Merge pull request #2663 from msmbaldwin/placeholder-standardization-keys

Standardize placeholders in key-vault/keys

Author: prmerger-automator[bot]

articles/key-vault/keys/about-keys.md

@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: overview
-ms.date: 05/30/2025
+ms.date: 03/26/2026
 ms.author: mbaldwin
 ---
 
@@ -17,8 +17,8 @@ Azure Key Vault provides two types of resources to store and manage cryptographi
 
 |Resource type|Key protection methods|Data-plane endpoint base URL|
 |--|--|--|
-| **Vaults** | Software-protected and HSM-protected (HSM key types in Premium SKU) | https://{vault-name}.vault.azure.net |
-| **Managed HSMs** | HSM-protected | https://{hsm-name}.managedhsm.azure.net |
+| **Vaults** | Software-protected and HSM-protected (HSM key types in Premium SKU) | `https://<vault-name>.vault.azure.net` |
+| **Managed HSMs** | HSM-protected | `https://<hsm-name>.managedhsm.azure.net` |
 ||||
 
 - **Vaults** - Vaults provide a low-cost, easy to deploy, multi-tenant, zone-resilient (where available), highly available key management solution suitable for most common cloud application scenarios.

articles/key-vault/keys/byok-specification.md

@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: feature-guide
-ms.date: 01/30/2026
+ms.date: 03/26/2026
 ms.author: mbaldwin 
 ms.custom: devx-track-azurecli
 ---
@@ -66,7 +66,7 @@ The configuration of the source HSM is generally outside the scope of this speci
 Use the **az keyvault key create** command to create a KEK with key operations set to import. Note the key identifier `kid` returned from this command.
 
 ```azurecli
-az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import --vault-name ContosoKeyVaultHSM
+az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import --vault-name <vault-name>
 ```
 
 > [!NOTE]
@@ -77,7 +77,7 @@ az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import
 Download the public key portion of the KEK and store it in a PEM file.
 
 ```azurecli
-az keyvault key download --name KEKforBYOK --vault-name ContosoKeyVaultHSM --file KEKforBYOK.publickey.pem
+az keyvault key download --name KEKforBYOK --vault-name <vault-name> --file KEKforBYOK.publickey.pem
 ```
 
 ### Generate key transfer blob by using HSM vendor provided BYOK tool
@@ -106,17 +106,17 @@ If you use CKM_RSA_AES_KEY_WRAP_PAD, the JSON serialization of the transfer blob
   "schema_version": "1.0.0",
   "header":
   {
-    "kid": "<key identifier of the KEK>",
+    "kid": "<kek-key-id>",
     "alg": "dir",
     "enc": "CKM_RSA_AES_KEY_WRAP"
   },
-  "ciphertext":"BASE64URL(<ciphertext contents>)",
+  "ciphertext":"BASE64URL(<ciphertext>)",
   "generator": "BYOK tool name and version; source HSM name and firmware version"
 }
 
 ```
 
-* `kid` = key identifier of KEK. For Key Vault keys, it looks like this: `https://ContosoKeyVaultHSM.vault.azure.net/keys/mykek/eba63d27e4e34e028839b53fac905621`
+* `kid` = key identifier of KEK. For Key Vault keys, it looks like this: `https://<vault-name>.vault.azure.net/keys/mykek/<key-version>`
 * `alg` = algorithm. 
 * `dir` = Direct mode. The referenced `kid` directly protects the ciphertext, which is an accurate representation of CKM_RSA_AES_KEY_WRAP.
 * `generator` = an informational field that denotes the name and version of BYOK tool and the source HSM manufacturer and model. Use this information for troubleshooting and support.
@@ -129,18 +129,18 @@ To import a key, transfer the Key Transfer Blob (".byok" file) to an online work
 
 To import an RSA key, use the following command:
 ```azurecli
-az keyvault key import --vault-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok --ops encrypt decrypt
+az keyvault key import --vault-name <vault-name> --name <key-name> --byok-file KeyTransferPackage-<key-name>.byok --ops encrypt decrypt
 ```
 To import an EC key, specify the key type and the curve name.
 
 ```azurecli
-az keyvault key import --vault-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --kty EC-HSM --curve-name "P-256" --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok --ops sign verify
+az keyvault key import --vault-name <vault-name> --name <key-name> --kty EC-HSM --curve-name "P-256" --byok-file KeyTransferPackage-<key-name>.byok --ops sign verify
 ```
 
 When you run this command, it sends a REST API request as follows:
 
 ```
-PUT https://contosokeyvaulthsm.vault.azure.net/keys/ContosoFirstHSMKey?api-version=7.0
+PUT https://<vault-name>.vault.azure.net/keys/<key-name>?api-version=7.0
 ```
 
 Request body when importing an RSA key:
@@ -152,7 +152,7 @@ Request body when importing an RSA key:
       "decrypt",
       "encrypt"
     ],
-    "key_hsm": "<Base64 encoded BYOK_BLOB>"
+    "key_hsm": "<base64-encoded-byok-blob>"
   },
   "attributes": {
     "enabled": true
@@ -170,15 +170,15 @@ Request body when importing an EC key:
       "sign",
       "verify"
     ],
-    "key_hsm": "<Base64 encoded BYOK_BLOB>"
+    "key_hsm": "<base64-encoded-byok-blob>"
   },
   "attributes": {
     "enabled": true
   }
 }
 ```
 
-The `key_hsm` value is the entire contents of the KeyTransferPackage-ContosoFirstHSMkey.byok file, encoded in Base64 format.
+The `key_hsm` value is the entire contents of the KeyTransferPackage-`<key-name>`.byok file, encoded in Base64 format.
 
 ## References
 - [Key Vault Developer's Guide](../general/developers-guide.md)

articles/key-vault/keys/hsm-protected-keys-byok.md

@@ -106,25 +106,25 @@ Use the [az keyvault key create](/cli/azure/keyvault/key#az-keyvault-key-create)
 ### [Azure CLI](#tab/azure-cli)
 
 ```azurecli
-az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import --vault-name ContosoKeyVaultHSM
+az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import --vault-name <vault-name>
 ```
 
 For Managed HSM:
 
 ```azurecli
-az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import --hsm-name ContosoKeyVaultHSM
+az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import --hsm-name <hsm-name>
 ```
 
 ### [Azure PowerShell](#tab/azure-powershell)
 
 ```azurepowershell
-Add-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -Name 'KEKforBYOK' -Destination 'HSM' -Size 4096 -KeyOps 'import'
+Add-AzKeyVaultKey -VaultName "<vault-name>" -Name "KEKforBYOK" -Destination "HSM" -Size 4096 -KeyOps "import"
 ```
 
 For Managed HSM:
 
 ```azurepowershell
-Add-AzKeyVaultKey -HsmName 'ContosoKeyVaultHSM' -Name 'KEKforBYOK' -Destination 'HSM' -Size 4096 -KeyOps 'import'
+Add-AzKeyVaultKey -HsmName "<hsm-name>" -Name "KEKforBYOK" -Destination "HSM" -Size 4096 -KeyOps "import"
 ```
 
 ---
@@ -136,25 +136,25 @@ Use [az keyvault key download](/cli/azure/keyvault/key#az-keyvault-key-download)
 ### [Azure CLI](#tab/azure-cli)
 
 ```azurecli
-az keyvault key download --name KEKforBYOK --vault-name ContosoKeyVaultHSM --file KEKforBYOK.publickey.pem
+az keyvault key download --name KEKforBYOK --vault-name <vault-name> --file KEKforBYOK.publickey.pem
 ```
 
 For Managed HSM:
 
 ```azurecli
-az keyvault key download --name KEKforBYOK --hsm-name ContosoKeyVaultHSM --file KEKforBYOK.publickey.pem
+az keyvault key download --name KEKforBYOK --hsm-name <hsm-name> --file KEKforBYOK.publickey.pem
 ```
 
 ### [Azure PowerShell](#tab/azure-powershell)
 
 ```azurepowershell
-Get-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -KeyName 'KEKforBYOK' -OutFile 'KEKforBYOK.publickey.pem'
+Get-AzKeyVaultKey -VaultName "<vault-name>" -KeyName "KEKforBYOK" -OutFile "KEKforBYOK.publickey.pem"
 ```
 
 For Managed HSM:
 
 ```azurepowershell
-Get-AzKeyVaultKey -HsmName 'ContosoKeyVaultHSM' -KeyName 'KEKforBYOK' -OutFile 'KEKforBYOK.publickey.pem'
+Get-AzKeyVaultKey -HsmName "<hsm-name>" -KeyName "KEKforBYOK" -OutFile "KEKforBYOK.publickey.pem"
 ```
 
 ---
@@ -183,24 +183,24 @@ To import an RSA key, use the following command. The `--kty` parameter is option
 ### [Azure CLI](#tab/azure-cli)
 
 ```azurecli
-az keyvault key import --vault-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok
+az keyvault key import --vault-name <vault-name> --name <key-name> --byok-file KeyTransferPackage-<key-name>.byok
 ```
 
 For Managed HSM:
 
 ```azurecli
-az keyvault key import --hsm-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok
+az keyvault key import --hsm-name <hsm-name> --name <key-name> --byok-file KeyTransferPackage-<key-name>.byok
 ```
 
 ### [Azure PowerShell](#tab/azure-powershell)
 
 ```azurepowershell
-Add-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -KeyName 'ContosoFirstHSMkey' -KeyFilePath 'KeyTransferPackage-ContosoFirstHSMkey.byok'
+Add-AzKeyVaultKey -VaultName "<vault-name>" -KeyName "<key-name>" -KeyFilePath "KeyTransferPackage-<key-name>.byok"
 ```
 For Managed HSM:
 
 ```azurepowershell
-Add-AzKeyVaultKey -HsmName 'ContosoKeyVaultHSM' -KeyName 'ContosoFirstHSMkey' -KeyFilePath 'KeyTransferPackage-ContosoFirstHSMkey.byok'
+Add-AzKeyVaultKey -HsmName "<hsm-name>" -KeyName "<key-name>" -KeyFilePath "KeyTransferPackage-<key-name>.byok"
 ```
 
 ---
@@ -210,25 +210,25 @@ To import an EC key, you must specify the key type and the curve name.
 ### [Azure CLI](#tab/azure-cli)
 
 ```azurecli
-az keyvault key import --vault-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --kty EC-HSM --curve-name "P-256" --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok
+az keyvault key import --vault-name <vault-name> --name <key-name> --kty EC-HSM --curve-name "P-256" --byok-file KeyTransferPackage-<key-name>.byok
 ```
 
 For Managed HSM:
 
 ```azurecli
-az keyvault key import --hsm-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --kty EC-HSM --curve-name "P-256" --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok
+az keyvault key import --hsm-name <hsm-name> --name <key-name> --kty EC-HSM --curve-name "P-256" --byok-file KeyTransferPackage-<key-name>.byok
 ```
 
 ### [Azure PowerShell](#tab/azure-powershell)
 
 ```azurepowershell
-Add-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -KeyName 'ContosoFirstHSMkey' -KeyType EC -CurveName P-256  -KeyFilePath 'KeyTransferPackage-ContosoFirstHSMkey.byok'
+Add-AzKeyVaultKey -VaultName "<vault-name>" -KeyName "<key-name>" -KeyType EC -CurveName P-256  -KeyFilePath "KeyTransferPackage-<key-name>.byok"
 ```
 
 For Managed HSM:
 
 ```azurepowershell
-Add-AzKeyVaultKey -HsmName 'ContosoKeyVaultHSM' -KeyName 'ContosoFirstHSMkey' -KeyType EC -CurveName P-256  -KeyFilePath 'KeyTransferPackage-ContosoFirstHSMkey.byok'
+Add-AzKeyVaultKey -HsmName "<hsm-name>" -KeyName "<key-name>" -KeyType EC -CurveName P-256  -KeyFilePath "KeyTransferPackage-<key-name>.byok"
 ```
 
 ---

articles/key-vault/keys/hsm-protected-keys-ncipher.md

@@ -582,7 +582,7 @@ When you run this command, replace *contosokey* with the same value you specifie
 
 You are asked to plug in your security world admin cards.
 
-When the command completes, you see **Result: SUCCESS** and the copy of your key with reduced permissions are in the file named key_xferacId_\<contosokey>.
+When the command completes, you see **Result: SUCCESS** and the copy of your key with reduced permissions are in the file named key_xferacId_`<contosokey>`.
 
 You may inspects the ACLS using following commands using the nCipher nShield utilities:
 

articles/key-vault/keys/quick-create-bicep.md

@@ -8,7 +8,7 @@ ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: quickstart
 ms.author: mbaldwin
-ms.date: 11/19/2025
+ms.date: 03/26/2026
 #Customer intent: As a security admin who is new to Azure, I want to use Key Vault to securely store keys and passwords in Azure.
 ---
 
@@ -140,13 +140,13 @@ More Azure Key Vault template samples can be found in [Azure Quickstart Template
 
     ```azurepowershell
     New-AzResourceGroup -Name exampleRG -Location eastus
-    New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -vaultName "<key-vault-name>" -keyName "<key-name>"
+    New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -vaultName "<vault-name>" -keyName "<key-name>"
     ```
 
     ---
 
     > [!NOTE]
-    > Replace **\<vault-name\>** with the name of the key vault. Replace **\<vault-name\>** with the name of the key vault, and replace **\<key-name\>** with the name of the key.
+    > Replace **`<vault-name>`** with the name of the key vault. Replace **`<vault-name>`** with the name of the key vault, and replace **`<key-name>`** with the name of the key.
 
     When the deployment finishes, you should see a message indicating the deployment succeeded.
 

articles/key-vault/keys/quick-create-cli.md

@@ -5,7 +5,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: quickstart
-ms.date: 01/30/2026
+ms.date: 03/26/2026
 ms.author: mbaldwin
 ms.custom: devx-track-azurecli, mode-api
 #Customer intent: As a security admin who is new to Azure, I want to use Key Vault to securely store keys and passwords in Azure
@@ -39,16 +39,16 @@ To add a key to the vault, you just need to take a couple of additional steps. T
 Type this command to create a key called **ExampleKey** :
 
 ```azurecli
-az keyvault key create --vault-name "<your-unique-keyvault-name>" -n ExampleKey --protection software
+az keyvault key create --vault-name "<vault-name>" -n ExampleKey --protection software
 ```
 
-You can now reference this key that you added to Azure Key Vault by using its URI. Use **`https://<your-unique-keyvault-name>.vault.azure.net/keys/ExampleKey`** to get the current version.
+You can now reference this key that you added to Azure Key Vault by using its URI. Use **`https://<vault-name>.vault.azure.net/keys/ExampleKey`** to get the current version.
 
 To view previously stored key:
 
 ```azurecli
 
-az keyvault key show --name "ExampleKey" --vault-name "<your-unique-keyvault-name>"
+az keyvault key show --name "ExampleKey" --vault-name "<vault-name>"
 ```
 
 Now, you've created a Key Vault, stored a key, and retrieved it.

articles/key-vault/keys/quick-create-java.md

@@ -4,7 +4,7 @@ description: Provides a quickstart for the Azure Key Vault Keys client library f
 author: msmbaldwin
 ms.custom: devx-track-java, devx-track-azurecli, devx-track-azurepowershell, mode-api, passwordless-java, devx-track-extended-java
 ms.author: mbaldwin
-ms.date: 01/30/2026
+ms.date: 03/26/2026
 
 ms.service: azure-key-vault
 ms.subservice: keys
@@ -125,19 +125,19 @@ This application is using your key vault name as an environment variable called
 Windows
 
 ```cmd
-set KEY_VAULT_NAME=<your-key-vault-name>
+set KEY_VAULT_NAME=<vault-name>
 ````
 
 Windows PowerShell
 
 ```powershell
-$Env:KEY_VAULT_NAME="<your-key-vault-name>"
+$Env:KEY_VAULT_NAME="<vault-name>"
 ```
 
 macOS or Linux
 
 ```cmd
-export KEY_VAULT_NAME=<your-key-vault-name>
+export KEY_VAULT_NAME=<vault-name>
 ```
 
 ## Object model
@@ -169,7 +169,7 @@ Application requests to most Azure services must be authorized. Using the [Defau
 
 In this quickstart, `DefaultAzureCredential` authenticates to key vault using the credentials of the local development user logged into the Azure CLI. When the application is deployed to Azure, the same `DefaultAzureCredential` code can automatically discover and use a managed identity that is assigned to an App Service, Virtual Machine, or other services. For more information, see [Managed Identity Overview](/entra/identity/managed-identities-azure-resources/overview).
 
-In this example, the name of your key vault is expanded to the key vault URI, in the format `https://<your-key-vault-name>.vault.azure.net`. For more information about authenticating to key vault, see [Developer's Guide](/azure/key-vault/general/developers-guide#authenticate-to-key-vault-in-code).
+In this example, the name of your key vault is expanded to the key vault URI, in the format `https://<vault-name>.vault.azure.net`. For more information about authenticating to key vault, see [Developer's Guide](/azure/key-vault/general/developers-guide#authenticate-to-key-vault-in-code).
 
 ```java
 String keyVaultName = System.getenv("KEY_VAULT_NAME");
@@ -192,7 +192,7 @@ keyClient.createKey(keyName, KeyType.RSA);
 You can verify that the key has been set with the [az keyvault key show](/cli/azure/keyvault/key?#az-keyvault-key-show) command:
 
 ```azurecli
-az keyvault key show --vault-name <your-unique-key-vault-name> --name myKey
+az keyvault key show --vault-name <vault-name> --name myKey
 ```
 
 ### Retrieve a key
@@ -219,19 +219,19 @@ deletionPoller.waitForCompletion();
 You can verify that the key has been deleted with the [az keyvault key show](/cli/azure/keyvault/key?#az-keyvault-key-show) command:
 
 ```azurecli
-az keyvault key show --vault-name <your-unique-key-vault-name> --name myKey
+az keyvault key show --vault-name <vault-name> --name myKey
 ```
 
 ## Clean up resources
 
 When no longer needed, you can use the Azure CLI or Azure PowerShell to remove your key vault and the corresponding resource group.
 
 ```azurecli
-az group delete -g "myResourceGroup"
+az group delete -g "<resource-group>"
 ```
 
 ```azurepowershell
-Remove-AzResourceGroup -Name "myResourceGroup"
+Remove-AzResourceGroup -Name "<resource-group>"
 ```
 
 ## Sample code