HEX
Server: Apache/2.4.65 (Ubuntu)
System: Linux ielts-store-v2 6.8.0-1036-gcp #38~22.04.1-Ubuntu SMP Thu Aug 14 01:19:18 UTC 2025 x86_64
User: root (0)
PHP: 7.2.34-54+ubuntu20.04.1+deb.sury.org+1
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
$ pwd: /snap/google-cloud-cli/current/help/man/man1/
Upload Files
File: //snap/google-cloud-cli/current/help/man/man1/gcloud_beta_kms_keys_versions_import.1
.TH "GCLOUD_BETA_KMS_KEYS_VERSIONS_IMPORT" 1



.SH "NAME"
.HP
gcloud beta kms keys versions import \- import a version into an existing crypto key



.SH "SYNOPSIS"
.HP
\f5gcloud beta kms keys versions import\fR \fB\-\-algorithm\fR=\fIALGORITHM\fR \fB\-\-import\-job\fR=\fIIMPORT_JOB\fR [\fB\-\-key\fR=\fIKEY\fR] [\fB\-\-keyring\fR=\fIKEYRING\fR] [\fB\-\-location\fR=\fILOCATION\fR] [\fB\-\-public\-key\-file\fR=\fIPUBLIC_KEY_FILE\fR] [\fB\-\-target\-key\-file\fR=\fITARGET_KEY_FILE\fR] [\fB\-\-version\fR=\fIVERSION\fR] [\fB\-\-wrapped\-key\-file\fR=\fIWRAPPED_KEY_FILE\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fB(BETA)\fR Imports wrapped key material into a new version within an existing
crypto key following the import procedure documented at
https://cloud.google.com/kms/docs/importing\-a\-key.



.SH "EXAMPLES"

The following command will read the files 'path/to/ephemeral/key' and
\'path/to/target/key' and use them to create a new version with algorithm
\'google\-symmetric\-encryption' within the 'frodo' crypto key, 'fellowship'
keyring, and 'us\-central1' location using import job 'strider' to unwrap the
provided key material.

.RS 2m
$ gcloud beta kms keys versions import \-\-location=global \e
    \-\-keyring=fellowship \-\-key=frodo \-\-import\-job=strider \e
    \-\-wrapped\-key\-file=path/to/target/key \e
    \-\-algorithm=google\-symmetric\-encryption
.RE



.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m
\fB\-\-algorithm\fR=\fIALGORITHM\fR

The algorithm to assign to the new key version. For more information about
supported algorithms, see https://cloud.google.com/kms/docs/algorithms.
\fIALGORITHM\fR must be one of: \fBaes\-128\-cbc\fR, \fBaes\-128\-ctr\fR,
\fBaes\-128\-gcm\fR, \fBaes\-256\-cbc\fR, \fBaes\-256\-ctr\fR,
\fBaes\-256\-gcm\fR, \fBec\-sign\-ed25519\fR, \fBec\-sign\-p256\-sha256\fR,
\fBec\-sign\-p384\-sha384\fR, \fBec\-sign\-secp256k1\-sha256\fR,
\fBgoogle\-symmetric\-encryption\fR, \fBhmac\-sha1\fR, \fBhmac\-sha224\fR,
\fBhmac\-sha256\fR, \fBhmac\-sha384\fR, \fBhmac\-sha512\fR, \fBkem\-xwing\fR,
\fBml\-kem\-1024\fR, \fBml\-kem\-768\fR,
\fBpq\-sign\-hash\-slh\-dsa\-sha2\-128s\-sha256\fR, \fBpq\-sign\-ml\-dsa\-65\fR,
\fBpq\-sign\-slh\-dsa\-sha2\-128s\fR, \fBrsa\-decrypt\-oaep\-2048\-sha1\fR,
\fBrsa\-decrypt\-oaep\-2048\-sha256\fR, \fBrsa\-decrypt\-oaep\-3072\-sha1\fR,
\fBrsa\-decrypt\-oaep\-3072\-sha256\fR, \fBrsa\-decrypt\-oaep\-4096\-sha1\fR,
\fBrsa\-decrypt\-oaep\-4096\-sha256\fR, \fBrsa\-decrypt\-oaep\-4096\-sha512\fR,
\fBrsa\-sign\-pkcs1\-2048\-sha256\fR, \fBrsa\-sign\-pkcs1\-3072\-sha256\fR,
\fBrsa\-sign\-pkcs1\-4096\-sha256\fR, \fBrsa\-sign\-pkcs1\-4096\-sha512\fR,
\fBrsa\-sign\-pss\-2048\-sha256\fR, \fBrsa\-sign\-pss\-3072\-sha256\fR,
\fBrsa\-sign\-pss\-4096\-sha256\fR, \fBrsa\-sign\-pss\-4096\-sha512\fR,
\fBrsa\-sign\-raw\-pkcs1\-2048\fR, \fBrsa\-sign\-raw\-pkcs1\-3072\fR,
\fBrsa\-sign\-raw\-pkcs1\-4096\fR.

.TP 2m
\fB\-\-import\-job\fR=\fIIMPORT_JOB\fR

Name of the import job to import from.


.RE
.sp

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m
\fB\-\-key\fR=\fIKEY\fR

The containing key to import into.

.TP 2m
\fB\-\-keyring\fR=\fIKEYRING\fR

Key ring of the key.

.TP 2m
\fB\-\-location\fR=\fILOCATION\fR

Location of the keyring.

.TP 2m
\fB\-\-public\-key\-file\fR=\fIPUBLIC_KEY_FILE\fR

Path to the public key of the ImportJob, used to wrap the key for import. If
missing, the public key will be fetched on your behalf.

.TP 2m
\fB\-\-target\-key\-file\fR=\fITARGET_KEY_FILE\fR

Path to the unwrapped target key to import into a Cloud KMS key version. If
specified, the key will be securely wrapped before transmission to Google.

.TP 2m
\fB\-\-version\fR=\fIVERSION\fR

Version to re\-import into. Omit this field for first\-time import.

.TP 2m
\fB\-\-wrapped\-key\-file\fR=\fIWRAPPED_KEY_FILE\fR

Path to the RSA/RSA+AES wrapped key file to import.


.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

This command is currently in beta and might change without notice. These
variants are also available:

.RS 2m
$ gcloud kms keys versions import
.RE

.RS 2m
$ gcloud alpha kms keys versions import
.RE
@ Telegram