Package com.azure.security.keyvault.keys
Azure Key Vault Keys is the key-management part of Azure Key Vault, a cloud-based Microsoft Azure service for managing cryptographic keys, secrets, and certificates. It allows users to securely store and manage the cryptographic keys used to encrypt and decrypt data.
Azure Key Vault Keys provides a centralized and highly secure key management solution, allowing you to protect your keys and control access to them. Because the key material stays in the vault, there is no need to store keys in code or configuration files, which reduces the risk of exposure and unauthorized access.
With Azure Key Vault Keys, you can perform various operations on cryptographic keys, such as creating keys, importing existing keys, generating key pairs, encrypting data using keys, and decrypting data using keys. The service supports various key types and algorithms, including symmetric keys, asymmetric keys, and Elliptic Curve Cryptography (ECC) keys.
The Azure Key Vault Keys client library allows developers to interact with the Azure Key Vault service from their applications. The library provides a set of APIs that enable developers to securely create keys, import existing keys, delete keys, retrieve key metadata, encrypt and decrypt data using keys, and sign and verify signatures using keys.
Key Concepts:
What is a Key Client?
The key client performs the interactions with the Azure Key Vault service for getting, setting, updating, deleting, and listing keys and their versions. Asynchronous (`KeyAsyncClient`) and synchronous (`KeyClient`) clients exist in the SDK, allowing you to select a client based on your application's use case. Once you have initialized a key client, you can interact with the primary resource types in Key Vault.
What is an Azure Key Vault Key?
Azure Key Vault supports multiple key types (RSA and EC) and algorithms, and enables the use of Hardware Security Modules (HSM) for high value keys. In addition to the key material, the following attributes may be specified:
- enabled: Specifies whether the key is enabled and usable for cryptographic operations.
- notBefore: Identifies the time before which the key must not be used for cryptographic operations.
- expires: Identifies the expiration time on or after which the key MUST NOT be used for cryptographic operations.
- created: Indicates when this version of the key was created.
- updated: Indicates when this version of the key was updated.
Getting Started
In order to interact with the Azure Key Vault service, you will need to create an instance of the KeyClient class, a vault URL and a credential object.
The examples shown in this document use a credential object named DefaultAzureCredential for authentication, which is appropriate for most scenarios, including local development and production environments. Additionally, we recommend using a managed identity for authentication in production environments. You can find more information on different ways of authenticating and their corresponding credential types in the Azure Identity documentation.
Sample: Construct Synchronous Key Client
The following code sample demonstrates the creation of a KeyClient, using the KeyClientBuilder to configure it.
```java
KeyClient keyClient = new KeyClientBuilder()
    .vaultUrl("<your-key-vault-url>")
    .credential(new DefaultAzureCredentialBuilder().build())
    .buildClient();
```
Sample: Construct Asynchronous Key Client
The following code sample demonstrates the creation of a KeyAsyncClient, using the KeyClientBuilder to configure it.
```java
KeyAsyncClient keyAsyncClient = new KeyClientBuilder()
    .vaultUrl("<your-key-vault-url>")
    .credential(new DefaultAzureCredentialBuilder().build())
    .buildAsyncClient();
```
Create a Cryptographic Key
The KeyClient or KeyAsyncClient can be used to create a key in the key vault.
Synchronous Code Sample:
The following code sample demonstrates how to synchronously create a cryptographic key in the key vault, using the KeyClient.createKey(java.lang.String, com.azure.security.keyvault.keys.models.KeyType) API.
```java
KeyVaultKey key = keyClient.createKey("keyName", KeyType.EC);
System.out.printf("Created key with name: %s and id: %s%n", key.getName(), key.getId());
```
Note: For the asynchronous sample, refer to KeyAsyncClient.
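The createKey sample above accepts the service defaults for every key attribute. The following added example (written for this page, not a sample from the SDK or its documentation) creates an RSA key with the attributes listed under "What is an Azure Key Vault Key?" set explicitly, restricts the key to the operations the workload needs, and reads the resulting attributes back. The vault URL is assumed to come from an AZURE_KEYVAULT_URL environment variable and the key name is hypothetical; CreateRsaKeyOptions, KeyOperation and KeyProperties are types from the com.azure.security.keyvault.keys.models package.

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.keys.KeyClient;
import com.azure.security.keyvault.keys.KeyClientBuilder;
import com.azure.security.keyvault.keys.models.CreateRsaKeyOptions;
import com.azure.security.keyvault.keys.models.KeyOperation;
import com.azure.security.keyvault.keys.models.KeyProperties;
import com.azure.security.keyvault.keys.models.KeyVaultKey;

import java.time.OffsetDateTime;

public class CreateKeyWithAttributes {
    public static void main(String[] args) {
        // Assumption: the vault URL is supplied by the environment, not hard-coded.
        String vaultUrl = System.getenv("AZURE_KEYVAULT_URL");
        KeyClient keyClient = new KeyClientBuilder()
            .vaultUrl(vaultUrl)
            .credential(new DefaultAzureCredentialBuilder().build())
            .buildClient();

        OffsetDateTime now = OffsetDateTime.now();

        // Hypothetical key name. Each setter corresponds to one attribute from the
        // list above: enabled, notBefore and expires are chosen by the caller,
        // created and updated are maintained by the service.
        CreateRsaKeyOptions options = new CreateRsaKeyOptions("signing-key-example")
            .setKeySize(3072)
            .setNotBefore(now)                    // notBefore: usable from now on
            .setExpiresOn(now.plusDays(365))      // expires: forces rotation within a year
            .setEnabled(true)                     // enabled: usable for cryptographic operations
            .setKeyOperations(KeyOperation.SIGN,  // least privilege: this key only signs
                              KeyOperation.VERIFY);

        KeyVaultKey key = keyClient.createRsaKey(options);
        KeyProperties props = key.getProperties();

        System.out.printf("Created %s (version %s)%n", key.getName(), props.getVersion());
        System.out.printf("  enabled=%s notBefore=%s expires=%s%n",
            props.isEnabled(), props.getNotBefore(), props.getExpiresOn());
        System.out.printf("  created=%s updated=%s%n",
            props.getCreatedOn(), props.getUpdatedOn());
        System.out.printf("  allowed operations: %s%n", key.getKeyOperations());
    }
}
```

Setting expires at creation time gives the vault a hard stop even if the rotation process is forgotten, and listing only the needed key operations means a caller that has been granted access to the key still cannot use it to decrypt or unwrap data.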
Get a Cryptographic Key
The KeyClient or KeyAsyncClient can be used to retrieve a key from the key vault.
Synchronous Code Sample:
The following code sample demonstrates how to synchronously retrieve a key from the key vault, using the KeyClient.getKey(java.lang.String) API.
```java
KeyVaultKey keyWithVersionValue = keyClient.getKey("keyName");
System.out.printf("Retrieved key with name: %s and id: %s%n", keyWithVersionValue.getName(), keyWithVersionValue.getId());
```
Note: For the asynchronous sample, refer to KeyAsyncClient.
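Retrieving a key returns its attributes along with the public key material, which makes it possible to audit a vault's keys before relying on them. The following added example (not a sample from the SDK or its documentation) retrieves the latest version of a key, evaluates the enabled, notBefore and expires attributes against the current time, enumerates every version of the key as described under "What is a Key Client?", and finally pins one specific version by its identifier. The vault URL is assumed to come from an AZURE_KEYVAULT_URL environment variable and the key name is hypothetical.

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.keys.KeyClient;
import com.azure.security.keyvault.keys.KeyClientBuilder;
import com.azure.security.keyvault.keys.models.KeyProperties;
import com.azure.security.keyvault.keys.models.KeyVaultKey;

import java.time.OffsetDateTime;

public class InspectKeyVersions {
    // Mirrors the attribute rules from the page: the key must be enabled, the
    // current time must not be before notBefore, and must be before expires.
    // A null notBefore or expires means that bound is not set.
    static boolean isUsableAt(KeyProperties props, OffsetDateTime at) {
        if (!Boolean.TRUE.equals(props.isEnabled())) {
            return false;
        }
        if (props.getNotBefore() != null && at.isBefore(props.getNotBefore())) {
            return false;
        }
        return props.getExpiresOn() == null || at.isBefore(props.getExpiresOn());
    }

    public static void main(String[] args) {
        // Assumption: the vault URL is supplied by the environment, not hard-coded.
        KeyClient keyClient = new KeyClientBuilder()
            .vaultUrl(System.getenv("AZURE_KEYVAULT_URL"))
            .credential(new DefaultAzureCredentialBuilder().build())
            .buildClient();

        String keyName = "signing-key-example"; // hypothetical key name
        OffsetDateTime now = OffsetDateTime.now();

        // getKey without a version argument returns the latest version.
        KeyVaultKey latest = keyClient.getKey(keyName);
        KeyProperties latestProps = latest.getProperties();
        System.out.printf("Latest version %s usable now: %s%n",
            latestProps.getVersion(), isUsableAt(latestProps, now));

        // Walk every version: old versions that are still enabled and unexpired
        // are candidates for disabling once no consumer depends on them.
        for (KeyProperties version : keyClient.listPropertiesOfKeyVersions(keyName)) {
            System.out.printf("  version=%s enabled=%s created=%s expires=%s usable=%s%n",
                version.getVersion(), version.isEnabled(), version.getCreatedOn(),
                version.getExpiresOn(), isUsableAt(version, now));
        }

        // A consumer that must keep verifying signatures made with a particular
        // version pins it explicitly instead of following "latest".
        KeyVaultKey pinned = keyClient.getKey(keyName, latestProps.getVersion());
        System.out.printf("Pinned key id: %s%n", pinned.getId());
    }
}
```

The service itself refuses cryptographic operations on a key whose attributes do not permit them; the client-side evaluation here is for reporting and for explaining a failed operation, not a substitute for that enforcement.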
Delete a Cryptographic Key
The KeyClient or KeyAsyncClient can be used to delete a key from the key vault.
Synchronous Code Sample:
The following code sample demonstrates how to synchronously delete a key from the key vault, using the KeyClient.beginDeleteKey(java.lang.String) API.
```java
SyncPoller<DeletedKey, Void> deleteKeyPoller = keyClient.beginDeleteKey("keyName");
PollResponse<DeletedKey> deleteKeyPollResponse = deleteKeyPoller.poll();

// Deleted date only works for SoftDelete Enabled Key Vault.
DeletedKey deletedKey = deleteKeyPollResponse.getValue();
System.out.printf("Key delete date: %s%n", deletedKey.getDeletedOn());
System.out.printf("Deleted key's recovery id: %s%n", deletedKey.getRecoveryId());

// Key is being deleted on the server.
deleteKeyPoller.waitForCompletion();
// Key is deleted
```
Note: For the asynchronous sample, refer to KeyAsyncClient.
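The delete sample above prints a recovery id, which only exists because soft delete keeps the key in a recoverable state rather than destroying it. The following added example (not a sample from the SDK or its documentation) walks the full soft-delete lifecycle on a vault with soft delete enabled: start the deletion and wait for it to complete, inspect the key while it is in the deleted state, and then recover it. The vault URL is assumed to come from an AZURE_KEYVAULT_URL environment variable and the key name is hypothetical; getDeletedKey, beginRecoverDeletedKey and purgeDeletedKey are KeyClient methods.

```java
import com.azure.core.util.polling.SyncPoller;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.keys.KeyClient;
import com.azure.security.keyvault.keys.KeyClientBuilder;
import com.azure.security.keyvault.keys.models.DeletedKey;
import com.azure.security.keyvault.keys.models.KeyVaultKey;

public class SoftDeleteLifecycle {
    public static void main(String[] args) {
        // Assumption: the vault URL is supplied by the environment, not hard-coded.
        KeyClient keyClient = new KeyClientBuilder()
            .vaultUrl(System.getenv("AZURE_KEYVAULT_URL"))
            .credential(new DefaultAzureCredentialBuilder().build())
            .buildClient();

        String keyName = "signing-key-example"; // hypothetical key name

        // Step 1: delete. waitForCompletion blocks until the key is in the
        // soft-deleted state; its result carries the DeletedKey metadata.
        SyncPoller<DeletedKey, Void> deletePoller = keyClient.beginDeleteKey(keyName);
        DeletedKey deleted = deletePoller.waitForCompletion().getValue();
        System.out.printf("Deleted on %s, scheduled purge %s%n",
            deleted.getDeletedOn(), deleted.getScheduledPurgeDate());
        System.out.printf("Recovery id: %s%n", deleted.getRecoveryId());

        // Step 2: while soft-deleted the key is gone from normal listings but can
        // still be read through the deleted-key API, which is what an incident
        // responder checks first when a key disappears unexpectedly.
        DeletedKey stillRecoverable = keyClient.getDeletedKey(keyName);
        System.out.printf("Soft-deleted key id: %s%n", stillRecoverable.getId());

        // Step 3: recover. This undoes a mistaken or malicious deletion as long as
        // the key has not been purged and the retention period has not elapsed.
        SyncPoller<KeyVaultKey, Void> recoverPoller = keyClient.beginRecoverDeletedKey(keyName);
        KeyVaultKey recovered = recoverPoller.waitForCompletion().getValue();
        System.out.printf("Recovered %s, enabled=%s%n",
            recovered.getName(), recovered.getProperties().isEnabled());

        // Permanent removal is a separate, explicit operation and cannot be undone,
        // so it is deliberately left commented out here:
        // keyClient.purgeDeletedKey(keyName);
    }
}
```

Keeping delete and purge as two distinct steps, with purge requiring its own permission, is what turns an accidental or unauthorized deletion into a recoverable event rather than a loss of every ciphertext protected by the key.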
Classes in this package:
- KeyAsyncClient: provides asynchronous methods to manage keys in the Azure Key Vault.
- KeyClientBuilder: provides a fluent builder API to help aid the configuration and instantiation of the asynchronous client (KeyAsyncClient) and the synchronous client (KeyClient), by calling buildAsyncClient and buildClient respectively.
- KeyServiceVersion: the versions of Azure Key Vault Key supported by this client library.