmKey.md)
+
+[Remove-AzManagedHsmKey](./Remove-AzManagedHsmKey.md)
+
+[Undo-AzManagedHsmKeyRemoval](./Undo-AzManagedHsmKeyRemoval.md)
+
+[Update-AzManagedHsmKey](./Update-AzManagedHsmKey.md)
+
+[Restore-AzManagedHsmKey](./Restore-AzManagedHsmKey.md)
diff --git a/src/KeyVault/KeyVault/help/Az.KeyVault.md b/src/KeyVault/KeyVault/help/Az.KeyVault.md
index c2e5eaf06ef3..37332c13328c 100644
--- a/src/KeyVault/KeyVault/help/Az.KeyVault.md
+++ b/src/KeyVault/KeyVault/help/Az.KeyVault.md
@@ -26,6 +26,9 @@ Adds an existing Azure Storage Account to the specified key vault for its keys t
### [Add-AzKeyVaultNetworkRule](Add-AzKeyVaultNetworkRule.md)
Adds a rule meant to restrict access to a key vault based on the client's internet address.
+### [Add-AzManagedHsmKey](Add-AzManagedHsmKey.md)
+Creates a key in a managed HSM or imports a key into a managed HSM.
+
### [Backup-AzKeyVaultCertificate](Backup-AzKeyVaultCertificate.md)
Backs up a certificate in a key vault.
@@ -38,6 +41,9 @@ Backs up a KeyVault-managed storage account.
### [Backup-AzKeyVaultSecret](Backup-AzKeyVaultSecret.md)
Backs up a secret in a key vault.
+### [Backup-AzManagedHsmKey](Backup-AzManagedHsmKey.md)
+Backs up a key in a managed HSM.
+
### [Get-AzKeyVault](Get-AzKeyVault.md)
Gets key vaults.
@@ -68,6 +74,12 @@ Gets Key Vault managed Storage SAS Definitions.
### [Get-AzKeyVaultSecret](Get-AzKeyVaultSecret.md)
Gets the secrets in a key vault.
+### [Get-AzManagedHsm](Get-AzManagedHsm.md)
+Get managed HSMs.
+
+### [Get-AzManagedHsmKey](Get-AzManagedHsmKey.md)
+Gets Managed Hsm keys.
+
### [Import-AzKeyVaultCertificate](Import-AzKeyVaultCertificate.md)
Imports a certificate to a key vault.
@@ -86,6 +98,9 @@ Creates an in-memory certificate policy object.
### [New-AzKeyVaultNetworkRuleSetObject](New-AzKeyVaultNetworkRuleSetObject.md)
Create an object representing the network rule settings.
+### [New-AzManagedHsm](New-AzManagedHsm.md)
+Creates a managed HSM.
+
### [Remove-AzKeyVault](Remove-AzKeyVault.md)
Deletes a key vault.
@@ -119,6 +134,12 @@ Removes a network rule from a key vault.
### [Remove-AzKeyVaultSecret](Remove-AzKeyVaultSecret.md)
Deletes a secret in a key vault.
+### [Remove-AzManagedHsm](Remove-AzManagedHsm.md)
+Deletes a managed HSM.
+
+### [Remove-AzManagedHsmKey](Remove-AzManagedHsmKey.md)
+Deletes a key in a managed HSM.
+
### [Restore-AzKeyVaultCertificate](Restore-AzKeyVaultCertificate.md)
Restores a certificate in a key vault from a backup file.
@@ -131,6 +152,9 @@ Restores a managed storage account in a key vault from a backup file.
### [Restore-AzKeyVaultSecret](Restore-AzKeyVaultSecret.md)
Creates a secret in a key vault from a backed-up secret.
+### [Restore-AzManagedHsmKey](Restore-AzManagedHsmKey.md)
+Creates a key in a managed HSM from a backed-up key.
+
### [Set-AzKeyVaultAccessPolicy](Set-AzKeyVaultAccessPolicy.md)
Grants or modifies existing permissions for a user, application, or security group to perform operations with a key vault.
@@ -167,6 +191,9 @@ Recovers a deleted key vault into an active state.
### [Undo-AzKeyVaultSecretRemoval](Undo-AzKeyVaultSecretRemoval.md)
Recovers a deleted secret in a key vault into an active state.
+### [Undo-AzManagedHsmKeyRemoval](Undo-AzManagedHsmKeyRemoval.md)
+Recovers a deleted key in a managed HSM into an active state.
+
### [Update-AzKeyVault](Update-AzKeyVault.md)
Update the state of an Azure key vault.
@@ -188,3 +215,9 @@ Updates the network rule set on a key vault.
### [Update-AzKeyVaultSecret](Update-AzKeyVaultSecret.md)
Updates attributes of a secret in a key vault.
+### [Update-AzManagedHsm](Update-AzManagedHsm.md)
+Update the state of an Azure managed HSM.
+
+### [Update-AzManagedHsmKey](Update-AzManagedHsmKey.md)
+Updates the attributes of a key in a managed HSM.
+
diff --git a/src/KeyVault/KeyVault/help/Backup-AzManagedHsmKey.md b/src/KeyVault/KeyVault/help/Backup-AzManagedHsmKey.md
new file mode 100644
index 000000000000..f524a47576de
--- /dev/null
+++ b/src/KeyVault/KeyVault/help/Backup-AzManagedHsmKey.md
@@ -0,0 +1,200 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll-Help.xml
+Module Name: Az.KeyVault
+online version: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/backup-azmanagedhsmkey
+schema: 2.0.0
+---
+
+# Backup-AzManagedHsmKey
+
+## SYNOPSIS
+Backs up a key in a managed HSM.
+
+## SYNTAX
+
+### ByKeyName (Default)
+```
+Backup-AzManagedHsmKey [-HsmName] [-Name] [[-OutputFile] ] [-Force]
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+### ByKey
+```
+Backup-AzManagedHsmKey [-InputObject] [[-OutputFile] ] [-Force]
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+## DESCRIPTION
+The **Backup-AzManagedHsmKey** cmdlet backs up a specified key in a managed HSM by downloading it and storing it in a file.
+If there are multiple versions of the key, all versions are included in the backup.
+Because the downloaded content is encrypted, it cannot be used outside of Azure Managed HSM.
+You can restore a backed-up key to any managed HSM in the subscription that it was backed up from.
+Typical reasons to use this cmdlet are:
+- You want to escrow a copy of your key, so that you have an offline copy in case you accidentally delete your key in your managed HSM.
+
+- You created a key using Managed HSM and now want to clone the key into a different Azure region, so that you can use it from all instances of your distributed application.
+Use the **Backup-AzManagedHsmKey** cmdlet to retrieve the key in encrypted format and then use the Restore-AzManagedHsmKey cmdlet and specify a managed HSM in the second region.
+
+## EXAMPLES
+
+### Example 1: Back up a key with an automatically generated file name
+```powershell
+PS C:\Users\username\> Backup-AzManagedHsmKey -HsmName testmhsm -Name testkey
+
+C:\Users\username\testmhsm-testkey-1602664728.7106073
+```
+
+This command retrieves the key named testkey from the managed HSM named testmhsm and saves a backup of that key to a file that is automatically named for you, and displays the file name.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Overwrite the given file if it exists
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -HsmName
+HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.
+
+```yaml
+Type: System.String
+Parameter Sets: ByKeyName
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Key bundle to back up, pipelined in from the output of a retrieval call.
+
+```yaml
+Type: Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKeyIdentityItem
+Parameter Sets: ByKey
+Aliases: Key
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Name
+Key name.
+Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment and key name.
+
+```yaml
+Type: System.String
+Parameter Sets: ByKeyName
+Aliases: KeyName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OutputFile
+Output file.
+The output file to store the backed up key blob in.
+If not present, a default filename is chosen.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKeyIdentityItem
+
+## OUTPUTS
+
+### System.String
+
+## NOTES
+
+## RELATED LINKS
+
+[Add-AzManagedHsmKey](./Add-AzManagedHsmKey.md)
+
+[Get-AzManagedHsmKey](./Get-AzManagedHsmKey.md)
+
+[Remove-AzManagedHsmKey](./Remove-AzManagedHsmKey.md)
+
+[Undo-AzManagedHsmKeyRemoval](./Undo-AzManagedHsmKeyRemoval.md)
+
+[Update-AzManagedHsmKey](./Update-AzManagedHsmKey.md)
+
+[Restore-AzManagedHsmKey](./Restore-AzManagedHsmKey.md)
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault/help/Get-AzKeyVaultKey.md b/src/KeyVault/KeyVault/help/Get-AzKeyVaultKey.md
index 4695f049439c..d5d1314fb56f 100644
--- a/src/KeyVault/KeyVault/help/Get-AzKeyVaultKey.md
+++ b/src/KeyVault/KeyVault/help/Get-AzKeyVaultKey.md
@@ -152,7 +152,7 @@ Purge Disabled : False
Tags :
```
-This command gets all versions the key named ITPfx in the key vaultnamed Contoso.
+This command gets all versions the key named ITPfx in the key vault named Contoso.
### Example 4: Get a specific version of a key
```powershell
@@ -174,7 +174,7 @@ Tags :
This command gets a specific version of the key named test1 in the key vault named Contoso.
After running this command, you can inspect various properties of the key by navigating the $Key object.
-### Example 5: Get all the keys that have been deleted but not purged for this key vault.
+### Example 5: Get all the keys that have been deleted but not purged for this key vault
```powershell
PS C:\> Get-AzKeyVaultKey -VaultName 'contoso' -InRemovedState
diff --git a/src/KeyVault/KeyVault/help/Get-AzManagedHsmKey.md b/src/KeyVault/KeyVault/help/Get-AzManagedHsmKey.md
new file mode 100644
index 000000000000..a33abac37f70
--- /dev/null
+++ b/src/KeyVault/KeyVault/help/Get-AzManagedHsmKey.md
@@ -0,0 +1,451 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll-Help.xml
+Module Name: Az.KeyVault
+online version: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/get-azmanagedhsmkey
+schema: 2.0.0
+---
+
+# Get-AzManagedHsmKey
+
+## SYNOPSIS
+Gets Managed Hsm keys.
+
+## SYNTAX
+
+### SpecifyHsmByHsmNameGetKeyWithoutConstraint (Default)
+```
+Get-AzManagedHsmKey [-HsmName] [[-Name] ] [-InRemovedState] [-OutFile ]
+ [-DefaultProfile ] []
+```
+
+### SpecifyHsmByHsmNameGetKeyWithSpecifiedVersion
+```
+Get-AzManagedHsmKey [-HsmName] [-Name] [-Version] [-OutFile ]
+ [-DefaultProfile ] []
+```
+
+### SpecifyHsmByHsmNameGetKeyIncludeAllVersions
+```
+Get-AzManagedHsmKey [-HsmName] [-Name] [-IncludeVersions] [-OutFile ]
+ [-DefaultProfile ] []
+```
+
+### SpecifyHsmByInputObjectGetKeyWithoutConstraint
+```
+Get-AzManagedHsmKey [-InputObject] [[-Name] ] [-InRemovedState] [-OutFile ]
+ [-DefaultProfile ] []
+```
+
+### SpecifyHsmByInputObjectGetKeyWithSpecifiedVersion
+```
+Get-AzManagedHsmKey [-InputObject] [-Name] [-Version] [-OutFile ]
+ [-DefaultProfile ] []
+```
+
+### SpecifyHsmByInputObjectGetKeyIncludeAllVersions
+```
+Get-AzManagedHsmKey [-InputObject] [-Name] [-IncludeVersions] [-OutFile ]
+ [-DefaultProfile ] []
+```
+
+### SpecifyHsmByResourceIdGetKeyWithoutConstraint
+```
+Get-AzManagedHsmKey [-ResourceId] [[-Name] ] [-InRemovedState] [-OutFile ]
+ [-DefaultProfile ] []
+```
+
+### SpecifyHsmByResourceIdGetKeyWithSpecifiedVersion
+```
+Get-AzManagedHsmKey [-ResourceId] [-Name] [-Version] [-OutFile ]
+ [-DefaultProfile ] []
+```
+
+### SpecifyHsmByResourceIdGetKeyIncludeAllVersions
+```
+Get-AzManagedHsmKey [-ResourceId] [-Name] [-IncludeVersions] [-OutFile ]
+ [-DefaultProfile ] []
+```
+
+## DESCRIPTION
+The **Get-AzManagedHsmKey** cmdlet gets Azure Managed Hsm keys.
+This cmdlet gets a specific **Microsoft.Azure.Commands.KeyVault.Models.KeyBundle** or a list of all **KeyBundle** objects in a managed Hsm or by version.
+
+## EXAMPLES
+
+### Example 1: Get all the keys in a managed HSM
+```powershell
+PS C:\> Get-AzManagedHsmKey -HsmName testmhsm
+```
+
+Vault/HSM Name : testmhsm
+Name : testkey001
+Version :
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey001
+Enabled : True
+Expires :
+Not Before :
+Created : 10/14/2020 3:39:16 AM
+Updated : 10/14/2020 3:39:16 AM
+Recovery Level : Recoverable+Purgeable
+Tags :
+
+Vault/HSM Name : testmhsm
+Name : testkey002
+Version :
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey002
+Enabled : False
+Expires : 10/14/2022 8:13:29 AM
+Not Before : 10/14/2020 8:13:33 AM
+Created : 10/14/2020 8:14:01 AM
+Updated : 10/14/2020 8:14:01 AM
+Recovery Level : Recoverable+Purgeable
+Tags : Name Value
+ Severity high
+ Accounting true
+
+This command gets all the keys in the managed HSM named testmhsm.
+
+### Example 2: Get the current version of a key
+```powershell
+PS C:\>$hsm = Get-AzManagedHsmKey -HsmName testmhsm -KeyName testkey001
+PS C:\>$hsm
+
+Vault/HSM Name : testmhsm
+Name : testkey001
+Version : 9a9de2bcec540c3b160cd54cbae71339
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey/9a9de2bcec540c3b160cd54cbae71339
+Enabled : False
+Expires : 10/14/2022 8:13:29 AM
+Not Before : 10/14/2020 8:13:33 AM
+Created : 10/14/2020 8:14:01 AM
+Updated : 10/14/2020 8:14:01 AM
+Recovery Level : Recoverable+Purgeable
+Tags : Name Value
+ Severity high
+ Accounting true
+```
+
+This command gets the current version of the key named testkey001 in the managed HSM named testmhsm.
+Note: Hsm Name can be obtained by $hsm.VaultName
+
+### Example 3: Get all versions of a key
+```powershell
+PS C:\> Get-AzManagedHsmKey -HsmName testmhsm -KeyName testkey001 -IncludeVersions
+
+Vault/HSM Name : testmhsm
+Name : testkey001
+Version : 80fd43e31e8649873520053c91148418
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey001/80fd43e31e8649873520053c91148418
+Enabled : True
+Expires :
+Not Before :
+Created : 10/14/2020 8:06:26 AM
+Updated : 10/14/2020 8:06:26 AM
+Recovery Level : Recoverable+Purgeable
+Tags :
+
+Vault/HSM Name : testmhsm
+Name : testkey001
+Version : 9a9de2bcec540c3b160cd54cbae71339
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey001/9a9de2bcec540c3b160cd54cbae71339
+Enabled : False
+Expires : 10/14/2022 8:13:29 AM
+Not Before : 10/14/2020 8:13:33 AM
+Created : 10/14/2020 8:14:01 AM
+Updated : 10/14/2020 8:14:01 AM
+Recovery Level : Recoverable+Purgeable
+Tags : Name Value
+ Severity high
+ Accounting true
+```
+
+This command gets all versions the key named testkey001 in the managed HSM named testmhsm.
+
+### Example 4: Get a specific version of a key
+```powershell
+PS C:\> Get-AzManagedHsmKey -HsmName testmhsm -KeyName testkey -Version 80fd43e31e8649873520053c91148418
+
+Vault/HSM Name : testmhsm
+Name : testkey
+Version : 80fd43e31e8649873520053c91148418
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey/80fd43e31e8649873520053c91148418
+Enabled : True
+Expires :
+Not Before :
+Created : 10/14/2020 8:06:26 AM
+Updated : 10/14/2020 8:06:26 AM
+Recovery Level : Recoverable+Purgeable
+Tags :
+```
+
+This command gets a specific version of the key named testkey in the managed HSM named testmhsm.
+After running this command, you can inspect various properties of the key by navigating the $Key object.
+
+### Example 5: Get all the keys that have been deleted but not purged for this managed HSM
+```powershell
+PS C:\> Get-AzManagedHsmKey -HsmName testmhsm -InRemovedState
+
+Vault/HSM Name : testmhsm
+Name : testkey
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey
+Deleted Date : 10/14/2020 9:10:42 AM
+Scheduled Purge Date : 1/12/2021 9:10:42 AM
+Enabled : False
+Expires : 10/14/2022 8:13:29 AM
+Not Before : 10/14/2020 8:13:33 AM
+Created : 10/14/2020 8:14:01 AM
+Updated : 10/14/2020 8:14:01 AM
+Recovery Level : Recoverable+Purgeable
+Tags : Name Value
+ Severity high
+ Accounting true :
+```
+
+This command gets all the keys that have been previously deleted, but not purged, in the managed HSM named testmhsm.
+
+### Example 6: Gets the key testkey that has been deleted but not purged for this managed HSM
+```powershell
+PS C:\> Get-AzManagedHsmKey -HsmName testmhsm -Name testkey -InRemovedState
+
+Vault/HSM Name : testmhsm
+Name : testkey
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey/9a9de2bcec540c3b160cd54cbae71339
+Deleted Date : 10/14/2020 9:10:42 AM
+Scheduled Purge Date : 1/12/2021 9:10:42 AM
+Enabled : False
+Expires : 10/14/2022 8:13:29 AM
+Not Before : 10/14/2020 8:13:33 AM
+Created : 10/14/2020 8:14:01 AM
+Updated : 10/14/2020 8:14:01 AM
+Recovery Level : Recoverable+Purgeable
+Tags :
+```
+
+This command gets the key testkey that has been previously deleted, but not purged, in the managed HSM named testmhsm.
+This command will return metadata such as the deletion date, and the scheduled purging date of this deleted key.
+
+### Example 7: Get all the keys in a managed HSM using filtering
+```powershell
+PS C:\> Get-AzManagedHsmKey -HsmName testmhsm -KeyName "test*"
+
+Vault/HSM Name : testmhsm
+Name : testkey
+Version :
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey
+Enabled : False
+Expires : 10/14/2022 8:13:29 AM
+Not Before : 10/14/2020 8:13:33 AM
+Created : 10/14/2020 8:14:01 AM
+Updated : 10/14/2020 8:14:01 AM
+Recovery Level : Recoverable+Purgeable
+Tags :
+```
+
+This command gets all the keys in the managed HSM named testmhsm that start with "test".
+
+### Example 8: Download a public key as a .pem file
+
+```powershell
+PS C:\> Get-AzManagedHsmKey -HsmName bezmhsm -Name testkey -OutFile "C:\public.pem"
+
+Vault/HSM Name : testmhsm
+Name : testkey
+Version :
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey
+Enabled : False
+Expires : 10/14/2022 8:13:29 AM
+Not Before : 10/14/2020 8:13:33 AM
+Created : 10/14/2020 8:14:01 AM
+Updated : 10/14/2020 8:14:01 AM
+Recovery Level : Recoverable+Purgeable
+Tags :
+```
+
+You can download the public key of a RSA key by specifying the `-OutFile` parameter.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -HsmName
+HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.
+
+```yaml
+Type: System.String
+Parameter Sets: SpecifyHsmByHsmNameGetKeyWithoutConstraint, SpecifyHsmByHsmNameGetKeyWithSpecifiedVersion, SpecifyHsmByHsmNameGetKeyIncludeAllVersions
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncludeVersions
+Specifies whether to include the versions of the key in the output.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: SpecifyHsmByHsmNameGetKeyIncludeAllVersions, SpecifyHsmByInputObjectGetKeyIncludeAllVersions, SpecifyHsmByResourceIdGetKeyIncludeAllVersions
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+HSM object.
+
+```yaml
+Type: Microsoft.Azure.Commands.KeyVault.Models.PSManagedHsm
+Parameter Sets: SpecifyHsmByInputObjectGetKeyWithoutConstraint, SpecifyHsmByInputObjectGetKeyWithSpecifiedVersion, SpecifyHsmByInputObjectGetKeyIncludeAllVersions
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -InRemovedState
+Specifies whether to show the previously deleted keys in the output.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: SpecifyHsmByHsmNameGetKeyWithoutConstraint, SpecifyHsmByInputObjectGetKeyWithoutConstraint, SpecifyHsmByResourceIdGetKeyWithoutConstraint
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Name
+Key name.
+Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment and key name.
+
+```yaml
+Type: System.String
+Parameter Sets: SpecifyHsmByHsmNameGetKeyWithoutConstraint, SpecifyHsmByInputObjectGetKeyWithoutConstraint, SpecifyHsmByResourceIdGetKeyWithoutConstraint
+Aliases: KeyName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+```yaml
+Type: System.String
+Parameter Sets: SpecifyHsmByHsmNameGetKeyWithSpecifiedVersion, SpecifyHsmByHsmNameGetKeyIncludeAllVersions, SpecifyHsmByInputObjectGetKeyWithSpecifiedVersion, SpecifyHsmByInputObjectGetKeyIncludeAllVersions, SpecifyHsmByResourceIdGetKeyWithSpecifiedVersion, SpecifyHsmByResourceIdGetKeyIncludeAllVersions
+Aliases: KeyName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OutFile
+Specifies the output file for which this cmdlet saves the key.
+The public key is saved in PEM format by default.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceId
+HSM Resource Id.
+
+```yaml
+Type: System.String
+Parameter Sets: SpecifyHsmByResourceIdGetKeyWithoutConstraint, SpecifyHsmByResourceIdGetKeyWithSpecifiedVersion, SpecifyHsmByResourceIdGetKeyIncludeAllVersions
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -Version
+Key version.
+Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment, key name and key version.
+
+```yaml
+Type: System.String
+Parameter Sets: SpecifyHsmByHsmNameGetKeyWithSpecifiedVersion, SpecifyHsmByInputObjectGetKeyWithSpecifiedVersion, SpecifyHsmByResourceIdGetKeyWithSpecifiedVersion
+Aliases: KeyVersion
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKeyIdentityItem
+
+### System.String
+
+## OUTPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKeyIdentityItem
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKey
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSDeletedKeyVaultKeyIdentityItem
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSDeletedKeyVaultKey
+
+## NOTES
+
+## RELATED LINKS
+
+[Add-AzManagedHsmKey](./Add-AzManagedHsmKey.md)
+
+[Backup-AzManagedHsmKey](./Backup-AzManagedHsmKey.md)
+
+[Remove-AzManagedHsmKey](./Remove-AzManagedHsmKey.md)
+
+[Undo-AzManagedHsmKeyRemoval](./Undo-AzManagedHsmKeyRemoval.md)
+
+[Update-AzManagedHsmKey](./Update-AzManagedHsmKey.md)
+
+[Restore-AzManagedHsmKey](./Restore-AzManagedHsmKey.md)
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault/help/New-AzKeyVault.md b/src/KeyVault/KeyVault/help/New-AzKeyVault.md
index e50ccf60924f..d563bc7e60d4 100644
--- a/src/KeyVault/KeyVault/help/New-AzKeyVault.md
+++ b/src/KeyVault/KeyVault/help/New-AzKeyVault.md
@@ -278,7 +278,6 @@ Specifies the SKU of the key vault instance. For information about which feature
Type: System.String
Parameter Sets: (All)
Aliases:
-Accepted values: Standard, Premium
Required: False
Position: Named
diff --git a/src/KeyVault/KeyVault/help/Remove-AzManagedHsmKey.md b/src/KeyVault/KeyVault/help/Remove-AzManagedHsmKey.md
new file mode 100644
index 000000000000..6b0d63d973c7
--- /dev/null
+++ b/src/KeyVault/KeyVault/help/Remove-AzManagedHsmKey.md
@@ -0,0 +1,244 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll-Help.xml
+Module Name: Az.KeyVault
+online version: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/remove-azmanagedhsmkey
+schema: 2.0.0
+---
+
+# Remove-AzManagedHsmKey
+
+## SYNOPSIS
+Deletes a key in a managed HSM.
+
+## SYNTAX
+
+### RemoveByKeyNameParameterSet (Default)
+```
+Remove-AzManagedHsmKey [-HsmName] [-Name] [-Force] [-PassThru] [-InRemovedState]
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+### RemoveByInputObjectParameterSet
+```
+Remove-AzManagedHsmKey [-InputObject] [-Force] [-PassThru] [-InRemovedState]
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+## DESCRIPTION
+The Remove-AzManagedHsmKey cmdlet deletes a key in a managed HSM.
+If the key was accidentally deleted the key can be recovered using Undo-AzManagedHsmKeyRemoval by a user with special 'recover' permissions.
+This cmdlet has a value of high for the **ConfirmImpact** property.
+
+## EXAMPLES
+
+### Example 1: Remove a key from a managed HSM
+```powershell
+PS C:\> Remove-AzManagedHsmKey -HsmName testmhsm -Name testkey -PassThru
+
+Vault/HSM Name : testmhsm
+Name : testkey
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey/9a9de2bcec540c3b160cd54cbae71339
+Deleted Date : 10/14/2020 9:35:06 AM
+Scheduled Purge Date : 1/12/2021 9:35:06 AM
+Enabled : False
+Expires : 10/14/2022 8:13:29 AM
+Not Before : 10/14/2020 8:13:33 AM
+Created : 10/14/2020 8:14:01 AM
+Updated : 10/14/2020 8:14:01 AM
+Recovery Level : Recoverable+Purgeable
+Tags :
+```
+
+This command removes the key named testkey from the managed HSM named testmhsm.
+
+### Example 2: Remove a key without user confirmation
+```powershell
+PS C:\> Remove-AzManagedHsmKey -HsmName testmhsm -Name testkey -Force
+```
+
+This command removes the key named testkey from the managed HSM named testmhsm.
+The command specifies the *Force* parameter, and, therefore, the cmdlet does not prompt you for confirmation.
+
+### Example 3: Purge a deleted key from the managed HSM permanently
+```powershell
+PS C:\> Remove-AzManagedHsmKey -HsmName testmhsm -Name testkey -InRemovedState
+```
+
+This command removes the key named testkey from the managed HSM named testmhsm permanently.
+Executing this cmdlet requires the 'purge' permission, which must have been previously and explicitly granted to the user for this managed HSM.
+
+### Example 4: Remove keys by using the pipeline operator
+```powershell
+PS C:\> Get-AzManagedHsmKey -HsmName testmhsm | Where-Object {$_.Attributes.Enabled -eq $False} | Remove-AzManagedHsmKey
+```
+
+This command gets all the keys in the managed HSM named testmhsm and passes them to the **Where-Object** cmdlet by using the pipeline operator.
+That cmdlet passes the keys that have a value of $False for the **Enabled** attribute to the current cmdlet.
+That cmdlet removes those keys.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Do not ask for confirmation.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -HsmName
+HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.
+
+```yaml
+Type: System.String
+Parameter Sets: RemoveByKeyNameParameterSet
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Key Object
+
+```yaml
+Type: Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKeyIdentityItem
+Parameter Sets: RemoveByInputObjectParameterSet
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -InRemovedState
+Remove the previously deleted key permanently.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Name
+Key name.
+Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment and key name.
+
+```yaml
+Type: System.String
+Parameter Sets: RemoveByKeyNameParameterSet
+Aliases: KeyName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PassThru
+Cmdlet does not return an object by default.
+If this switch is specified, the cmdlet returns the key object that was deleted.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKeyIdentityItem
+
+## OUTPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSDeletedKeyVaultKey
+
+## NOTES
+
+## RELATED LINKS
+
+[Add-AzManagedHsmKey](./Add-AzManagedHsmKey.md)
+
+[Backup-AzManagedHsmKey](./Backup-AzManagedHsmKey.md)
+
+[Get-AzManagedHsmKey](./Get-AzManagedHsmKey.md)
+
+[Undo-AzManagedHsmKeyRemoval](./Undo-AzManagedHsmKeyRemoval.md)
+
+[Update-AzManagedHsmKey](./Update-AzManagedHsmKey.md)
+
+[Restore-AzManagedHsmKey](./Restore-AzManagedHsmKey.md)
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault/help/Restore-AzManagedHsmKey.md b/src/KeyVault/KeyVault/help/Restore-AzManagedHsmKey.md
new file mode 100644
index 000000000000..cde27cda638f
--- /dev/null
+++ b/src/KeyVault/KeyVault/help/Restore-AzManagedHsmKey.md
@@ -0,0 +1,199 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll-Help.xml
+Module Name: Az.KeyVault
+online version: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/restore-azmanagedhsmkey
+schema: 2.0.0
+---
+
+# Restore-AzManagedHsmKey
+
+## SYNOPSIS
+Creates a key in a managed HSM from a backed-up key.
+
+## SYNTAX
+
+### ByHsmName (Default)
+```
+Restore-AzManagedHsmKey [-HsmName] [-InputFile] [-DefaultProfile ]
+ [-WhatIf] [-Confirm] []
+```
+
+### ByInputObject
+```
+Restore-AzManagedHsmKey [-InputObject] [-InputFile]
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+### ByResourceId
+```
+Restore-AzManagedHsmKey [-ResourceId] [-InputFile] [-DefaultProfile ]
+ [-WhatIf] [-Confirm] []
+```
+
+## DESCRIPTION
+The **Restore-AzManagedHsmKey** cmdlet creates a key in the specified managed HSM.
+This key is a replica of the backed-up key in the input file and has the same name as the original key.
+If the managed HSM already has a key by the same name, this cmdlet fails instead of overwriting the original key.
+If the backup contains multiple versions of a key, all versions are restored.
+The managed HSM that you restore the key into can be different from the managed HSM that you backed up the key from.
+However, the managed HSM must use the same subscription and be in an Azure region in the same geography (for example, North America).
+See the Microsoft Azure Trust Center (https://azure.microsoft.com/support/trust-center/) for the mapping of Azure regions to geographies.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\> Restore-AzManagedHsmKey -HsmName testmhsm -InputFile "C:\Backup.blob"
+
+Vault/HSM Name : testmhsm
+Name : testkey001
+Version : 7cff8510da04433b98144a3e33ad2bae
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey001/7cff8510da04433b98144a3e33ad2bae
+Enabled : True
+Expires :
+Not Before :
+Created : 10/14/2020 10:13:03 AM
+Updated : 10/14/2020 10:13:03 AM
+Recovery Level : Recoverable+Purgeable
+Tags :
+```
+
+This command restores a key, including all of its versions, from the backup file named Backup.blob into the managed HSM named testmhsm.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -HsmName
+HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.
+
+```yaml
+Type: System.String
+Parameter Sets: ByHsmName
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputFile
+Input file.
+The input file containing the backed-up blob
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+HSM object
+
+```yaml
+Type: Microsoft.Azure.Commands.KeyVault.Models.PSManagedHsm
+Parameter Sets: ByInputObject
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceId
+HSM Resource Id
+
+```yaml
+Type: System.String
+Parameter Sets: ByResourceId
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKeyIdentityItem
+
+### System.String
+
+## OUTPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKey
+
+## NOTES
+
+## RELATED LINKS
+
+[Add-AzManagedHsmKey](./Add-AzManagedHsmKey.md)
+
+[Backup-AzManagedHsmKey](./Backup-AzManagedHsmKey.md)
+
+[Remove-AzManagedHsmKey](./Remove-AzManagedHsmKey.md)
+
+[Undo-AzManagedHsmKeyRemoval](./Undo-AzManagedHsmKeyRemoval.md)
+
+[Get-AzManagedHsmKey](./Get-AzManagedHsmKey.md)
+
+[Update-AzManagedHsmKey](./Update-AzManagedHsmKey.md)
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault/help/Undo-AzManagedHsmKeyRemoval.md b/src/KeyVault/KeyVault/help/Undo-AzManagedHsmKeyRemoval.md
new file mode 100644
index 000000000000..14343e0e574e
--- /dev/null
+++ b/src/KeyVault/KeyVault/help/Undo-AzManagedHsmKeyRemoval.md
@@ -0,0 +1,172 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll-Help.xml
+Module Name: Az.KeyVault
+online version: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/undo-azmanagedhsmkeyremoval
+schema: 2.0.0
+---
+
+# Undo-AzManagedHsmKeyRemoval
+
+## SYNOPSIS
+Recovers a deleted key in a managed HSM into an active state.
+
+## SYNTAX
+
+### Default (Default)
+```
+Undo-AzManagedHsmKeyRemoval [-HsmName] [-Name] [-DefaultProfile ]
+ [-WhatIf] [-Confirm] []
+```
+
+### InputObject
+```
+Undo-AzManagedHsmKeyRemoval [-InputObject]
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+## DESCRIPTION
+The **Undo-AzManagedHsmKeyRemoval** cmdlet will recover a previously deleted key.
+The recovered key will be active and can be used for all normal key operations.
+Caller needs to have 'recover' permission in order to perform this operation.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\> Undo-AzManagedHsmKeyRemoval -HsmName testmhsm -Name testkey001
+
+Vault/HSM Name : testmhsm
+Name : testkey001
+Version : 7cff8510da04433b98144a3e33ad2bae
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey001/7cff8510da04433b98144a3e33ad2bae
+Enabled : True
+Expires :
+Not Before :
+Created : 10/14/2020 10:13:03 AM
+Updated : 10/14/2020 10:13:03 AM
+Recovery Level : Recoverable+Purgeable
+Tags :
+```
+
+This command will recover the key 'testkey001' that was previously deleted, into an active and usable state.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -HsmName
+HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.
+
+```yaml
+Type: System.String
+Parameter Sets: Default
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Deleted key object
+
+```yaml
+Type: Microsoft.Azure.Commands.KeyVault.Models.PSDeletedKeyVaultKeyIdentityItem
+Parameter Sets: InputObject
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Name
+Key name.
+Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment and key name.
+
+```yaml
+Type: System.String
+Parameter Sets: Default
+Aliases: KeyName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSDeletedKeyVaultKeyIdentityItem
+
+## OUTPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKey
+
+## NOTES
+
+## RELATED LINKS
+
+[Add-AzManagedHsmKey](./Add-AzManagedHsmKey.md)
+
+[Backup-AzManagedHsmKey](./Backup-AzManagedHsmKey.md)
+
+[Remove-AzManagedHsmKey](./Remove-AzManagedHsmKey.md)
+
+[Restore-AzManagedHsmKey](./Restore-AzManagedHsmKey.md)
+
+[Get-AzManagedHsmKey](./Get-AzManagedHsmKey.md)
+
+[Update-AzManagedHsmKey](./Update-AzManagedHsmKey.md)
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault/help/Update-AzManagedHsm.md b/src/KeyVault/KeyVault/help/Update-AzManagedHsm.md
index a203836b1d8a..de5d6784a1fc 100644
--- a/src/KeyVault/KeyVault/help/Update-AzManagedHsm.md
+++ b/src/KeyVault/KeyVault/help/Update-AzManagedHsm.md
@@ -1,4 +1,4 @@
----
+---
external help file: Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll-Help.xml
Module Name: Az.KeyVault
online version: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azmanagedhsm
@@ -57,7 +57,6 @@ Tags :
Name Value
==== =====
testKey testValued
-
```
Updates tags for the managed Hsm named `$hsmName` in resource group `$resourceGroupName`.
diff --git a/src/KeyVault/KeyVault/help/Update-AzManagedHsmKey.md b/src/KeyVault/KeyVault/help/Update-AzManagedHsmKey.md
new file mode 100644
index 000000000000..cd18ddd5140c
--- /dev/null
+++ b/src/KeyVault/KeyVault/help/Update-AzManagedHsmKey.md
@@ -0,0 +1,293 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll-Help.xml
+Module Name: Az.KeyVault
+online version: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azmanagedhsmkey
+schema: 2.0.0
+---
+
+# Update-AzManagedHsmKey
+
+## SYNOPSIS
+Updates the attributes of a key in a managed HSM.
+
+## SYNTAX
+
+### Default (Default)
+```
+Update-AzManagedHsmKey [-HsmName] [-Name] [[-Version] ] [-Enable ]
+ [-Expires ] [-NotBefore ] [-KeyOps ] [-Tag ] [-PassThru]
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+### InputObject
+```
+Update-AzManagedHsmKey [-InputObject] [[-Version] ] [-Enable ]
+ [-Expires ] [-NotBefore ] [-KeyOps ] [-Tag ] [-PassThru]
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+## DESCRIPTION
+The **Update-AzManagedHsmKey** cmdlet updates the editable attributes of a key in a managed HSM.
+
+## EXAMPLES
+
+### Example 1: Modify a key to enable it, and set the expiration date and tags
+```powershell
+PS C:\> $Expires = (Get-Date).AddYears(2).ToUniversalTime()
+PS C:\> $Tags = @{'Severity' = 'high'; 'Accounting' = 'true'}
+PS C:\> Update-AzManagedHsmKey -HsmName testmhsm -Name testkey001 -Expires $Expires -Enable $True -Tag $Tags -PassThru
+
+Vault/HSM Name : testmhsm
+Name : testkey001
+Version : 49b74a39dab605bd336628dc094dc31b
+Id : https://testmhsm.managedhsm.azure.net:443/keys/testkey001/49b74a39dab605bd336628dc094dc31b
+Enabled : True
+Expires : 10/14/2022 9:46:55 AM
+Not Before :
+Created : 10/14/2020 3:39:16 AM
+Updated : 10/14/2020 9:47:06 AM
+Recovery Level : Recoverable+Purgeable
+Tags : Name Value
+ Severity high
+ Accounting true
+```
+
+The first command creates a **DateTime** object by using the **Get-Date** cmdlet. That object
+specifies a time two years in the future. The command stores that date in the $Expires variable.
+For more information, type `Get-Help Get-Date`.
+The second command creates a variable to store tag values of high severity and Accounting.
+The final command modifies a key named testkey001. The command enables the key, sets its expiration
+time to the time stored in $Expires, and sets the tags that are stored in $Tags.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Enable
+Value of true enables the key and a value of false disabless the key.
+If not specified, the existing enabled/disabled state remains unchanged.
+
+```yaml
+Type: System.Nullable`1[System.Boolean]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Expires
+The expiration time of a key in UTC time.
+If not specified, the existing expiration time of the key remains unchanged.
+
+```yaml
+Type: System.Nullable`1[System.DateTime]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -HsmName
+HSM name. Cmdlet constructs the FQDN of a managed HSM based on the name and currently selected environment.
+
+```yaml
+Type: System.String
+Parameter Sets: Default
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Key object
+
+```yaml
+Type: Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKeyIdentityItem
+Parameter Sets: InputObject
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -KeyOps
+The operations that can be performed with the key.
+If not specified, the existing key operations of the key remain unchanged.
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Name
+Key name.
+Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment and key name.
+
+```yaml
+Type: System.String
+Parameter Sets: Default
+Aliases: KeyName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -NotBefore
+The UTC time before which key can't be used.
+If not specified, the existing NotBefore attribute of the key remains unchanged.
+
+```yaml
+Type: System.Nullable`1[System.DateTime]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PassThru
+Cmdlet does not return an object by default.
+If this switch is specified, returns the updated key bundle object.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tag
+A hashtable represents key tags.
+If not specified, the existings tags of the key remain unchanged.
+
+```yaml
+Type: System.Collections.Hashtable
+Parameter Sets: (All)
+Aliases: Tags
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Version
+Key version.
+Cmdlet constructs the FQDN of a key from managed HSM name, currently selected environment, key name and key version.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases: KeyVersion
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKeyIdentityItem
+
+## OUTPUTS
+
+### Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKey
+
+## NOTES
+
+## RELATED LINKS
+
+[Add-AzManagedHsmKey](./Add-AzManagedHsmKey.md)
+
+[Backup-AzManagedHsmKey](./Backup-AzManagedHsmKey.md)
+
+[Remove-AzManagedHsmKey](./Remove-AzManagedHsmKey.md)
+
+[Undo-AzManagedHsmKeyRemoval](./Undo-AzManagedHsmKeyRemoval.md)
+
+[Get-AzManagedHsmKey](./Get-AzManagedHsmKey.md)
+
+[Restore-AzManagedHsmKey](./Restore-AzManagedHsmKey.md)
\ No newline at end of file
diff --git a/tools/StaticAnalysis/Exceptions/Az.KeyVault/SignatureIssues.csv b/tools/StaticAnalysis/Exceptions/Az.KeyVault/SignatureIssues.csv
index d487291581a3..d01bd03ea014 100644
--- a/tools/StaticAnalysis/Exceptions/Az.KeyVault/SignatureIssues.csv
+++ b/tools/StaticAnalysis/Exceptions/Az.KeyVault/SignatureIssues.csv
@@ -1,4 +1,9 @@
"AssemblyFileName","ClassName","Target","Severity","ProblemId","Description","Remediation"
+"Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll","Microsoft.Azure.Commands.KeyVault.GetAzureManagedHsmKey","Get-AzManagedHsmKey","1","8410","Parameter IncludeVersions of cmdlet Get-AzManagedHsmKey does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name."
+"Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll","Microsoft.Azure.Commands.KeyVault.UpdateAzureManagedHsmKey","Update-AzManagedHsmKey","1","8410","Parameter Expires of cmdlet Update-AzManagedHsmKey does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name."
+"Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll","Microsoft.Azure.Commands.KeyVault.UpdateAzureManagedHsmKey","Update-AzManagedHsmKey","1","8410","Parameter KeyOps of cmdlet Update-AzManagedHsmKey does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name."
+"Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll","Microsoft.Azure.Commands.KeyVault.Commands.AddAzureManagedHsmKey","Add-AzManagedHsmKey","1","8410","Parameter KeyOps of cmdlet Add-AzManagedHsmKey does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name."
+"Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll","Microsoft.Azure.Commands.KeyVault.Commands.AddAzureManagedHsmKey","Add-AzManagedHsmKey","1","8410","Parameter Expires of cmdlet Add-AzManagedHsmKey does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name."
"Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll","Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultManagedStorageSasDefinition","Set-AzKeyVaultManagedStorageSasDefinition","1","8420","Parameter set 'Default' of cmdlet 'Set-AzKeyVaultManagedStorageSasDefinition' contains at least one parameter with a position larger than four, which is discouraged.","Limit the number of positional parameters in a single parameter set to four or fewer."
"Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll","Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultManagedStorageSasDefinition","Set-AzKeyVaultManagedStorageSasDefinition","1","8420","Parameter set 'ByInputObject' of cmdlet 'Set-AzKeyVaultManagedStorageSasDefinition' contains at least one parameter with a position larger than four, which is discouraged.","Limit the number of positional parameters in a single parameter set to four or fewer."
"Microsoft.Azure.PowerShell.Cmdlets.KeyVault.dll","Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultManagedStorageSasDefinition","Set-AzKeyVaultManagedStorageSasDefinition","1","8420","Parameter set '__AllParameterSets' of cmdlet 'Set-AzKeyVaultManagedStorageSasDefinition' contains at least one parameter with a position larger than four, which is discouraged.","Limit the number of positional parameters in a single parameter set to four or fewer."