az keyvault key create error when creating symmetric key
I created an azure key vault (not a managed HSM service) and gave myself necessary permissions in azure portal to create and view keys. I wanted to create an AES-256 bit symmetric wrapping key (also known as key encryption key or KEK) with following azure CLI command:
az keyvault key create --name mywrappingkey --vault-name raghu-keyvault-wrap-exp --kty oct --size 256 --ops wrapKey --protection software
It fails with following error:
(BadParameter) Invalid kty value: oct
Code: BadParameter
Message: Invalid kty value: oct
Inner error: {
"code": "KeyTypeNotSupported"
}
The following documentation says it should work: https://learn.microsoft.com/en-us/cli/azure/keyvault/key?view=azure-cli-latest#az-keyvault-key-create
I also tried using command (i.e. changed the --protection value to hsm):
az keyvault key create --name mywrappingkey --vault-name raghu-keyvault-wrap-exp --kty oct --size 256 --ops wrapKey --protection hsm
This time, it erred with following:
(BadParameter) Property has invalid value
Code: BadParameter
Message: Property has invalid value
Not sure what I am doing wrong here. Any ideas?
Note: Azure Key Vault does not support creating symmetric
octkeys forwrapKeyordecryptoperations directly via CLI.
- You can create symmetric keys for encryption and decryption with
az keyvault key createusing theocttype, but if you need key wrapping (KEK), you must use RSA or EC keys. For AES-256 keys, consider using Azure Key Vault Secrets to store the key. Refer this MsDoc
I got the same errors when creating symmetric key like below:
az keyvault key create --name mywrappingkey --vault-name KvName --kty oct --size 256 --ops wrapKey --protection software
az keyvault key create --name mywrappingkey --vault-name KvName --kty oct --size 256 --ops wrapKey --protection hsm
- You cannot store any symmetric key in the
az keyvault key create. The only option is storing them as secrets. - For symmetric keys, oct can be used for encryption and decryption operations, but key wrapping operations (such as wrapKey) are only supported for RSA and EC keys, not for symmetric oct keys.
Note: Azure Key Vault does not support symmetric (oct) keys for key wrapping operations. Only RSA or EC keys can be used for key wrapping (wrapKey), as AES symmetric KEKs cannot be created directly in Azure Key Vault.
- If you're specifically looking to create a KEK (key encryption key) for wrapping, you must use RSA or EC keys. For symmetric AES-256 keys, you may want to use Azure Key Vault Secrets instead of keys, as Key Vault Secrets can be used to store the symmetric key securely.
- Only RSA is allowed for key wrapping.
Reference:
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions