Class KeyClient

java.lang.Object
com.azure.security.keyvault.keys.KeyClient
public final class KeyClient extends Object
The KeyClient provides synchronous methods to manage keys in the Azure Key Vault. The client supports creating, retrieving, updating, deleting, purging, backing up, restoring, listing, releasing and rotating the keys. The client also supports listing deleted keys for a soft-delete enabled Azure Key Vault.

Getting Started

In order to interact with the Azure Key Vault service, you will need to create an instance of the KeyClient class, a vault url and a credential object.

The examples shown in this document use a credential object named DefaultAzureCredential for authentication, which is appropriate for most scenarios, including local development and production environments. Additionally, we recommend using a managed identity for authentication in production environments. You can find more information on different ways of authenticating and their corresponding credential types in the Azure Identity documentation".

Sample: Construct Synchronous Key Client

The following code sample demonstrates the creation of a KeyClient, using the KeyClientBuilder to configure it.

KeyClient keyClient = new KeyClientBuilder()
    .vaultUrl("<your-key-vault-url>")
    .credential(new DefaultAzureCredentialBuilder().build())
    .buildClient();

Create a Cryptographic Key

The KeyClient can be used to create a key in the key vault.

Code Sample:

The following code sample demonstrates how to synchronously create a cryptographic key in the key vault, using the createKey(String, KeyType) API.

KeyVaultKey key = keyClient.createKey("keyName", KeyType.EC);
System.out.printf("Created key with name: %s and id: %s%n", key.getName(), key.getId());

Note: For the asynchronous sample, refer to KeyAsyncClient.


Get a Cryptographic Key

The KeyClient can be used to retrieve a key from the key vault.

Code Sample:

The following code sample demonstrates how to synchronously retrieve a key from the key vault, using the getKey(String) API.

KeyVaultKey keyWithVersionValue = keyClient.getKey("keyName");

System.out.printf("Retrieved key with name: %s and: id %s%n", keyWithVersionValue.getName(),
    keyWithVersionValue.getId());

Note: For the asynchronous sample, refer to KeyAsyncClient.


Delete a Cryptographic Key

The KeyClient can be used to delete a key from the key vault.

Code Sample:

The following code sample demonstrates how to synchronously delete a key from the key vault, using the beginDeleteKey(String) API.

SyncPoller<DeletedKey, Void> deleteKeyPoller = keyClient.beginDeleteKey("keyName");
PollResponse<DeletedKey> deleteKeyPollResponse = deleteKeyPoller.poll();

// Deleted date only works for SoftDelete Enabled Key Vault.
DeletedKey deletedKey = deleteKeyPollResponse.getValue();

System.out.printf("Key delete date: %s%n", deletedKey.getDeletedOn());
System.out.printf("Deleted key's recovery id: %s%n", deletedKey.getRecoveryId());

// Key is being deleted on the server.
deleteKeyPoller.waitForCompletion();
// Key is deleted

Note: For the asynchronous sample, refer to KeyAsyncClient.

See Also:

  • Method Details

    • getVaultUrl

      public String getVaultUrl()
      Get the vault endpoint url to which service requests are sent to.
      Returns:
      The vault endpoint url.

    • getCryptographyClient

      public CryptographyClient getCryptographyClient(String keyName)
      Creates a CryptographyClient for the latest version of a given key.

      To ensure correct behavior when performing operations such as Decrypt, Unwrap and Verify, it is recommended to use a CryptographyClient created for the specific key version that was used for the corresponding inverse operation: Encrypt, Wrap, or Sign, respectively.

      You can provide a key version either via getCryptographyClient(String, String) or by ensuring it is included in the keyIdentifier passed to CryptographyClientBuilder.keyIdentifier(String) before building a client.

      Parameters:
      keyName - The name of the key.
      Returns:
      An instance of CryptographyClient associated with the latest version of a key with the provided name.
      Throws:
      IllegalArgumentException - If keyName is null or empty.

    • getCryptographyClient

      public CryptographyClient getCryptographyClient(String keyName, String keyVersion)
      Creates a CryptographyClient for a given key version.
      Parameters:
      keyName - The name of the key.
      keyVersion - The key version.
      Returns:
      An instance of CryptographyClient associated with a key with the provided name and version. If keyVersion is null or empty, the client will use the latest version of the key.
      Throws:
      IllegalArgumentException - If keyName is null or empty.

    • createKey

      public KeyVaultKey createKey(String name, KeyType keyType)
      Creates a new key and stores it in the key vault. The create key operation can be used to create any keyType in Azure Key Vault. If a key with the provided name already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

      The keyType indicates the type of key to create. Possible values include: EC, EC-HSM, RSA, RSA-HSM, OCT, and OCT-HSM.

      Code Samples

      Creates a new EC key. Prints out the details of the created key.

      KeyVaultKey key = keyClient.createKey("keyName", KeyType.EC);
System.out.printf("Created key with name: %s and id: %s%n", key.getName(), key.getId());
      Parameters:
      name - The name of the key being created.
      keyType - The type of key to create. For valid values, see KeyType.
      Returns:
      The created key.
      Throws:
      com.azure.core.exception.ResourceModifiedException - If name or keyType are null.
      com.azure.core.exception.HttpResponseException - If name is an empty string.

    • createKey

      public KeyVaultKey createKey(CreateKeyOptions createKeyOptions)
      Creates a new key and stores it in the key vault. The create key operation can be used to create any keyType in Azure Key Vault. If a key with the provided name already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

      The CreateKeyOptions parameter is required. The expires and notBefore values are optional. The CreateKeyOptions.isEnabled() enabled} field is set to true by Azure Key Vault, if not specified.

      The keyType indicates the type of key to create. Possible values include: EC, EC-HSM, RSA, RSA-HSM, OCT, and OCT-HSM.

      Code Samples

      Creates a new RSA key which activates in one day and expires in one year. Prints out the details of the created key.

      CreateKeyOptions createKeyOptions = new CreateKeyOptions("keyName", KeyType.RSA)
    .setNotBefore(OffsetDateTime.now().plusDays(1))
    .setExpiresOn(OffsetDateTime.now().plusYears(1));
KeyVaultKey optionsKey = keyClient.createKey(createKeyOptions);

System.out.printf("Created key with name: %s and id: %s%n", optionsKey.getName(), optionsKey.getId());
      Parameters:
      createKeyOptions - The options object containing information about the key being created.
      Returns:
      The created key.
      Throws:
      com.azure.core.exception.HttpResponseException - If CreateKeyOptions.getName() is an empty string.
      NullPointerException - If createKeyOptions is null.
      com.azure.core.exception.HttpResponseException - If name is an empty string.

    • createKeyWithResponse

      public com.azure.core.http.rest.Response<KeyVaultKey> createKeyWithResponse(CreateKeyOptions createKeyOptions, com.azure.core.util.Context context)
      Creates a new key and stores it in the key vault. The create key operation can be used to create any keyType in Azure Key Vault. If a key with the provided name already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

      The CreateKeyOptions parameter is required. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

      The keyType indicates the type of key to create. Possible values include: EC, EC-HSM, RSA, RSA-HSM, OCT, and OCT-HSM.

      Code Samples

      Creates a new RSA key which activates in one day and expires in one year. Prints out the details of the created key.

      CreateKeyOptions createKeyOptions = new CreateKeyOptions("keyName", KeyType.RSA)
    .setNotBefore(OffsetDateTime.now().plusDays(1))
    .setExpiresOn(OffsetDateTime.now().plusYears(1));
Response<KeyVaultKey> createKeyResponse =
    keyClient.createKeyWithResponse(createKeyOptions, new Context("key1", "value1"));

System.out.printf("Created key with name: %s and: id %s%n", createKeyResponse.getValue().getName(),
    createKeyResponse.getValue().getId());
      Parameters:
      createKeyOptions - The options object containing information about the key being created.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A Response whose value contains the created key.
      Throws:
      com.azure.core.exception.HttpResponseException - If CreateKeyOptions.getName() is an empty string.
      NullPointerException - If createKeyOptions is null.
      com.azure.core.exception.ResourceModifiedException - If createKeyOptions is malformed.

    • createRsaKey

      public KeyVaultKey createRsaKey(CreateRsaKeyOptions createRsaKeyOptions)
      Creates a new RSA key and stores it in the key vault. The create RSA key operation can be used to create any RSA key type in Azure Key Vault. If a key with the provided name already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

      The CreateRsaKeyOptions parameter is required. The keySize can be optionally specified. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

      The keyType indicates the type of key to create. Possible values include: RSA and RSA-HSM.

      Code Samples

      Creates a new RSA key with size 2048 which activates in one day and expires in one year. Prints out the details of the created key.

      CreateRsaKeyOptions createRsaKeyOptions = new CreateRsaKeyOptions("keyName")
    .setKeySize(2048)
    .setNotBefore(OffsetDateTime.now().plusDays(1))
    .setExpiresOn(OffsetDateTime.now().plusYears(1));
KeyVaultKey rsaKey = keyClient.createRsaKey(createRsaKeyOptions);

System.out.printf("Created key with name: %s and id: %s%n", rsaKey.getName(), rsaKey.getId());
      Parameters:
      createRsaKeyOptions - The options object containing information about the RSA key being created.
      Returns:
      The created key.
      Throws:
      com.azure.core.exception.HttpResponseException - If CreateKeyOptions.getName() is an empty string.
      NullPointerException - If createRsaKeyOptions is null.
      com.azure.core.exception.ResourceModifiedException - If createRsaKeyOptions is malformed.

    • createRsaKeyWithResponse

      public com.azure.core.http.rest.Response<KeyVaultKey> createRsaKeyWithResponse(CreateRsaKeyOptions createRsaKeyOptions, com.azure.core.util.Context context)
      Creates a new RSA key and stores it in the key vault. The create RSA key operation can be used to create any RSA key type in Azure Key Vault. If a key with the provided name already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

      The CreateRsaKeyOptions parameter is required. The keySize can be optionally specified. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

      The keyType indicates the type of key to create. Possible values include: RSA and RSA-HSM.

      Code Samples

      Creates a new RSA key with size 2048 which activates in one day and expires in one year. Prints out the details of the created key.

      CreateRsaKeyOptions createRsaKeyOptions = new CreateRsaKeyOptions("keyName")
    .setKeySize(2048)
    .setNotBefore(OffsetDateTime.now().plusDays(1))
    .setExpiresOn(OffsetDateTime.now().plusYears(1));
Response<KeyVaultKey> createRsaKeyResponse =
    keyClient.createRsaKeyWithResponse(createRsaKeyOptions, new Context("key1", "value1"));

System.out.printf("Created key with name: %s and: id %s%n", createRsaKeyResponse.getValue().getName(),
    createRsaKeyResponse.getValue().getId());
      Parameters:
      createRsaKeyOptions - The options object containing information about the RSA key being created.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A Response whose value contains the created key.
      Throws:
      com.azure.core.exception.HttpResponseException - If CreateKeyOptions.getName() is an empty string.
      NullPointerException - If createRsaKeyOptions is null.
      com.azure.core.exception.ResourceModifiedException - If createRsaKeyOptions is malformed.

    • createEcKey

      public KeyVaultKey createEcKey(CreateEcKeyOptions createEcKeyOptions)
      Creates a new EC key and stores it in the key vault. The create EC key operation can be used to create any EC key type in Azure Key Vault. If a key with the provided name already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

      The CreateEcKeyOptions parameter is required. The key curve can be optionally specified. If not specified, the default value P-256 is used by Azure Key Vault. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

      The keyType indicates the type of KeyVaultKey key to create. Possible values include: EC and EC-HSM.

      Code Samples

      Creates a new EC key with a P-384 web key curve. The key activates in one day and expires in one year. Prints out the details of the created key.

      CreateEcKeyOptions createEcKeyOptions = new CreateEcKeyOptions("keyName")
    .setCurveName(KeyCurveName.P_384)
    .setNotBefore(OffsetDateTime.now().plusDays(1))
    .setExpiresOn(OffsetDateTime.now().plusYears(1));
KeyVaultKey ecKey = keyClient.createEcKey(createEcKeyOptions);

System.out.printf("Created key with name: %s and id: %s%n", ecKey.getName(), ecKey.getId());
      Parameters:
      createEcKeyOptions - The options object containing information about the EC key being created.
      Returns:
      The created key.
      Throws:
      com.azure.core.exception.HttpResponseException - If CreateKeyOptions.getName() is an empty string.
      NullPointerException - If createEcKeyOptions is null.
      com.azure.core.exception.ResourceModifiedException - If createEcKeyOptions is malformed.

    • createEcKeyWithResponse

      public com.azure.core.http.rest.Response<KeyVaultKey> createEcKeyWithResponse(CreateEcKeyOptions createEcKeyOptions, com.azure.core.util.Context context)
      Creates a new EC key and stores it in the key vault. The create EC key operation can be used to create any EC key type in Azure Key Vault. If a key with the provided name already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

      The CreateEcKeyOptions parameter is required. The key curve can be optionally specified. If not specified, the default value P-256 is used by Azure Key Vault. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

      The keyType indicates the type of KeyVaultKey key to create. Possible values include: EC and EC-HSM.

      Code Samples

      Creates a new EC key with a P-384 web key curve. The key activates in one day and expires in one year. Prints out the details of the created key.

      CreateEcKeyOptions createEcKeyOptions = new CreateEcKeyOptions("keyName")
    .setCurveName(KeyCurveName.P_384)
    .setNotBefore(OffsetDateTime.now().plusDays(1))
    .setExpiresOn(OffsetDateTime.now().plusYears(1));
Response<KeyVaultKey> createEcKeyResponse =
    keyClient.createEcKeyWithResponse(createEcKeyOptions, new Context("key1", "value1"));

System.out.printf("Created key with name: %s and: id %s%n", createEcKeyResponse.getValue().getName(),
    createEcKeyResponse.getValue().getId());
      Parameters:
      createEcKeyOptions - The options object containing information about the EC key being created.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A Response whose value contains the created key.
      Throws:
      com.azure.core.exception.HttpResponseException - If CreateKeyOptions.getName() is an empty string.
      NullPointerException - If createEcKeyOptions is null.
      com.azure.core.exception.ResourceModifiedException - If createEcKeyOptions is malformed.

    • createOctKey

      public KeyVaultKey createOctKey(CreateOctKeyOptions createOctKeyOptions)
      Creates and stores a new symmetric key in the key vault. If a key with the provided name already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/create permission.

      The CreateOctKeyOptions parameter is required. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

      The keyType indicates the type of KeyVaultKey key to create. Possible values include: OCT and OCT-HSM.

      Code Samples

      Creates a new symmetric key. The key activates in one day and expires in one year. Prints out the details of the newly created key.

      CreateOctKeyOptions createOctKeyOptions = new CreateOctKeyOptions("keyName")
    .setNotBefore(OffsetDateTime.now().plusDays(1))
    .setExpiresOn(OffsetDateTime.now().plusYears(1));
KeyVaultKey octKey = keyClient.createOctKey(createOctKeyOptions);

System.out.printf("Created key with name: %s and id: %s%n", octKey.getName(), octKey.getId());
      Parameters:
      createOctKeyOptions - The options object containing information about the symmetric key being created.
      Returns:
      The created key.
      Throws:
      com.azure.core.exception.HttpResponseException - If CreateKeyOptions.getName() is an empty string.
      NullPointerException - If createOctKeyOptions is null.
      com.azure.core.exception.ResourceModifiedException - If createOctKeyOptions is malformed.

    • createOctKeyWithResponse

      public com.azure.core.http.rest.Response<KeyVaultKey> createOctKeyWithResponse(CreateOctKeyOptions createOctKeyOptions, com.azure.core.util.Context context)
      Creates and stores a new symmetric key in the key vault. If a key with the provided name already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/create permission.

      The CreateOctKeyOptions parameter is required. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

      The keyType indicates the type of KeyVaultKey key to create. Possible values include: OCT and OCT-HSM.

      Code Samples

      Creates a new symmetric key. The key activates in one day and expires in one year. Prints out the details of the newly created key.

      CreateOctKeyOptions createOctKeyOptions = new CreateOctKeyOptions("keyName")
    .setNotBefore(OffsetDateTime.now().plusDays(1))
    .setExpiresOn(OffsetDateTime.now().plusYears(1));
Response<KeyVaultKey> createOctKeyResponse =
    keyClient.createOctKeyWithResponse(createOctKeyOptions, new Context("key1", "value1"));

System.out.printf("Created key with name: %s and: id %s%n", createOctKeyResponse.getValue().getName(),
    createOctKeyResponse.getValue().getId());
      Parameters:
      createOctKeyOptions - The options object containing information about the symmetric key being created.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A Response whose value contains the created key.
      Throws:
      com.azure.core.exception.HttpResponseException - If CreateKeyOptions.getName() is an empty string.
      NullPointerException - If createOctKeyOptions is null.
      com.azure.core.exception.ResourceModifiedException - If createOctKeyOptions is malformed.

    • importKey

      public KeyVaultKey importKey(String name, JsonWebKey keyMaterial)
      Imports an externally created key and stores it in the key vault. The import key operation may be used to import any key type into Azure Key Vault. If a key with the provided name already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission.

      Code Samples

      Imports a new key into the key vault. Prints out the details of the imported key.

      KeyVaultKey key = keyClient.importKey("keyName", jsonWebKeyToImport);

System.out.printf("Imported key with name: %s and id: %s%n", key.getName(), key.getId());
      Parameters:
      name - The name for the imported key.
      keyMaterial - The JsonWebKey being imported.
      Returns:
      The imported key.
      Throws:
      com.azure.core.exception.HttpResponseException - If name is an empty string.

    • importKey

      public KeyVaultKey importKey(ImportKeyOptions importKeyOptions)
      Imports an externally created key and stores it in the key vault. The import key operation may be used to import any key type into Azure Key Vault. If a key with the provided name already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission.

      ImportKeyOptions is required and its fields name and key material cannot be null. The expires and notBefore values in keyImportOptions are optional. If not specified, no values are set for the fields. The enabled field is set to true and the hsm field is set to false by Azure Key Vault, if they are not specified.

      Code Samples

      Imports a new key into the key vault. Prints out the details of the imported key.

      ImportKeyOptions options = new ImportKeyOptions("keyName", jsonWebKeyToImport)
    .setHardwareProtected(false);
KeyVaultKey importedKey = keyClient.importKey(options);

System.out.printf("Imported key with name: %s and id: %s%n", importedKey.getName(),
    importedKey.getId());
      Parameters:
      importKeyOptions - The options object containing information about the JsonWebKey being imported.
      Returns:
      The imported key.
      Throws:
      com.azure.core.exception.HttpResponseException - If KeyProperties.getName() is an empty string.
      NullPointerException - If importKeyOptions is null.

    • importKeyWithResponse

      public com.azure.core.http.rest.Response<KeyVaultKey> importKeyWithResponse(ImportKeyOptions importKeyOptions, com.azure.core.util.Context context)
      Imports an externally created key and stores it in the key vault. The import key operation may be used to import any key type into Azure Key Vault. If a key with the provided name already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission.

      ImportKeyOptions is required and its fields name and key material cannot be null. The expires and notBefore values in keyImportOptions are optional. If not specified, no values are set for the fields. The enabled field is set to true and the hsm field is set to false by Azure Key Vault, if they are not specified.

      Code Samples

      Imports a new key into the key vault. Prints out the details of the imported key.

      ImportKeyOptions importKeyOptions = new ImportKeyOptions("keyName", jsonWebKeyToImport)
    .setHardwareProtected(false);
Response<KeyVaultKey> response =
    keyClient.importKeyWithResponse(importKeyOptions, new Context("key1", "value1"));

System.out.printf("Imported key with name: %s and id: %s%n", response.getValue().getName(),
    response.getValue().getId());
      Parameters:
      importKeyOptions - The options object containing information about the JsonWebKey being imported.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A Response whose value contains the imported key.
      Throws:
      com.azure.core.exception.HttpResponseException - If KeyProperties.getName() is an empty string.
      NullPointerException - If keyImportOptions is null.

    • getKey

      public KeyVaultKey getKey(String name, String version)
      Gets the public part of the specified key and key version. The get key operation is applicable to all key types and it requires the keys/get permission.

      Code Samples

      Gets a specific version of the key in the key vault. Prints out the details of the retrieved key.

      String keyVersion = "<key-version>";
KeyVaultKey keyWithVersion = keyClient.getKey("keyName", keyVersion);

System.out.printf("Retrieved key with name: %s and: id %s%n", keyWithVersion.getName(),
    keyWithVersion.getId());
      Parameters:
      name - The name of the key, cannot be null.
      version - The version of the key to retrieve. If this is an empty string or null, this call is equivalent to calling getKey(String), with the latest version being retrieved.
      Returns:
      The requested key. The content of the key is null if both name and version are null or empty.
      Throws:
      com.azure.core.exception.HttpResponseException - If a valid name and a non-null/empty version is specified.
      com.azure.core.exception.ResourceNotFoundException - When a key with the provided name doesn't exist in the key vault or an empty/null name and a non-null/empty version is provided.

    • getKeyWithResponse

      public com.azure.core.http.rest.Response<KeyVaultKey> getKeyWithResponse(String name, String version, com.azure.core.util.Context context)
      Gets the public part of the specified key and key version. The get key operation is applicable to all key types and it requires the keys/get permission.

      Code Samples

      Gets a specific version of the key in the key vault. Prints out the details of the retrieved key.

      String keyVersion = "<key-version>";
Response<KeyVaultKey> getKeyResponse =
    keyClient.getKeyWithResponse("keyName", keyVersion, new Context("key1", "value1"));

System.out.printf("Retrieved key with name: %s and: id %s%n", getKeyResponse.getValue().getName(),
    getKeyResponse.getValue().getId());
      Parameters:
      name - The name of the key, cannot be null.
      version - The version of the key to retrieve. If this is an empty string or null, this call is equivalent to calling getKey(String), with the latest version being retrieved.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A Response whose value contains the requested key. The content of the key is null if both name and version are null or empty.
      Throws:
      com.azure.core.exception.HttpResponseException - If a valid name and a non-null/empty version is specified.
      com.azure.core.exception.ResourceNotFoundException - When a key with the provided name doesn't exist in the key vault or an empty/null name and a non-null/empty version is provided.

    • getKey

      public KeyVaultKey getKey(String name)
      Gets the public part of the specified key and key version. The get key operation is applicable to all key types and it requires the keys/get permission.

      Code Samples

      Gets a specific version of the key in the key vault. Prints out the details of the retrieved key.

      KeyVaultKey keyWithVersionValue = keyClient.getKey("keyName");

System.out.printf("Retrieved key with name: %s and: id %s%n", keyWithVersionValue.getName(),
    keyWithVersionValue.getId());
      Parameters:
      name - The name of the key, cannot be null.
      Returns:
      The requested key. The content of the key is null if name is null or empty.
      Throws:
      com.azure.core.exception.HttpResponseException - If a non null/empty and an invalid name is specified.
      com.azure.core.exception.ResourceNotFoundException - When a key with non null/empty name doesn't exist in the key vault.

    • updateKeyProperties

      public KeyVaultKey updateKeyProperties(KeyProperties keyProperties, KeyOperation... keyOperations)
      Updates the attributes and key operations associated with the specified key, but not the cryptographic key material of the specified key in the key vault. The update operation changes specified attributes of an existing stored key and attributes that are not specified in the request are left unchanged. The cryptographic key material of a key itself cannot be changed. This operation requires the keys/set permission.

      Code Samples

      Gets the latest version of the key, changes its expiry time and key operations and the updates the key in the key vault.

      KeyVaultKey key = keyClient.getKey("keyName");

key.getProperties().setExpiresOn(OffsetDateTime.now().plusDays(60));

KeyVaultKey updatedKey = keyClient.updateKeyProperties(key.getProperties(), KeyOperation.ENCRYPT,
    KeyOperation.DECRYPT);

System.out.printf("Key is updated with name %s and id %s %n", updatedKey.getName(), updatedKey.getId());
      Parameters:
      keyProperties - The key properties object with updated properties.
      keyOperations - The updated key operations to associate with the key.
      Returns:
      A Response whose value contains the updated key.
      Throws:
      com.azure.core.exception.HttpResponseException - If name or version is an empty string.
      NullPointerException - If key is null.
      com.azure.core.exception.ResourceNotFoundException - When a key with name and version doesn't exist in the key vault.

    • updateKeyPropertiesWithResponse

      public com.azure.core.http.rest.Response<KeyVaultKey> updateKeyPropertiesWithResponse(KeyProperties keyProperties, com.azure.core.util.Context context, KeyOperation... keyOperations)
      Updates the attributes and key operations associated with the specified key, but not the cryptographic key material of the specified key in the key vault. The update operation changes specified attributes of an existing stored key and attributes that are not specified in the request are left unchanged. The cryptographic key material of a key itself cannot be changed. This operation requires the keys/set permission.

      Code Samples

      Gets the latest version of the key, changes its expiry time and key operations and the updates the key in the key vault.

      KeyVaultKey key = keyClient.getKey("keyName");

key.getProperties().setExpiresOn(OffsetDateTime.now().plusDays(60));

Response<KeyVaultKey> updateKeyResponse =
    keyClient.updateKeyPropertiesWithResponse(key.getProperties(), new Context("key1", "value1"),
        KeyOperation.ENCRYPT, KeyOperation.DECRYPT);

System.out.printf("Updated key with name: %s and id: %s%n", updateKeyResponse.getValue().getName(),
    updateKeyResponse.getValue().getId());
      Parameters:
      keyProperties - The key properties object with updated properties.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      keyOperations - The updated key operations to associate with the key.
      Returns:
      A Response whose value contains the updated key.
      Throws:
      com.azure.core.exception.HttpResponseException - If name or version is an empty string.
      NullPointerException - If keyProperties is null.
      com.azure.core.exception.ResourceNotFoundException - When a key with name and version doesn't exist in the key vault.

    • beginDeleteKey

      public com.azure.core.util.polling.SyncPoller<DeletedKey, Void> beginDeleteKey(String name)
      Deletes a key of any type from the key vault. If soft-delete is enabled on the key vault then the key is placed in the deleted state and requires to be purged for permanent deletion else the key is permanently deleted. The delete operation applies to any key stored in Azure Key Vault but it cannot be applied to an individual version of a key. This operation removes the cryptographic material associated with the key, which means the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations. This operation requires the keys/delete permission.

      Code Samples

      Deletes the key from the key vault. Prints out the recovery id of the deleted key.

      SyncPoller<DeletedKey, Void> deleteKeyPoller = keyClient.beginDeleteKey("keyName");
PollResponse<DeletedKey> deleteKeyPollResponse = deleteKeyPoller.poll();

// Deleted date only works for SoftDelete Enabled Key Vault.
DeletedKey deletedKey = deleteKeyPollResponse.getValue();

System.out.printf("Key delete date: %s%n", deletedKey.getDeletedOn());
System.out.printf("Deleted key's recovery id: %s%n", deletedKey.getRecoveryId());

// Key is being deleted on the server.
deleteKeyPoller.waitForCompletion();
// Key is deleted
      Parameters:
      name - The name of the key to be deleted.
      Returns:
      A SyncPoller to poll on and retrieve deleted key
      Throws:
      com.azure.core.exception.HttpResponseException - When a key with name is an empty string.
      com.azure.core.exception.ResourceNotFoundException - When a key with name doesn't exist in the key vault.

    • getDeletedKey

      public DeletedKey getDeletedKey(String name)
      Gets the public part of a deleted key. The get deleted Key operation is applicable for soft-delete enabled vaults. This operation requires the keys/get permission.

      Code Samples

      Gets the deleted key from the key vault enabled for soft-delete. Prints out the details of the deleted key.

      DeletedKey deletedKey = keyClient.getDeletedKey("keyName");

System.out.printf("Deleted key's recovery id: %s%n", deletedKey.getRecoveryId());
      Parameters:
      name - The name of the deleted key.
      Returns:
      The deleted key.
      Throws:
      com.azure.core.exception.HttpResponseException - When a key with name is an empty string.
      com.azure.core.exception.ResourceNotFoundException - When a key with name doesn't exist in the key vault.

    • getDeletedKeyWithResponse

      public com.azure.core.http.rest.Response<DeletedKey> getDeletedKeyWithResponse(String name, com.azure.core.util.Context context)
      Gets the public part of a deleted key. The get deleted Key operation is applicable for soft-delete enabled vaults. This operation requires the keys/get permission.

      Code Samples

      Gets the deleted key from the key vault enabled for soft-delete. Prints out the details of the deleted key returned in the HTTPresponse.

      Response<DeletedKey> deletedKeyResponse =
    keyClient.getDeletedKeyWithResponse("keyName", new Context("key1", "value1"));

System.out.printf("Deleted key with recovery id: %s%n", deletedKeyResponse.getValue().getRecoveryId());
      Parameters:
      name - The name of the deleted key.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A Response whose value contains the deleted key.
      Throws:
      com.azure.core.exception.HttpResponseException - When a key with name is an empty string.
      com.azure.core.exception.ResourceNotFoundException - When a key with name doesn't exist in the key vault.

    • purgeDeletedKey

      public void purgeDeletedKey(String name)
      Permanently deletes the specified key without the possibility of recovery. The purge deleted key operation is applicable for soft-delete enabled vaults. This operation requires the keys/purge permission.

      Code Samples

      Purges the deleted key from the key vault enabled for soft-delete.

      keyClient.purgeDeletedKey("deletedKeyName");
      Parameters:
      name - The name of the deleted key.
      Throws:
      com.azure.core.exception.HttpResponseException - When a key with name is an empty string.
      com.azure.core.exception.ResourceNotFoundException - When a key with name doesn't exist in the key vault.

    • purgeDeletedKeyWithResponse

      public com.azure.core.http.rest.Response<Void> purgeDeletedKeyWithResponse(String name, com.azure.core.util.Context context)
      Permanently deletes the specified key without the possibility of recovery. The purge deleted key operation is applicable for soft-delete enabled vaults. This operation requires the keys/purge permission.

      Code Samples

      Purges the deleted key from the key vault enabled for soft-delete.

      Response<Void> purgeDeletedKeyResponse = keyClient.purgeDeletedKeyWithResponse("deletedKeyName",
    new Context("key1", "value1"));

System.out.printf("Purge response status code: %d%n", purgeDeletedKeyResponse.getStatusCode());
      Parameters:
      name - The name of the deleted key.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A Response containing status code and HTTP headers.
      Throws:
      com.azure.core.exception.HttpResponseException - When a key with name is an empty string.
      com.azure.core.exception.ResourceNotFoundException - When a key with name doesn't exist in the key vault.

    • beginRecoverDeletedKey

      public com.azure.core.util.polling.SyncPoller<KeyVaultKey, Void> beginRecoverDeletedKey(String name)
      Recovers the deleted key in the key vault to its latest version and can only be performed on a soft-delete enabled vault. An attempt to recover an non-deleted key will return an error. Consider this the inverse of the delete operation on soft-delete enabled vaults. This operation requires the keys/recover permission.

      Code Samples

      Recovers the deleted key from the key vault enabled for soft-delete.

      SyncPoller<KeyVaultKey, Void> recoverKeyPoller = keyClient.beginRecoverDeletedKey("deletedKeyName");

PollResponse<KeyVaultKey> recoverKeyPollResponse = recoverKeyPoller.poll();

KeyVaultKey recoveredKey = recoverKeyPollResponse.getValue();
System.out.printf("Recovered key name: %s%n", recoveredKey.getName());
System.out.printf("Recovered key id: %s%n", recoveredKey.getId());

// Key is being recovered on the server.
recoverKeyPoller.waitForCompletion();
// Key is recovered
      Parameters:
      name - The name of the deleted key to be recovered.
      Returns:
      A SyncPoller to poll on and retrieve recovered key.
      Throws:
      com.azure.core.exception.HttpResponseException - When a key with name is an empty string.
      com.azure.core.exception.ResourceNotFoundException - When a key with name doesn't exist in the key vault.

    • backupKey

      public byte[] backupKey(String name)
      Requests a backup of the specified key be downloaded to the client. The key backup operation exports a key from Azure Key Vault in a protected form. Note that this operation does not return key material in a form that can be used outside the Azure Key Vault system, the returned key material is either protected to a Azure Key Vault HSM or to Azure Key Vault itself. The intent of this operation is to allow a client to generate a key in one Azure Key Vault instance, backup the key, and then restore it into another Azure Key Vault instance. The backup operation may be used to export, in protected form, any key type from Azure Key Vault. Individual versions of a key cannot be backed up. Backup/Restore can be performed within geographical boundaries only; meaning that a backup from one geographical area cannot be restored to another geographical area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This operation requires the key/backup permission.

      Code Samples

      Backs up the key from the key vault.

      byte[] keyBackup = keyClient.backupKey("keyName");

System.out.printf("Key backup byte array length: %s%n", keyBackup.length);
      Parameters:
      name - The name of the key.
      Returns:
      The backed up key blob.
      Throws:
      com.azure.core.exception.HttpResponseException - When a key with name is an empty string.
      com.azure.core.exception.ResourceNotFoundException - When a key with name doesn't exist in the key vault.

    • backupKeyWithResponse

      public com.azure.core.http.rest.Response<byte[]> backupKeyWithResponse(String name, com.azure.core.util.Context context)
      Requests a backup of the specified key be downloaded to the client. The key backup operation exports a key from Azure Key Vault in a protected form. Note that this operation does not return key material in a form that can be used outside the Azure Key Vault system, the returned key material is either protected to a Azure Key Vault HSM or to Azure Key Vault itself. The intent of this operation is to allow a client to generate a key in one Azure Key Vault instance, backup the key, and then restore it into another Azure Key Vault instance. The backup operation may be used to export, in protected form, any key type from Azure Key Vault. Individual versions of a key cannot be backed up. Backup/Restore can be performed within geographical boundaries only; meaning that a backup from one geographical area cannot be restored to another geographical area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This operation requires the key/backup permission.

      Code Samples

      Backs up the key from the key vault and prints out the length of the key's backup byte array returned in the HTTPresponse.

      Response<byte[]> backupKeyResponse = keyClient.backupKeyWithResponse("keyName", new Context("key1", "value1"));

System.out.printf("Key backup byte array length: %s%n", backupKeyResponse.getValue().length);
      Parameters:
      name - The name of the key.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A Response whose value contains the backed up key blob.
      Throws:
      com.azure.core.exception.HttpResponseException - When a key with name is an empty string.
      com.azure.core.exception.ResourceNotFoundException - When a key with name doesn't exist in the key vault.

    • restoreKeyBackup

      public KeyVaultKey restoreKeyBackup(byte[] backup)
      Restores a backed up key to a vault. Imports a previously backed up key into Azure Key Vault, restoring the key, its key identifier, attributes and access control policies. The restore operation may be used to import a previously backed up key. Individual versions of a key cannot be restored. The key is restored in its entirety with the same key name as it had when it was backed up. If the key name is not available in the target key vault, the restore operation will be rejected. While the key name is retained during restore, the final key identifier will change if the key is restored to a different vault. Restore will restore all versions and preserve version identifiers. The restore operation is subject to security constraints: The target key vault must be owned by the same Microsoft Azure Subscription as the source key vault. The user must have the restore permission in the target key vault. This operation requires the keys/restore permission.

      Code Samples

      Restores the key in the key vault from its backup.

      // Pass the key backup byte array to the restore operation. 
      byte[] keyBackupByteArray = {};
KeyVaultKey keyResponse = keyClient.restoreKeyBackup(keyBackupByteArray);
System.out.printf("Restored key with name: %s and: id %s%n", keyResponse.getName(), keyResponse.getId());
      Parameters:
      backup - The backup blob associated with the key.
      Returns:
      The restored key.
      Throws:
      com.azure.core.exception.ResourceModifiedException - When the backup blob is malformed.

    • restoreKeyBackupWithResponse

      public com.azure.core.http.rest.Response<KeyVaultKey> restoreKeyBackupWithResponse(byte[] backup, com.azure.core.util.Context context)
      Restores a backed up key to a vault. Imports a previously backed up key into Azure Key Vault, restoring the key, its key identifier, attributes and access control policies. The restore operation may be used to import a previously backed up key. Individual versions of a key cannot be restored. The key is restored in its entirety with the same key name as it had when it was backed up. If the key name is not available in the target key vault, the restore operation will be rejected. While the key name is retained during restore, the final key identifier will change if the key is restored to a different vault. Restore will restore all versions and preserve version identifiers. The restore operation is subject to security constraints: The target key vault must be owned by the same Microsoft Azure Subscription as the source key vault. The user must have the restore permission in the target key vault. This operation requires the keys/restore permission.

      Code Samples

      Restores the key in the key vault from its backup. Prints out the details of the restored key returned in the HTTPresponse.

      // Pass the key backup byte array to the restore operation. 
      Response<KeyVaultKey> keyResponse = keyClient.restoreKeyBackupWithResponse(keyBackupByteArray,
    new Context("key1", "value1"));

System.out.printf("Restored key with name: %s and: id %s%n",
    keyResponse.getValue().getName(), keyResponse.getValue().getId());
      Parameters:
      backup - The backup blob associated with the key.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A Response whose value contains the restored key.
      Throws:
      com.azure.core.exception.ResourceModifiedException - When the backup blob is malformed.

    • listPropertiesOfKeys

      public com.azure.core.http.rest.PagedIterable<KeyProperties> listPropertiesOfKeys()
      List keys in the key vault. Retrieves a list of the keys in the key vault as JsonWebKey structures that contain the public part of a stored key. The list operation is applicable to all key types and the individual key response in the list is represented by KeyProperties as only the key identifier, attributes and tags are provided in the response. The key material and individual key versions are not listed in the response. This operation requires the keys/list permission.

      Code Samples

      It is possible to get full keys with key material from this information. Loop over the KeyProperties and call getKey(String, String). This will return the key with key material included as of its latest version.

      for (KeyProperties keyProperties : keyClient.listPropertiesOfKeys()) {
    KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion());

    System.out.printf("Retrieved key with name: %s and type: %s%n", key.getName(), key.getKeyType());
}

      Iterate keys by page

      It is possible to get full keys with key material from this information. Iterate over all the KeyProperties by page and call getKey(String, String). This will return the key with key material included as of its latest version.

      keyClient.listPropertiesOfKeys().iterableByPage().forEach(pagedResponse -> {
    System.out.printf("Got response details. Url: %s. Status code: %d.%n",
        pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode());
    pagedResponse.getElements().forEach(keyProperties -> {
        KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion());

        System.out.printf("Retrieved key with name: %s and type: %s%n", key.getName(),
            key.getKeyType());
    });
});
      Returns:
      PagedIterable of key of all the keys in the vault.

    • listPropertiesOfKeys

      public com.azure.core.http.rest.PagedIterable<KeyProperties> listPropertiesOfKeys(com.azure.core.util.Context context)
      List keys in the key vault. Retrieves a list of the keys in the key vault as JsonWebKey structures that contain the public part of a stored key. The list operation is applicable to all key types and the individual key response in the list is represented by KeyProperties as only the key identifier, attributes and tags are provided in the response. The key material and individual key versions are not listed in the response. This operation requires the keys/list permission.

      Code Samples

      It is possible to get full keys with key material from this information. Loop over the KeyProperties and call getKey(String, String). This will return the key with key material included as of its latest version.

      for (KeyProperties keyProperties : keyClient.listPropertiesOfKeys(new Context("key1", "value1"))) {
    KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion());

    System.out.printf("Retrieved key with name: %s and type: %s%n", key.getName(),
        key.getKeyType());
}

      Iterate by page

      It is possible to get full keys with key material from this information. Iterate over all the KeyProperties by page and call getKey(String, String). This will return the key with key material included as of its latest version.

      keyClient.listPropertiesOfKeys().iterableByPage().forEach(pagedResponse -> {
    System.out.printf("Got response details. Url: %s. Status code: %d.%n",
        pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode());
    pagedResponse.getElements().forEach(keyProperties -> {
        KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion());

        System.out.printf("Retrieved key with name: %s and type: %s%n", key.getName(),
            key.getKeyType());
    });
});
      Parameters:
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      PagedIterable of key of all the keys in the vault.

    • listDeletedKeys

      public com.azure.core.http.rest.PagedIterable<DeletedKey> listDeletedKeys()
      Lists deleted keys of the key vault. The deleted keys are retrieved as JsonWebKey structures that contain the public part of a deleted key. The get deleted keys operation is applicable for vaults enabled for soft-delete. This operation requires the keys/list permission.

      Code Samples

      Lists the deleted keys in the key vault and for each deleted key prints out its recovery id.

      for (DeletedKey deletedKey : keyClient.listDeletedKeys()) {
    System.out.printf("Deleted key's recovery id:%s%n", deletedKey.getRecoveryId());
}

      Code Samples to iterate over deleted keys by page

      Iterates over the deleted keys by page in the key vault and for each deleted key prints out its recovery id.

      keyClient.listDeletedKeys().iterableByPage().forEach(pagedResponse -> {
    System.out.printf("Got response details. Url: %s. Status code: %d.%n",
        pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode());
    pagedResponse.getElements().forEach(deletedKey ->
        System.out.printf("Deleted key's recovery id:%s%n", deletedKey.getRecoveryId()));
});
      Returns:
      PagedIterable of all of the deleted keys in the vault.

    • listDeletedKeys

      public com.azure.core.http.rest.PagedIterable<DeletedKey> listDeletedKeys(com.azure.core.util.Context context)
      Lists deleted keys of the key vault. The deleted keys are retrieved as JsonWebKey structures that contain the public part of a deleted key. The get deleted keys operation is applicable for vaults enabled for soft-delete. This operation requires the keys/list permission.

      Code Samples

      Lists the deleted keys in the key vault and for each deleted key prints out its recovery id.

      for (DeletedKey deletedKey : keyClient.listDeletedKeys(new Context("key1", "value1"))) {
    System.out.printf("Deleted key's recovery id:%s%n", deletedKey.getRecoveryId());
}

      Code Samples to iterate over deleted keys by page

      Iterates over the deleted keys by page in the key vault and for each deleted key prints out its recovery id.

      keyClient.listDeletedKeys().iterableByPage().forEach(pagedResponse -> {
    System.out.printf("Got response details. Url: %s. Status code: %d.%n",
        pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode());
    pagedResponse.getElements().forEach(deletedKey ->
        System.out.printf("Deleted key's recovery id:%s%n", deletedKey.getRecoveryId()));
});
      Parameters:
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      PagedIterable of all of the deleted keys in the vault.

    • listPropertiesOfKeyVersions

      public com.azure.core.http.rest.PagedIterable<KeyProperties> listPropertiesOfKeyVersions(String name)
      List all versions of the specified keys. The individual key response in the flux is represented by KeyProperties as only the key identifier, attributes and tags are provided in the response. The key material values are not provided in the response. This operation requires the keys/list permission.

      It is possible to get full keys with key material for each version from this information. Loop over the key and call getKey(String, String). This will return the keys with key material included of the specified versions.

      for (KeyProperties keyProperties : keyClient.listPropertiesOfKeyVersions("keyName")) {
    KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion());

    System.out.printf("Retrieved key version: %s with name: %s and type: %s%n",
        key.getProperties().getVersion(), key.getName(), key.getKeyType());
}

      Code Samples to iterate over key versions by page

      It is possible to get full keys with key material for each version from this information. Iterate over all the key by page and call getKey(String, String). This will return the keys with key material included of the specified versions.

      keyClient.listPropertiesOfKeyVersions("keyName").iterableByPage().forEach(pagedResponse -> {
    System.out.printf("Got response details. Url: %s. Status code: %d.%n",
        pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode());
    pagedResponse.getElements().forEach(keyProperties ->
        System.out.printf("Key name: %s. Key version: %s.%n", keyProperties.getName(),
            keyProperties.getVersion()));
});
      Parameters:
      name - The name of the key.
      Returns:
      PagedIterable of key of all the versions of the specified key in the vault. The list is empty if a key with the provided name does not exist in the key vault.
      Throws:
      com.azure.core.exception.ResourceNotFoundException - When a given key name is null or an empty string.

    • listPropertiesOfKeyVersions

      public com.azure.core.http.rest.PagedIterable<KeyProperties> listPropertiesOfKeyVersions(String name, com.azure.core.util.Context context)
      List all versions of the specified keys. The individual key response in the flux is represented by KeyProperties as only the key identifier, attributes and tags are provided in the response. The key material values are not provided in the response. This operation requires the keys/list permission.

      It is possible to get full keys with key material for each version from this information. Loop over the key and call getKey(String, String). This will return the keys with key material included of the specified versions.

      for (KeyProperties keyProperties : keyClient.listPropertiesOfKeyVersions("keyName", new Context("key1", "value1"))) {
    KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion());

    System.out.printf("Retrieved key version: %s with name: %s and type: %s%n",
        key.getProperties().getVersion(), key.getName(), key.getKeyType());
}

      Code Samples to iterate over key versions by page

      It is possible to get full keys with key material for each version from this information. Iterate over all the key by page and call getKey(String, String). This will return the keys with key material included of the specified versions.

      keyClient.listPropertiesOfKeyVersions("keyName").iterableByPage().forEach(pagedResponse -> {
    System.out.printf("Got response details. Url: %s. Status code: %d.%n",
        pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode());
    pagedResponse.getElements().forEach(keyProperties ->
        System.out.printf("Key name: %s. Key version: %s.%n", keyProperties.getName(),
            keyProperties.getVersion()));
});
      Parameters:
      name - The name of the key.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      PagedIterable of key of all the versions of the specified key in the vault. The list is empty if a key with the provided name does not exist in the key vault.
      Throws:
      com.azure.core.exception.ResourceNotFoundException - When a given key name is null or an empty string.

    • getRandomBytes

      public byte[] getRandomBytes(int count)
      Get the requested number of bytes containing random values from a managed HSM.

      Code Samples

      Gets a number of bytes containing random values from a Managed HSM. Prints out the retrieved bytes in base64Url format.

      int amount = 16;
byte[] randomBytes = keyClient.getRandomBytes(amount);

System.out.printf("Retrieved %d random bytes: %s%n", amount, Arrays.toString(randomBytes));
      Parameters:
      count - The requested number of random bytes.
      Returns:
      The requested number of bytes containing random values from a managed HSM.

    • getRandomBytesWithResponse

      public com.azure.core.http.rest.Response<byte[]> getRandomBytesWithResponse(int count, com.azure.core.util.Context context)
      Get the requested number of bytes containing random values from a managed HSM.

      Code Samples

      Gets a number of bytes containing random values from a Managed HSM. Prints out the HTTP Response details and the retrieved bytes in base64Url format.

      int amountOfBytes = 16;
Response<byte[]> response =
    keyClient.getRandomBytesWithResponse(amountOfBytes, new Context("key1", "value1"));

System.out.printf("Response received successfully with status code: %d. Retrieved %d random bytes: %s%n",
    response.getStatusCode(), amountOfBytes, Arrays.toString(response.getValue()));
      Parameters:
      count - The requested number of random bytes.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      The HTTP response for this operation and the requested number of bytes containing random values from a managed HSM.

    • releaseKey

      public ReleaseKeyResult releaseKey(String name, String targetAttestationToken)
      Releases the latest version of a key.

      The key must be exportable. This operation requires the keys/release permission.

      Code Samples

      Releases a key. Prints out the signed object that contains the release key.

      String targetAttestationToken = "someAttestationToken";
ReleaseKeyResult releaseKeyResult = keyClient.releaseKey("keyName", targetAttestationToken);

System.out.printf("Signed object containing released key: %s%n", releaseKeyResult);
      Parameters:
      name - The name of the key to release.
      targetAttestationToken - The attestation assertion for the target of the key release.
      Returns:
      The key release result containing the released key.
      Throws:
      IllegalArgumentException - If name or targetAttestationToken are null or empty.
      com.azure.core.exception.ResourceNotFoundException - If the key for the provided name does not exist.

    • releaseKey

      public ReleaseKeyResult releaseKey(String name, String version, String targetAttestationToken)
      Releases a specific version of a key.

      The key must be exportable. This operation requires the keys/release permission.

      Code Samples

      Releases a key. Prints out the signed object that contains the release key.

      String myKeyVersion = "<key-version>";
String myTargetAttestationToken = "someAttestationToken";
ReleaseKeyResult releaseKeyVersionResult =
    keyClient.releaseKey("keyName", myKeyVersion, myTargetAttestationToken);

System.out.printf("Signed object containing released key: %s%n", releaseKeyVersionResult);
      Parameters:
      name - The name of the key to release.
      version - The version of the key to release. If this is empty or null, this call is equivalent to calling releaseKey(String, String), with the latest key version being released.
      targetAttestationToken - The attestation assertion for the target of the key release.
      Returns:
      The key release result containing the released key.
      Throws:
      IllegalArgumentException - If name or targetAttestationToken are null or empty.
      com.azure.core.exception.ResourceNotFoundException - If the key for the provided name does not exist.

    • releaseKeyWithResponse

      public com.azure.core.http.rest.Response<ReleaseKeyResult> releaseKeyWithResponse(String name, String version, String targetAttestationToken, ReleaseKeyOptions releaseKeyOptions, com.azure.core.util.Context context)
      Releases a key.

      The key must be exportable. This operation requires the keys/release permission.

      Code Samples

      Releases a key. Prints out the HTTP Response details and the signed object that contains the release key.

      String releaseKeyVersion = "<key-version>";
String someTargetAttestationToken = "someAttestationToken";
ReleaseKeyOptions releaseKeyOptions = new ReleaseKeyOptions()
    .setAlgorithm(KeyExportEncryptionAlgorithm.RSA_AES_KEY_WRAP_256)
    .setNonce("someNonce");

Response<ReleaseKeyResult> releaseKeyResultResponse =
    keyClient.releaseKeyWithResponse("keyName", releaseKeyVersion, someTargetAttestationToken,
        releaseKeyOptions, new Context("key1", "value1"));

System.out.printf("Response received successfully with status code: %d. Signed object containing"
        + "released key: %s%n", releaseKeyResultResponse.getStatusCode(),
    releaseKeyResultResponse.getValue().getValue());
      Parameters:
      name - The name of the key to release.
      version - The version of the key to release. If this is empty or null, this call is equivalent to calling releaseKey(String, String), with the latest key version being released.
      targetAttestationToken - The attestation assertion for the target of the key release.
      releaseKeyOptions - Additional options for releasing a key.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      The HTTP response for this operation and the ReleaseKeyResult containing the released key.
      Throws:
      IllegalArgumentException - If name or targetAttestationToken are null or empty.
      com.azure.core.exception.ResourceNotFoundException - If the key for the provided name does not exist.

    • rotateKey

      public KeyVaultKey rotateKey(String name)
      Rotates a key. The rotate key operation will do so based on key's rotation policy. This operation requires the keys/rotate permission.

      Code Samples

      Rotates a key. Prints out rotated key details.

      KeyVaultKey key = keyClient.rotateKey("keyName");

System.out.printf("Rotated key with name: %s and version:%s%n", key.getName(),
    key.getProperties().getVersion());
      Parameters:
      name - The name of key to be rotated. The system will generate a new version in the specified key.
      Returns:
      The new version of the rotated key.
      Throws:
      IllegalArgumentException - If name is null or empty.
      com.azure.core.exception.ResourceNotFoundException - If the key for the provided name does not exist.

    • rotateKeyWithResponse

      public com.azure.core.http.rest.Response<KeyVaultKey> rotateKeyWithResponse(String name, com.azure.core.util.Context context)
      Rotates a key. The rotate key operation will do so based on key's rotation policy. This operation requires the keys/rotate permission.

      Code Samples

      Rotates a key. Prints out the HTTP Response and rotated key details.

      Response<KeyVaultKey> keyResponse = keyClient.rotateKeyWithResponse("keyName", new Context("key1", "value1"));

System.out.printf("Response received successfully with status code: %d. Rotated key with name: %s and"
        + "version: %s%n", keyResponse.getStatusCode(), keyResponse.getValue().getName(),
    keyResponse.getValue().getProperties().getVersion());
      Parameters:
      name - The name of key to be rotated. The system will generate a new version in the specified key.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      The HTTP response for this operation containing the new version of the rotated key.
      Throws:
      IllegalArgumentException - If name is null or empty.
      com.azure.core.exception.ResourceNotFoundException - If the key for the provided name does not exist.

    • getKeyRotationPolicy

      public KeyRotationPolicy getKeyRotationPolicy(String keyName)
      Gets the KeyRotationPolicy for the key with the provided name. This operation requires the keys/get permission.

      Code Samples

      Retrieves the rotation policy of a given key. Prints out the rotation policy key details.

      KeyRotationPolicy keyRotationPolicy = keyClient.getKeyRotationPolicy("keyName");

System.out.printf("Retrieved key rotation policy with id: %s%n", keyRotationPolicy.getId());
      Parameters:
      keyName - The name of the key.
      Returns:
      The KeyRotationPolicy for the key.
      Throws:
      IllegalArgumentException - If name is null or empty.
      com.azure.core.exception.ResourceNotFoundException - If the key for the provided name does not exist.

    • getKeyRotationPolicyWithResponse

      public com.azure.core.http.rest.Response<KeyRotationPolicy> getKeyRotationPolicyWithResponse(String keyName, com.azure.core.util.Context context)
      Gets the KeyRotationPolicy for the key with the provided name. This operation requires the keys/get permission.

      Code Samples

      Retrieves the rotation policy of a given key. Prints out the HTTP Response and rotation policy key details.

      Response<KeyRotationPolicy> keyRotationPolicyResponse =
    keyClient.getKeyRotationPolicyWithResponse("keyName", new Context("key1", "value1"));

System.out.printf("Response received successfully with status code: %d. Retrieved key rotation policy"
    + "with id: %s%n", keyRotationPolicyResponse.getStatusCode(), keyRotationPolicyResponse.getValue().getId());
      Parameters:
      keyName - The name of the key.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A HTTP response for this operation containing the KeyRotationPolicy for the key.
      Throws:
      IllegalArgumentException - If name is null or empty.
      com.azure.core.exception.ResourceNotFoundException - If the key for the provided name does not exist.

    • updateKeyRotationPolicy

      public KeyRotationPolicy updateKeyRotationPolicy(String keyName, KeyRotationPolicy keyRotationPolicy)
      Updates the KeyRotationPolicy of the key with the provided name. This operation requires the keys/update permission.

      Code Samples

      Updates the rotation policy of a given key. Prints out the rotation policy key details.

      List<KeyRotationLifetimeAction> lifetimeActions = new ArrayList<>();
KeyRotationLifetimeAction rotateLifetimeAction = new KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE)
    .setTimeAfterCreate("P90D");
KeyRotationLifetimeAction notifyLifetimeAction = new KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY)
    .setTimeBeforeExpiry("P45D");

lifetimeActions.add(rotateLifetimeAction);
lifetimeActions.add(notifyLifetimeAction);

KeyRotationPolicy keyRotationPolicy = new KeyRotationPolicy()
    .setLifetimeActions(lifetimeActions)
    .setExpiresIn("P6M");

KeyRotationPolicy updatedPolicy =
    keyClient.updateKeyRotationPolicy("keyName", keyRotationPolicy);

System.out.printf("Updated key rotation policy with id: %s%n", updatedPolicy.getId());
      Parameters:
      keyName - The name of the key.
      keyRotationPolicy - The KeyRotationPolicy for the kekeyy.
      Returns:
      The KeyRotationPolicy for the key.
      Throws:
      IllegalArgumentException - If name is null or empty.
      com.azure.core.exception.ResourceNotFoundException - If the key for the provided name does not exist.

    • updateKeyRotationPolicyWithResponse

      public com.azure.core.http.rest.Response<KeyRotationPolicy> updateKeyRotationPolicyWithResponse(String keyName, KeyRotationPolicy keyRotationPolicy, com.azure.core.util.Context context)
      Updates the KeyRotationPolicy of the key with the provided name. This operation requires the keys/update permission.

      Code Samples

      Updates the rotation policy of a given key. Prints out the HTTP Response and rotation policy key details.

      List<KeyRotationLifetimeAction> myLifetimeActions = new ArrayList<>();
KeyRotationLifetimeAction myRotateLifetimeAction = new KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE)
    .setTimeAfterCreate("P90D");
KeyRotationLifetimeAction myNotifyLifetimeAction = new KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY)
    .setTimeBeforeExpiry("P45D");

myLifetimeActions.add(myRotateLifetimeAction);
myLifetimeActions.add(myNotifyLifetimeAction);

KeyRotationPolicy myKeyRotationPolicy = new KeyRotationPolicy()
    .setLifetimeActions(myLifetimeActions)
    .setExpiresIn("P6M");

Response<KeyRotationPolicy> keyRotationPolicyResponse = keyClient.updateKeyRotationPolicyWithResponse(
    "keyName", myKeyRotationPolicy, new Context("key1", "value1"));

System.out.printf("Response received successfully with status code: %d. Updated key rotation policy"
    + "with id: %s%n", keyRotationPolicyResponse.getStatusCode(), keyRotationPolicyResponse.getValue().getId());
      Parameters:
      keyName - The name of the key.
      keyRotationPolicy - The KeyRotationPolicy for the key.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A HTTP response for this operation containing the KeyRotationPolicy for the key.
      Throws:
      IllegalArgumentException - If name is null or empty.
      com.azure.core.exception.ResourceNotFoundException - If the key for the provided name does not exist.

    • getKeyAttestation

      public KeyVaultKey getKeyAttestation(String name)
      Gets the public part of the latest version of the specified key, including its key attestation information. The get key operation is applicable to all key types and it requires the keys/get permission.

      Code Samples

      Gets the latest version of the key in the key vault, including its attestation information. Prints out the details of the retrieved key.

      KeyVaultKey keyVaultKey = keyClient.getKeyAttestation("keyName");

System.out.printf("Retrieved key with name: %s and: id %s%n", keyVaultKey.getName(),
    keyVaultKey.getId());

KeyAttestation keyAttestationInfo = keyVaultKey.getProperties().getKeyAttestation();

System.out.printf("Attestation information details: %n"
        + "Certificate PEM file: %s%n"
        + "Private key attestation: %s%n"
        + "Public key attestation: %s%n"
        + "Version: %s",
    Base64Url.encode(keyAttestationInfo.getCertificatePemFile()),
    Base64Url.encode(keyAttestationInfo.getPrivateKeyAttestation()),
    Base64Url.encode(keyAttestationInfo.getPublicKeyAttestation()),
    keyAttestationInfo.getVersion());
      Parameters:
      name - The name of the key, cannot be null.
      Returns:
      The requested key. The content of the key is null if both name and version are null or empty.
      Throws:
      com.azure.core.exception.HttpResponseException - If a valid name and a non-null/empty version is specified.
      com.azure.core.exception.ResourceNotFoundException - When a key with the provided name doesn't exist in the key vault or an empty/null name and a non-null/empty version is provided.

    • getKeyAttestationWithResponse

      public com.azure.core.http.rest.Response<KeyVaultKey> getKeyAttestationWithResponse(String name, String version, com.azure.core.util.Context context)
      Gets the public part of the specified key and key version, including its key attestation information. The get key operation is applicable to all key types and it requires the keys/get permission.

      Code Samples

      Gets a specific version of the key in the key vault, including its attestation information. Prints out the details of the retrieved key.

      String keyVersion = "<key-version>";
Response<KeyVaultKey> getKeyResponse =
    keyClient.getKeyAttestationWithResponse("keyName", keyVersion, new Context("key1", "value1"));
KeyVaultKey keyVaultKey = getKeyResponse.getValue();

System.out.printf("Retrieved key with name: %s and: id %s%n", keyVaultKey.getName(), keyVaultKey.getId());

KeyAttestation keyAttestationInfo = keyVaultKey.getProperties().getKeyAttestation();

System.out.printf("Attestation information details: %n"
        + "Certificate PEM file: %s%n"
        + "Private key attestation: %s%n"
        + "Public key attestation: %s%n"
        + "Version: %s",
    Base64Url.encode(keyAttestationInfo.getCertificatePemFile()),
    Base64Url.encode(keyAttestationInfo.getPrivateKeyAttestation()),
    Base64Url.encode(keyAttestationInfo.getPublicKeyAttestation()),
    keyAttestationInfo.getVersion());
      Parameters:
      name - The name of the key, cannot be null.
      version - The version of the key to retrieve. If this is an empty string or null, this call is equivalent to calling getKey(String), with the latest version being retrieved.
      context - Additional Context that is passed through the HttpPipeline during the service call.
      Returns:
      A Response whose value contains the requested key. The content of the key is null if both name and version are null or empty.
      Throws:
      com.azure.core.exception.HttpResponseException - If a valid name and a non-null/empty version is specified.
      com.azure.core.exception.ResourceNotFoundException - When a key with the provided name doesn't exist in the key vault or an empty/null name and a non-null/empty version is provided.