KeyClient Class

  • java.lang.Object
    • com.azure.security.keyvault.keys.KeyClient

public final class KeyClient

The KeyClient provides synchronous methods to manage KeyVaultKey in the Azure Key Vault. The client supports creating, retrieving, updating, deleting, purging, backing up, restoring, listing, releasing and rotating the KeyVaultKey. The client also supports listing DeletedKey for a soft-delete enabled Azure Key Vault.

Getting Started

In order to interact with the Azure Key Vault service, you will need to create an instance of the KeyClient class, a vault url and a credential object.

The examples shown in this document use a credential object named DefaultAzureCredential for authentication, which is appropriate for most scenarios, including local development and production environments. Additionally, we recommend using a managed identity for authentication in production environments. You can find more information on different ways of authenticating and their corresponding credential types in the Azure Identity documentation.

Sample: Construct Synchronous Key Client

The following code sample demonstrates the creation of a KeyClient, using the KeyClientBuilder to configure it.

KeyClient keyClient = new KeyClientBuilder()
     .vaultUrl("<your-key-vault-url>")
     .credential(new DefaultAzureCredentialBuilder().build())
     .buildClient();

Create a Cryptographic Key

The KeyClient can be used to create a key in the key vault.

Code Sample:

The following code sample demonstrates how to synchronously create a cryptographic key in the key vault, using the createKey(String name, KeyType keyType) API.

KeyVaultKey key = keyClient.createKey("keyName", KeyType.EC);
 System.out.printf("Created key with name: %s and id: %s%n", key.getName(), key.getId());

Note: For the asynchronous sample, refer to KeyAsyncClient.


Get a Cryptographic Key

The KeyClient can be used to retrieve a key from the key vault.

Code Sample:

The following code sample demonstrates how to synchronously retrieve a key from the key vault, using the getKey(String name) API.

KeyVaultKey keyWithVersionValue = keyClient.getKey("keyName");

 System.out.printf("Retrieved key with name: %s and: id %s%n", keyWithVersionValue.getName(),
     keyWithVersionValue.getId());

Note: For the asynchronous sample, refer to KeyAsyncClient.


Delete a Cryptographic Key

The KeyClient can be used to delete a key from the key vault.

Code Sample:

The following code sample demonstrates how to synchronously delete a key from the key vault, using the beginDeleteKey(String name) API.

SyncPoller<DeletedKey, Void> deleteKeyPoller = keyClient.beginDeleteKey("keyName");
 PollResponse<DeletedKey> deleteKeyPollResponse = deleteKeyPoller.poll();

 // Deleted date only works for SoftDelete Enabled Key Vault.
 DeletedKey deletedKey = deleteKeyPollResponse.getValue();

 System.out.printf("Key delete date: %s%n", deletedKey.getDeletedOn());
 System.out.printf("Deleted key's recovery id: %s%n", deletedKey.getRecoveryId());

 // Key is being deleted on the server.
 deleteKeyPoller.waitForCompletion();
 // Key is deleted

Note: For the asynchronous sample, refer to KeyAsyncClient.

Method Summary

Modifier and Type Method and Description
byte[] backupKey(String name)

Requests a backup of the specified KeyVaultKey be downloaded to the client.

Response<byte[]> backupKeyWithResponse(String name, Context context)

Requests a backup of the specified KeyVaultKey be downloaded to the client.

SyncPoller<DeletedKey,Void> beginDeleteKey(String name)

Deletes a KeyVaultKey of any type from the key vault.

SyncPoller<KeyVaultKey,Void> beginRecoverDeletedKey(String name)

Recovers the KeyVaultKey in the key vault to its latest version and can only be performed on a soft-delete enabled vault.

KeyVaultKey createEcKey(CreateEcKeyOptions createEcKeyOptions)

Creates a new KeyVaultKey and stores it in the key vault.

Response<KeyVaultKey> createEcKeyWithResponse(CreateEcKeyOptions createEcKeyOptions, Context context)

Creates a new KeyVaultKey and stores it in the key vault.

KeyVaultKey createKey(CreateKeyOptions createKeyOptions)

Creates a new KeyVaultKey and stores it in the key vault.

KeyVaultKey createKey(String name, KeyType keyType)

Creates a new KeyVaultKey and stores it in the key vault.

Response<KeyVaultKey> createKeyWithResponse(CreateKeyOptions createKeyOptions, Context context)

Creates a new KeyVaultKey and stores it in the key vault.

KeyVaultKey createOctKey(CreateOctKeyOptions createOctKeyOptions)

Creates and stores a new KeyVaultKey in the key vault.

Response<KeyVaultKey> createOctKeyWithResponse(CreateOctKeyOptions createOctKeyOptions, Context context)

Creates and stores a new KeyVaultKey in the key vault.

KeyVaultKey createRsaKey(CreateRsaKeyOptions createRsaKeyOptions)

Creates a new KeyVaultKey and stores it in the key vault.

Response<KeyVaultKey> createRsaKeyWithResponse(CreateRsaKeyOptions createRsaKeyOptions, Context context)

Creates a new KeyVaultKey and stores it in the key vault.

CryptographyClient getCryptographyClient(String keyName)

Creates a CryptographyClient for the latest version of a given key.

CryptographyClient getCryptographyClient(String keyName, String keyVersion)

Creates a CryptographyClient for a given key version.

DeletedKey getDeletedKey(String name)

Gets the public part of a KeyVaultKey.

Response<DeletedKey> getDeletedKeyWithResponse(String name, Context context)

Gets the public part of a KeyVaultKey.

KeyVaultKey getKey(String name)

Gets the public part of the specified KeyVaultKey and key version.

KeyVaultKey getKey(String name, String version)

Gets the public part of the specified KeyVaultKey and key version.

KeyRotationPolicy getKeyRotationPolicy(String keyName)

Gets the KeyRotationPolicy for the KeyVaultKey with the provided name.

Response<KeyRotationPolicy> getKeyRotationPolicyWithResponse(String keyName, Context context)

Gets the KeyRotationPolicy for the KeyVaultKey with the provided name.

Response<KeyVaultKey> getKeyWithResponse(String name, String version, Context context)

Gets the public part of the specified KeyVaultKey and key version.

byte[] getRandomBytes(int count)

Get the requested number of bytes containing random values from a managed HSM.

Response<byte[]> getRandomBytesWithResponse(int count, Context context)

Get the requested number of bytes containing random values from a managed HSM.

String getVaultUrl()

Get the vault endpoint url to which service requests are sent.

KeyVaultKey importKey(ImportKeyOptions importKeyOptions)

Imports an externally created JsonWebKey and stores it in the key vault.

KeyVaultKey importKey(String name, JsonWebKey keyMaterial)

Imports an externally created JsonWebKey and stores it in the key vault.

Response<KeyVaultKey> importKeyWithResponse(ImportKeyOptions importKeyOptions, Context context)

Imports an externally created JsonWebKey and stores it in the key vault.

PagedIterable<DeletedKey> listDeletedKeys()

Lists DeletedKey of the key vault.

PagedIterable<DeletedKey> listDeletedKeys(Context context)

Lists DeletedKey of the key vault.

PagedIterable<KeyProperties> listPropertiesOfKeyVersions(String name)

List all versions of the specified KeyVaultKey.

PagedIterable<KeyProperties> listPropertiesOfKeyVersions(String name, Context context)

List all versions of the specified KeyVaultKey.

PagedIterable<KeyProperties> listPropertiesOfKeys()

List KeyVaultKey in the key vault.

PagedIterable<KeyProperties> listPropertiesOfKeys(Context context)

List KeyVaultKey in the key vault.

void purgeDeletedKey(String name)

Permanently deletes the specified KeyVaultKey without the possibility of recovery.

Response<Void> purgeDeletedKeyWithResponse(String name, Context context)

Permanently deletes the specified KeyVaultKey without the possibility of recovery.

ReleaseKeyResult releaseKey(String name, String targetAttestationToken)

Releases the latest version of a KeyVaultKey.

ReleaseKeyResult releaseKey(String name, String version, String targetAttestationToken)

Releases a specific version of a KeyVaultKey.

Response<ReleaseKeyResult> releaseKeyWithResponse(String name, String version, String targetAttestationToken, ReleaseKeyOptions releaseKeyOptions, Context context)

Releases a KeyVaultKey.

KeyVaultKey restoreKeyBackup(byte[] backup)

Restores a backed up KeyVaultKey to a vault.

Response<KeyVaultKey> restoreKeyBackupWithResponse(byte[] backup, Context context)

Restores a backed up KeyVaultKey to a vault.

KeyVaultKey rotateKey(String name)

Rotates a KeyVaultKey.

Response<KeyVaultKey> rotateKeyWithResponse(String name, Context context)

Rotates a KeyVaultKey.

KeyVaultKey updateKeyProperties(KeyProperties keyProperties, KeyOperation[] keyOperations)

Updates the KeyProperties and KeyOperation associated with the specified KeyVaultKey, but not the cryptographic key material of the specified KeyVaultKey in the key vault.

Response<KeyVaultKey> updateKeyPropertiesWithResponse(KeyProperties keyProperties, Context context, KeyOperation[] keyOperations)

Updates the KeyProperties and KeyOperation associated with the specified KeyVaultKey, but not the cryptographic key material of the specified KeyVaultKey in the key vault.

KeyRotationPolicy updateKeyRotationPolicy(String keyName, KeyRotationPolicy keyRotationPolicy)

Updates the KeyRotationPolicy of the KeyVaultKey with the provided name.

Response<KeyRotationPolicy> updateKeyRotationPolicyWithResponse(String keyName, KeyRotationPolicy keyRotationPolicy, Context context)

Updates the KeyRotationPolicy of the key with the provided name.

Method Details

backupKey

public byte[] backupKey(String name)

Requests a backup of the specified KeyVaultKey be downloaded to the client. The key backup operation exports a KeyVaultKey from Azure Key Vault in a protected form. Note that this operation does not return key material in a form that can be used outside the Azure Key Vault system; the returned key material is either protected to an Azure Key Vault HSM or to Azure Key Vault itself. The intent of this operation is to allow a client to generate a KeyVaultKey in one Azure Key Vault instance, back up the KeyVaultKey, and then restore it into another Azure Key Vault instance. The backup operation may be used to export, in protected form, any KeyType from Azure Key Vault. Individual versions of a KeyVaultKey cannot be backed up. Backup/Restore can be performed within geographical boundaries only, meaning that a backup from one geographical area cannot be restored to another geographical area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This operation requires the keys/backup permission.

Code Samples

Backs up the KeyVaultKey from the key vault.

byte[] keyBackup = keyClient.backupKey("keyName");

 System.out.printf("Key backup byte array length: %s%n", keyBackup.length);

Parameters:

name - The name of the KeyVaultKey.

Returns:

The backed up key blob.

backupKeyWithResponse

public Response<byte[]> backupKeyWithResponse(String name, Context context)

Requests a backup of the specified KeyVaultKey be downloaded to the client. The key backup operation exports a KeyVaultKey from Azure Key Vault in a protected form. Note that this operation does not return key material in a form that can be used outside the Azure Key Vault system; the returned key material is either protected to an Azure Key Vault HSM or to Azure Key Vault itself. The intent of this operation is to allow a client to generate a KeyVaultKey in one Azure Key Vault instance, back up the KeyVaultKey, and then restore it into another Azure Key Vault instance. The backup operation may be used to export, in protected form, any KeyType from Azure Key Vault. Individual versions of a KeyVaultKey cannot be backed up. Backup/Restore can be performed within geographical boundaries only, meaning that a backup from one geographical area cannot be restored to another geographical area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This operation requires the keys/backup permission.

Code Samples

Backs up the KeyVaultKey from the key vault and prints out the length of the key's backup byte array returned in the Response<T>.

Response<byte[]> backupKeyResponse = keyClient.backupKeyWithResponse("keyName", new Context("key1", "value1"));

 System.out.printf("Key backup byte array length: %s%n", backupKeyResponse.getValue().length);

Parameters:

name - The name of the KeyVaultKey.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

A Response<T> whose value contains the backed up key blob.

beginDeleteKey

public SyncPoller<DeletedKey,Void> beginDeleteKey(String name)

Deletes a KeyVaultKey of any type from the key vault. If soft-delete is enabled on the key vault, the KeyVaultKey is placed in the deleted state and must be purged for permanent deletion; otherwise the KeyVaultKey is permanently deleted. The delete operation applies to any KeyVaultKey stored in Azure Key Vault, but it cannot be applied to an individual version of a KeyVaultKey. This operation removes the cryptographic material associated with the KeyVaultKey, which means the KeyVaultKey is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations. This operation requires the keys/delete permission.

Code Samples

Deletes the KeyVaultKey from the key vault. Prints out the recovery id of the KeyVaultKey.

SyncPoller<DeletedKey, Void> deleteKeyPoller = keyClient.beginDeleteKey("keyName");
 PollResponse<DeletedKey> deleteKeyPollResponse = deleteKeyPoller.poll();

 // Deleted date only works for SoftDelete Enabled Key Vault.
 DeletedKey deletedKey = deleteKeyPollResponse.getValue();

 System.out.printf("Key delete date: %s%n", deletedKey.getDeletedOn());
 System.out.printf("Deleted key's recovery id: %s%n", deletedKey.getRecoveryId());

 // Key is being deleted on the server.
 deleteKeyPoller.waitForCompletion();
 // Key is deleted

Parameters:

name - The name of the KeyVaultKey to be deleted.

Returns:

A SyncPoller<T,U> to poll on and retrieve DeletedKey

beginRecoverDeletedKey

public SyncPoller<KeyVaultKey,Void> beginRecoverDeletedKey(String name)

Recovers the KeyVaultKey in the key vault to its latest version and can only be performed on a soft-delete enabled vault. An attempt to recover a KeyVaultKey that has not been deleted will return an error. Consider this the inverse of the delete operation on soft-delete enabled vaults. This operation requires the keys/recover permission.

Code Samples

Recovers the KeyVaultKey from the key vault enabled for soft-delete.

SyncPoller<KeyVaultKey, Void> recoverKeyPoller = keyClient.beginRecoverDeletedKey("deletedKeyName");

 PollResponse<KeyVaultKey> recoverKeyPollResponse = recoverKeyPoller.poll();

 KeyVaultKey recoveredKey = recoverKeyPollResponse.getValue();
 System.out.printf("Recovered key name: %s%n", recoveredKey.getName());
 System.out.printf("Recovered key id: %s%n", recoveredKey.getId());

 // Key is being recovered on the server.
 recoverKeyPoller.waitForCompletion();
 // Key is recovered

Parameters:

name - The name of the KeyVaultKey to be recovered.

Returns:

A SyncPoller<T,U> to poll on and retrieve KeyVaultKey.

createEcKey

public KeyVaultKey createEcKey(CreateEcKeyOptions createEcKeyOptions)

Creates a new KeyVaultKey and stores it in the key vault. The create EC key operation can be used to create any EC KeyType in Azure Key Vault. If a KeyVaultKey with the provided name already exists, Azure Key Vault creates a new version of the KeyVaultKey. It requires the keys/create permission.

The CreateEcKeyOptions parameter is required. The getCurveName() can be optionally specified. If not specified, the default value P_256 is used by Azure Key Vault. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

The keyType indicates the type of KeyVaultKey key to create. Possible values include: EC and EC_HSM.

Code Samples

Creates a new KeyVaultKey with a P_384 web key curve. The key activates in one day and expires in one year. Prints out the details of the KeyVaultKey.

CreateEcKeyOptions createEcKeyOptions = new CreateEcKeyOptions("keyName")
     .setCurveName(KeyCurveName.P_384)
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 KeyVaultKey ecKey = keyClient.createEcKey(createEcKeyOptions);

 System.out.printf("Created key with name: %s and id: %s%n", ecKey.getName(), ecKey.getId());

Parameters:

createEcKeyOptions - The CreateEcKeyOptions containing information about the KeyVaultKey being created.

Returns:

createEcKeyWithResponse

public Response<KeyVaultKey> createEcKeyWithResponse(CreateEcKeyOptions createEcKeyOptions, Context context)

Creates a new KeyVaultKey and stores it in the key vault. The create EC key operation can be used to create any EC KeyType in Azure Key Vault. If a KeyVaultKey with the provided name already exists, Azure Key Vault creates a new version of the KeyVaultKey. It requires the keys/create permission.

The CreateEcKeyOptions parameter is required. The getCurveName() can be optionally specified. If not specified, the default value P_256 is used by Azure Key Vault. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

The keyType indicates the type of KeyVaultKey key to create. Possible values include: EC and EC_HSM.

Code Samples

Creates a new KeyVaultKey with a P_384 web key curve. The key activates in one day and expires in one year. Prints out the details of the KeyVaultKey.

CreateEcKeyOptions createEcKeyOptions = new CreateEcKeyOptions("keyName")
     .setCurveName(KeyCurveName.P_384)
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 Response<KeyVaultKey> createEcKeyResponse =
     keyClient.createEcKeyWithResponse(createEcKeyOptions, new Context("key1", "value1"));

 System.out.printf("Created key with name: %s and: id %s%n", createEcKeyResponse.getValue().getName(),
     createEcKeyResponse.getValue().getId());

Parameters:

createEcKeyOptions - The CreateEcKeyOptions containing information about the KeyVaultKey being created.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

A Response<T> whose value contains the KeyVaultKey.

createKey

public KeyVaultKey createKey(CreateKeyOptions createKeyOptions)

Creates a new KeyVaultKey and stores it in the key vault. The create key operation can be used to create any KeyType in Azure Key Vault. If a KeyVaultKey with the provided name already exists, Azure Key Vault creates a new version of the KeyVaultKey. It requires the keys/create permission.

The CreateKeyOptions parameter is required. The getExpiresOn() and getNotBefore() values are optional. The isEnabled() field is set to true by Azure Key Vault, if not specified.

The getKeyType() indicates the type of KeyVaultKey to create. Possible values include: EC, EC_HSM, RSA, RSA_HSM, OCT, and OCT_HSM.

Code Samples

Creates a new KeyVaultKey which activates in one day and expires in one year. Prints out the details of the KeyVaultKey.

CreateKeyOptions createKeyOptions = new CreateKeyOptions("keyName", KeyType.RSA)
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 KeyVaultKey optionsKey = keyClient.createKey(createKeyOptions);

 System.out.printf("Created key with name: %s and id: %s%n", optionsKey.getName(), optionsKey.getId());

Parameters:

createKeyOptions - The CreateKeyOptions containing information about the KeyVaultKey being created.

Returns:

createKey

public KeyVaultKey createKey(String name, KeyType keyType)

Creates a new KeyVaultKey and stores it in the key vault. The create key operation can be used to create any KeyType in Azure Key Vault. If a KeyVaultKey with the provided name already exists, Azure Key Vault creates a new version of the KeyVaultKey. It requires the keys/create permission.

The KeyType indicates the type of KeyVaultKey to create. Possible values include: EC, EC_HSM, RSA, RSA_HSM, OCT, and OCT_HSM.

Code Samples

Creates a new KeyVaultKey. Prints out the details of the KeyVaultKey.

KeyVaultKey key = keyClient.createKey("keyName", KeyType.EC);
 System.out.printf("Created key with name: %s and id: %s%n", key.getName(), key.getId());

Parameters:

name - The name of the KeyVaultKey being created.
keyType - The type of KeyVaultKey to create. For valid values, see KeyType.

Returns:

createKeyWithResponse

public Response<KeyVaultKey> createKeyWithResponse(CreateKeyOptions createKeyOptions, Context context)

Creates a new KeyVaultKey and stores it in the key vault. The create key operation can be used to create any KeyType in Azure Key Vault. If a KeyVaultKey with the provided name already exists, Azure Key Vault creates a new version of the KeyVaultKey. It requires the keys/create permission.

The CreateKeyOptions parameter is required. The getExpiresOn() and getNotBefore() values are optional. The isEnabled() field is set to true by Azure Key Vault, if not specified.

The getKeyType() indicates the type of KeyVaultKey to create. Possible values include: EC, EC_HSM, RSA, RSA_HSM, OCT, and OCT_HSM.

Code Samples

Creates a new KeyVaultKey which activates in one day and expires in one year. Prints out the details of the KeyVaultKey.

CreateKeyOptions createKeyOptions = new CreateKeyOptions("keyName", KeyType.RSA)
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 Response<KeyVaultKey> createKeyResponse =
     keyClient.createKeyWithResponse(createKeyOptions, new Context("key1", "value1"));

 System.out.printf("Created key with name: %s and: id %s%n", createKeyResponse.getValue().getName(),
     createKeyResponse.getValue().getId());

Parameters:

createKeyOptions - The CreateKeyOptions containing information about the KeyVaultKey being created.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

A Response<T> whose value contains the KeyVaultKey.

createOctKey

public KeyVaultKey createOctKey(CreateOctKeyOptions createOctKeyOptions)

Creates and stores a new KeyVaultKey in the key vault. If a KeyVaultKey with the provided name already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/create permission.

The CreateOctKeyOptions parameter is required. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

The keyType indicates the type of KeyVaultKey key to create. Possible values include: OCT and OCT_HSM.

Code Samples

Creates a new KeyVaultKey. The KeyVaultKey activates in one day and expires in one year. Prints out the details of the newly created KeyVaultKey.

CreateOctKeyOptions createOctKeyOptions = new CreateOctKeyOptions("keyName")
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 KeyVaultKey octKey = keyClient.createOctKey(createOctKeyOptions);

 System.out.printf("Created key with name: %s and id: %s%n", octKey.getName(), octKey.getId());

Parameters:

createOctKeyOptions - The CreateOctKeyOptions containing information about the KeyVaultKey being created.

Returns:

createOctKeyWithResponse

public Response<KeyVaultKey> createOctKeyWithResponse(CreateOctKeyOptions createOctKeyOptions, Context context)

Creates and stores a new KeyVaultKey in the key vault. If a KeyVaultKey with the provided name already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/create permission.

The CreateOctKeyOptions parameter is required. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

The keyType indicates the type of KeyVaultKey key to create. Possible values include: OCT and OCT_HSM.

Code Samples

Creates a new KeyVaultKey. The KeyVaultKey activates in one day and expires in one year. Prints out the details of the newly created KeyVaultKey.

CreateOctKeyOptions createOctKeyOptions = new CreateOctKeyOptions("keyName")
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 Response<KeyVaultKey> createOctKeyResponse =
     keyClient.createOctKeyWithResponse(createOctKeyOptions, new Context("key1", "value1"));

 System.out.printf("Created key with name: %s and: id %s%n", createOctKeyResponse.getValue().getName(),
     createOctKeyResponse.getValue().getId());

Parameters:

createOctKeyOptions - The CreateOctKeyOptions containing information about the KeyVaultKey being created.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

A Response<T> whose value contains the KeyVaultKey.

createRsaKey

public KeyVaultKey createRsaKey(CreateRsaKeyOptions createRsaKeyOptions)

Creates a new KeyVaultKey and stores it in the key vault. The create RSA key operation can be used to create any RSA key type in Azure Key Vault. If a KeyVaultKey with the provided name already exists, Azure Key Vault creates a new version of the KeyVaultKey. It requires the keys/create permission.

The CreateRsaKeyOptions parameter is required. The getKeySize() can be optionally specified. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

The keyType indicates the type of KeyVaultKey to create. Possible values include: RSA and RSA_HSM.

Code Samples

Creates a new KeyVaultKey with size 2048 which activates in one day and expires in one year. Prints out the details of the KeyVaultKey.

CreateRsaKeyOptions createRsaKeyOptions = new CreateRsaKeyOptions("keyName")
     .setKeySize(2048)
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 KeyVaultKey rsaKey = keyClient.createRsaKey(createRsaKeyOptions);

 System.out.printf("Created key with name: %s and id: %s%n", rsaKey.getName(), rsaKey.getId());

Parameters:

createRsaKeyOptions - The CreateRsaKeyOptions containing information about the KeyVaultKey being created.

Returns:

createRsaKeyWithResponse

public Response<KeyVaultKey> createRsaKeyWithResponse(CreateRsaKeyOptions createRsaKeyOptions, Context context)

Creates a new KeyVaultKey and stores it in the key vault. The create RSA key operation can be used to create any RSA key type in Azure Key Vault. If a KeyVaultKey with the provided name already exists, Azure Key Vault creates a new version of the KeyVaultKey. It requires the keys/create permission.

The CreateRsaKeyOptions parameter is required. The getKeySize() can be optionally specified. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

The keyType indicates the type of KeyVaultKey to create. Possible values include: RSA and RSA_HSM.

Code Samples

Creates a new KeyVaultKey with size 2048 which activates in one day and expires in one year. Prints out the details of the KeyVaultKey.

CreateRsaKeyOptions createRsaKeyOptions = new CreateRsaKeyOptions("keyName")
     .setKeySize(2048)
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 Response<KeyVaultKey> createRsaKeyResponse =
     keyClient.createRsaKeyWithResponse(createRsaKeyOptions, new Context("key1", "value1"));

 System.out.printf("Created key with name: %s and: id %s%n", createRsaKeyResponse.getValue().getName(),
     createRsaKeyResponse.getValue().getId());

Parameters:

createRsaKeyOptions - The CreateRsaKeyOptions containing information about the KeyVaultKey being created.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

A Response<T> whose value contains the KeyVaultKey.

getCryptographyClient

public CryptographyClient getCryptographyClient(String keyName)

Creates a CryptographyClient for the latest version of a given key.

To ensure correct behavior when performing operations such as Decrypt, Unwrap and Verify, it is recommended to use a CryptographyClient created for the specific key version that was used for the corresponding inverse operation: Encrypt, Wrap, or Sign, respectively.

You can provide a key version either via getCryptographyClient(String keyName, String keyVersion) or by ensuring it is included in the keyIdentifier passed to keyIdentifier(String keyId) before building a client.

Parameters:

keyName - The name of the key.

Returns:

An instance of CryptographyClient associated with the latest version of a key with the provided name.

getCryptographyClient

public CryptographyClient getCryptographyClient(String keyName, String keyVersion)

Creates a CryptographyClient for a given key version.

Parameters:

keyName - The name of the key.
keyVersion - The key version.

Returns:

An instance of CryptographyClient associated with a key with the provided name and version. If keyVersion is null or empty, the client will use the latest version of the key.
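The version-pinning recommendation above matters most once keys are rotated. The following is an added example, not part of the SDK's own samples: it resolves the current key version once, wraps a data-encryption key (DEK) with a client pinned to that version, records the version with the ciphertext, and unwraps with the same version after a rotation. The KEY_VAULT_URL environment variable, the key name "dek-wrapping-key" (an existing RSA key) and the WrappedDek holder class are assumptions made for the illustration.

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.keys.KeyClient;
import com.azure.security.keyvault.keys.KeyClientBuilder;
import com.azure.security.keyvault.keys.cryptography.CryptographyClient;
import com.azure.security.keyvault.keys.cryptography.models.KeyWrapAlgorithm;
import com.azure.security.keyvault.keys.models.KeyVaultKey;

import java.security.SecureRandom;
import java.util.Arrays;

public final class VersionPinnedUnwrap {

    /** Hypothetical holder: what is stored beside the protected data. */
    static final class WrappedDek {
        final String keyName;
        final String keyVersion;
        final byte[] encryptedKey;

        WrappedDek(String keyName, String keyVersion, byte[] encryptedKey) {
            this.keyName = keyName;
            this.keyVersion = keyVersion;
            this.encryptedKey = encryptedKey;
        }
    }

    /** Wraps the DEK with an explicit key version and records that version. */
    static WrappedDek wrap(KeyClient keyClient, String keyName, byte[] dek) {
        // Resolve "latest" to a concrete version once, so the version used
        // for wrapping and the version written to storage cannot diverge.
        KeyVaultKey current = keyClient.getKey(keyName);
        String version = current.getProperties().getVersion();

        CryptographyClient pinned = keyClient.getCryptographyClient(keyName, version);
        byte[] encrypted = pinned.wrapKey(KeyWrapAlgorithm.RSA_OAEP_256, dek).getEncryptedKey();
        return new WrappedDek(keyName, version, encrypted);
    }

    /** Unwraps with the recorded version; refuses to fall back to "latest". */
    static byte[] unwrap(KeyClient keyClient, WrappedDek wrapped) {
        if (wrapped.keyVersion == null || wrapped.keyVersion.isEmpty()) {
            // A null or empty version makes getCryptographyClient use the latest
            // key version, which after a rotation is no longer the wrapping key.
            throw new IllegalArgumentException("wrapped DEK has no key version recorded");
        }
        CryptographyClient pinned =
            keyClient.getCryptographyClient(wrapped.keyName, wrapped.keyVersion);
        return pinned.unwrapKey(KeyWrapAlgorithm.RSA_OAEP_256, wrapped.encryptedKey).getKey();
    }

    public static void main(String[] args) {
        KeyClient keyClient = new KeyClientBuilder()
            .vaultUrl(System.getenv("KEY_VAULT_URL")) // assumption: vault URL from the environment
            .credential(new DefaultAzureCredentialBuilder().build())
            .buildClient();
        String keyName = "dek-wrapping-key"; // hypothetical name of an existing RSA key

        byte[] dek = new byte[32];
        new SecureRandom().nextBytes(dek);

        WrappedDek wrapped = wrap(keyClient, keyName, dek);

        // After rotation, "latest" addresses a new key version with new key material.
        keyClient.rotateKey(keyName);

        byte[] recovered = unwrap(keyClient, wrapped);
        System.out.printf("Wrapped with version %s, unwrap after rotation matches: %b%n",
            wrapped.keyVersion, Arrays.equals(dek, recovered));
    }
}
```

The older key version must stay enabled and unexpired for as long as data wrapped under it exists.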

getDeletedKey

public DeletedKey getDeletedKey(String name)

Gets the public part of a KeyVaultKey. The get deleted Key operation is applicable for soft-delete enabled vaults. This operation requires the keys/get permission.

Code Samples

Gets the KeyVaultKey from the key vault enabled for soft-delete. Prints out the details of the KeyVaultKey.

DeletedKey deletedKey = keyClient.getDeletedKey("keyName");

 System.out.printf("Deleted key's recovery id: %s%n", deletedKey.getRecoveryId());

Parameters:

name - The name of the deleted KeyVaultKey.

Returns:

getDeletedKeyWithResponse

public Response<DeletedKey> getDeletedKeyWithResponse(String name, Context context)

Gets the public part of a KeyVaultKey. The get deleted Key operation is applicable for soft-delete enabled vaults. This operation requires the keys/get permission.

Code Samples

Gets the KeyVaultKey from the key vault enabled for soft-delete. Prints out the details of the KeyVaultKey returned in the Response<T>.

Response<DeletedKey> deletedKeyResponse =
     keyClient.getDeletedKeyWithResponse("keyName", new Context("key1", "value1"));

 System.out.printf("Deleted key with recovery id: %s%n", deletedKeyResponse.getValue().getRecoveryId());

Parameters:

name - The name of the deleted KeyVaultKey.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

A Response<T> whose value contains the DeletedKey.

getKey

public KeyVaultKey getKey(String name)

Gets the public part of the specified KeyVaultKey and key version. The get key operation is applicable to all KeyType and it requires the keys/get permission.

Code Samples

Gets the latest version of the KeyVaultKey in the key vault. Prints out the details of the KeyVaultKey.

KeyVaultKey keyWithVersionValue = keyClient.getKey("keyName");

 System.out.printf("Retrieved key with name: %s and: id %s%n", keyWithVersionValue.getName(),
     keyWithVersionValue.getId());

Parameters:

name - The name of the KeyVaultKey, cannot be null.

Returns:

The requested KeyVaultKey. The content of the key is null if name is null or empty.

getKey

public KeyVaultKey getKey(String name, String version)

Gets the public part of the specified KeyVaultKey and key version. The get key operation is applicable to all KeyType and it requires the keys/get permission.

Code Samples

Gets a specific version of the KeyVaultKey in the key vault. Prints out the details of the KeyVaultKey.

String keyVersion = "6A385B124DEF4096AF1361A85B16C204";
 KeyVaultKey keyWithVersion = keyClient.getKey("keyName", keyVersion);

 System.out.printf("Retrieved key with name: %s and: id %s%n", keyWithVersion.getName(),
     keyWithVersion.getId());

Parameters:

name - The name of the KeyVaultKey, cannot be null.
version - The version of the KeyVaultKey to retrieve. If this is an empty string or null, this call is equivalent to calling getKey(String name), with the latest version being retrieved.

Returns:

The requested KeyVaultKey. The content of the KeyVaultKey is null if both name and version are null or empty.

getKeyRotationPolicy

public KeyRotationPolicy getKeyRotationPolicy(String keyName)

Gets the KeyRotationPolicy for the KeyVaultKey with the provided name. This operation requires the keys/get permission.

Code Samples

Retrieves the KeyRotationPolicy of a given KeyVaultKey. Prints out the KeyRotationPolicy details.

KeyRotationPolicy keyRotationPolicy = keyClient.getKeyRotationPolicy("keyName");

 System.out.printf("Retrieved key rotation policy with id: %s%n", keyRotationPolicy.getId());

Parameters:

keyName - The name of the KeyVaultKey.

Returns:

getKeyRotationPolicyWithResponse

public Response<KeyRotationPolicy> getKeyRotationPolicyWithResponse(String keyName, Context context)

Gets the KeyRotationPolicy for the KeyVaultKey with the provided name. This operation requires the keys/get permission.

Code Samples

Retrieves the KeyRotationPolicy of a given KeyVaultKey. Prints out the Response<T> and KeyRotationPolicy details.

Response<KeyRotationPolicy> keyRotationPolicyResponse =
     keyClient.getKeyRotationPolicyWithResponse("keyName", new Context("key1", "value1"));

 System.out.printf("Response received successfully with status code: %d. Retrieved key rotation policy "
     + "with id: %s%n", keyRotationPolicyResponse.getStatusCode(), keyRotationPolicyResponse.getValue().getId());

Parameters:

keyName - The name of the KeyVaultKey.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

A Response<T> for this operation containing the KeyRotationPolicy for the KeyVaultKey.
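
The retrieved KeyRotationPolicy can be checked before it is trusted to keep key material fresh. The following is an added example, not one of the SDK's own samples: the class name, the 365-day ceiling and the lint rules are assumptions of this example rather than limits enforced by Azure Key Vault, and the policies in main are constructed so the checks run without a vault.

```java
import com.azure.security.keyvault.keys.KeyClient;
import com.azure.security.keyvault.keys.models.KeyRotationLifetimeAction;
import com.azure.security.keyvault.keys.models.KeyRotationPolicy;
import com.azure.security.keyvault.keys.models.KeyRotationPolicyAction;

import java.time.LocalDate;
import java.time.Period;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Added example: lints a KeyRotationPolicy before or after it is applied to a key. */
public final class RotationPolicyLint {
    // Assumed organisational ceiling on key age; not a limit imposed by Azure Key Vault.
    static final long MAX_ROTATION_DAYS = 365;
    // Fixed reference date so month-based periods ("P6M") convert to a stable day count.
    private static final LocalDate REF = LocalDate.of(2024, 1, 1);

    /** Converts a date-based ISO 8601 period ("P90D", "P6M") to days; returns -1 when unset. */
    static long toDays(String isoPeriod) {
        if (isoPeriod == null || isoPeriod.isEmpty()) {
            return -1;
        }
        // Period.parse throws DateTimeParseException on malformed or time-based input.
        return ChronoUnit.DAYS.between(REF, REF.plus(Period.parse(isoPeriod)));
    }

    /** Returns human-readable findings; an empty list means the policy passed every check. */
    static List<String> lint(KeyRotationPolicy policy) {
        List<String> findings = new ArrayList<>();
        long expiryDays = toDays(policy.getExpiresIn());
        if (expiryDays < 0) {
            findings.add("expiresIn is not set, so new key versions carry no expiry");
        }
        List<KeyRotationLifetimeAction> actions = policy.getLifetimeActions() == null
            ? Collections.<KeyRotationLifetimeAction>emptyList() : policy.getLifetimeActions();
        boolean rotates = false;
        for (KeyRotationLifetimeAction action : actions) {
            if (!KeyRotationPolicyAction.ROTATE.equals(action.getAction())) {
                continue; // a NOTIFY action does not create a new key version
            }
            rotates = true;
            long afterCreate = toDays(action.getTimeAfterCreate());
            long beforeExpiry = toDays(action.getTimeBeforeExpiry());
            // Age of a key version, in days, at the moment the ROTATE trigger fires.
            long ageAtRotation = afterCreate >= 0 ? afterCreate
                : (beforeExpiry >= 0 && expiryDays >= 0 ? expiryDays - beforeExpiry : -1);
            if (ageAtRotation < 0) {
                findings.add("ROTATE action has no usable trigger");
                continue;
            }
            if (expiryDays >= 0 && ageAtRotation >= expiryDays) {
                findings.add("ROTATE fires at day " + ageAtRotation
                    + ", not before the version expires at day " + expiryDays);
            }
            if (ageAtRotation > MAX_ROTATION_DAYS) {
                findings.add("ROTATE fires at day " + ageAtRotation
                    + ", above the " + MAX_ROTATION_DAYS + "-day ceiling");
            }
        }
        if (!rotates) {
            findings.add("no ROTATE lifetime action: a new version appears only when rotateKey is called");
        }
        return findings;
    }

    /** Lints the policy stored for a key; getKeyRotationPolicy needs the keys/get permission. */
    static List<String> lintVaultKey(KeyClient keyClient, String keyName) {
        return lint(keyClient.getKeyRotationPolicy(keyName));
    }

    public static void main(String[] args) {
        // Constructed sample 1: the policy shape used in this page's updateKeyRotationPolicy sample.
        KeyRotationPolicy pagePolicy = new KeyRotationPolicy()
            .setLifetimeActions(Arrays.asList(
                new KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE).setTimeAfterCreate("P90D"),
                new KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY).setTimeBeforeExpiry("P45D")))
            .setExpiresIn("P6M");
        // Constructed sample 2: notification only, no expiry configured.
        KeyRotationPolicy notifyOnly = new KeyRotationPolicy()
            .setLifetimeActions(Collections.singletonList(
                new KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY).setTimeBeforeExpiry("P30D")));
        // Constructed sample 3: rotation scheduled after the key version has already expired.
        KeyRotationPolicy lateRotate = new KeyRotationPolicy()
            .setLifetimeActions(Collections.singletonList(
                new KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE).setTimeAfterCreate("P2Y")))
            .setExpiresIn("P1Y");

        System.out.printf("page policy: %s%n", lint(pagePolicy));
        System.out.printf("notify only: %s%n", lint(notifyOnly));
        System.out.printf("late rotate: %s%n", lint(lateRotate));
    }
}
```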

getKeyWithResponse

public Response<KeyVaultKey> getKeyWithResponse(String name, String version, Context context)

Gets the public part of the specified KeyVaultKey and key version. The get key operation is applicable to all KeyType and it requires the keys/get permission.

Code Samples

Gets a specific version of the KeyVaultKey in the key vault. Prints out the details of the KeyVaultKey.

String keyVersion = "6A385B124DEF4096AF1361A85B16C204";
 Response<KeyVaultKey> getKeyResponse =
     keyClient.getKeyWithResponse("keyName", keyVersion, new Context("key1", "value1"));

 System.out.printf("Retrieved key with name: %s and id: %s%n", getKeyResponse.getValue().getName(),
     getKeyResponse.getValue().getId());

Parameters:

name - The name of the KeyVaultKey, cannot be null.
version - The version of the KeyVaultKey to retrieve. If this is an empty string or null, this call is equivalent to calling getKey(String name), with the latest version being retrieved.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

A Response<T> whose value contains the requested KeyVaultKey. The content of the KeyVaultKey is null if both name and version are null or empty.

getRandomBytes

public byte[] getRandomBytes(int count)

Get the requested number of bytes containing random values from a managed HSM.

Code Samples

Gets a number of bytes containing random values from a Managed HSM. Prints out the retrieved bytes.

int amount = 16;
 byte[] randomBytes = keyClient.getRandomBytes(amount);

 System.out.printf("Retrieved %d random bytes: %s%n", amount, Arrays.toString(randomBytes));

Parameters:

count - The requested number of random bytes.

Returns:

The requested number of bytes containing random values from a managed HSM.

getRandomBytesWithResponse

public Response<byte[]> getRandomBytesWithResponse(int count, Context context)

Get the requested number of bytes containing random values from a managed HSM.

Code Samples

Gets a number of bytes containing random values from a Managed HSM. Prints out the Response<T> details and the retrieved bytes.

int amountOfBytes = 16;
 Response<byte[]> response =
     keyClient.getRandomBytesWithResponse(amountOfBytes, new Context("key1", "value1"));

 System.out.printf("Response received successfully with status code: %d. Retrieved %d random bytes: %s%n",
     response.getStatusCode(), amountOfBytes, Arrays.toString(response.getValue()));

Parameters:

count - The requested number of random bytes.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

The Response<T> for this operation and the requested number of bytes containing random values from a managed HSM.

getVaultUrl

public String getVaultUrl()

Gets the vault endpoint URL to which service requests are sent.

Returns:

The vault endpoint url.

importKey

public KeyVaultKey importKey(ImportKeyOptions importKeyOptions)

Imports an externally created JsonWebKey and stores it in the key vault. The import key operation may be used to import any KeyType into Azure Key Vault. If a KeyVaultKey with the provided name already exists, Azure Key Vault creates a new version of the KeyVaultKey. This operation requires the keys/import permission.

ImportKeyOptions is required and its fields name and getKey() cannot be null. The expires and notBefore values in importKeyOptions are optional. If not specified, no values are set for the fields. The enabled field is set to true and the isHardwareProtected() field is set to false by Azure Key Vault, if they are not specified.

Code Samples

Imports a new KeyVaultKey into the key vault. Prints out the details of the KeyVaultKey.

ImportKeyOptions options = new ImportKeyOptions("keyName", jsonWebKeyToImport)
     .setHardwareProtected(false);
 KeyVaultKey importedKey = keyClient.importKey(options);

 System.out.printf("Imported key with name: %s and id: %s%n", importedKey.getName(),
     importedKey.getId());

Parameters:

importKeyOptions - The ImportKeyOptions containing information about the JsonWebKey being imported.

Returns:

importKey

public KeyVaultKey importKey(String name, JsonWebKey keyMaterial)

Imports an externally created JsonWebKey and stores it in the key vault. The import key operation may be used to import any KeyType into Azure Key Vault. If a KeyVaultKey with the provided name already exists, Azure Key Vault creates a new version of the KeyVaultKey. This operation requires the keys/import permission.

Code Samples

Imports a new KeyVaultKey into the key vault. Prints out the details of the KeyVaultKey.

KeyVaultKey key = keyClient.importKey("keyName", jsonWebKeyToImport);

 System.out.printf("Imported key with name: %s and id: %s%n", key.getName(), key.getId());

Parameters:

name - The name for the KeyVaultKey.
keyMaterial - The JsonWebKey being imported.

Returns:

importKeyWithResponse

public Response<KeyVaultKey> importKeyWithResponse(ImportKeyOptions importKeyOptions, Context context)

Imports an externally created JsonWebKey and stores it in the key vault. The import key operation may be used to import any KeyType into Azure Key Vault. If a KeyVaultKey with the provided name already exists, Azure Key Vault creates a new version of the KeyVaultKey. This operation requires the keys/import permission.

ImportKeyOptions is required and its fields name and getKey() cannot be null. The expires and notBefore values in importKeyOptions are optional. If not specified, no values are set for the fields. The enabled field is set to true and the isHardwareProtected() field is set to false by Azure Key Vault, if they are not specified.

Code Samples

Imports a new KeyVaultKey into the key vault. Prints out the details of the KeyVaultKey.

ImportKeyOptions importKeyOptions = new ImportKeyOptions("keyName", jsonWebKeyToImport)
     .setHardwareProtected(false);
 Response<KeyVaultKey> response =
     keyClient.importKeyWithResponse(importKeyOptions, new Context("key1", "value1"));

 System.out.printf("Imported key with name: %s and id: %s%n", response.getValue().getName(),
     response.getValue().getId());

Parameters:

importKeyOptions - The ImportKeyOptions containing information about the JsonWebKey being imported.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

A Response<T> whose value contains the KeyVaultKey.

listDeletedKeys

public PagedIterable<DeletedKey> listDeletedKeys()

Lists DeletedKey of the key vault. The DeletedKey are retrieved as JsonWebKey structures that contain the public part of a DeletedKey. The get deleted keys operation is applicable for vaults enabled for soft-delete. This operation requires the keys/list permission.

Code Samples

Lists the DeletedKey in the key vault and for each DeletedKey prints out its recovery id.

for (DeletedKey deletedKey : keyClient.listDeletedKeys()) {
     System.out.printf("Deleted key's recovery id:%s%n", deletedKey.getRecoveryId());
 }

Code Samples to iterate over deleted keys by page

Iterates over the DeletedKey by page in the key vault and for each deleted key prints out its recovery id.

keyClient.listDeletedKeys().iterableByPage().forEach(pagedResponse -> {
     System.out.printf("Got response details. Url: %s. Status code: %d.%n",
         pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode());
     pagedResponse.getElements().forEach(deletedKey ->
         System.out.printf("Deleted key's recovery id:%s%n", deletedKey.getRecoveryId()));
 });

Returns:

PagedIterable<T> of all of the DeletedKey in the vault.

listDeletedKeys

public PagedIterable<DeletedKey> listDeletedKeys(Context context)

Lists DeletedKey of the key vault. The DeletedKey are retrieved as JsonWebKey structures that contain the public part of a DeletedKey. The get deleted keys operation is applicable for vaults enabled for soft-delete. This operation requires the keys/list permission.

Code Samples

Lists the DeletedKey in the key vault and for each DeletedKey prints out its recovery id.

for (DeletedKey deletedKey : keyClient.listDeletedKeys(new Context("key1", "value1"))) {
     System.out.printf("Deleted key's recovery id:%s%n", deletedKey.getRecoveryId());
 }

Code Samples to iterate over deleted keys by page

Iterates over the DeletedKey by page in the key vault and for each deleted key prints out its recovery id.

keyClient.listDeletedKeys().iterableByPage().forEach(pagedResponse -> {
     System.out.printf("Got response details. Url: %s. Status code: %d.%n",
         pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode());
     pagedResponse.getElements().forEach(deletedKey ->
         System.out.printf("Deleted key's recovery id:%s%n", deletedKey.getRecoveryId()));
 });

Parameters:

context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

PagedIterable<T> of all of the DeletedKey in the vault.

listPropertiesOfKeyVersions

public PagedIterable<KeyProperties> listPropertiesOfKeyVersions(String name)

Lists all versions of the specified KeyVaultKey. Each key in the list is represented by KeyProperties, as only the key identifier, attributes and tags are provided in the response. The key material values are not provided in the response. This operation requires the keys/list permission.

It is possible to get KeyVaultKey with key material for each version from this information. Loop over the KeyProperties and call getKey(String name, String version). This will return the KeyVaultKey with key material included of the specified versions.

for (KeyProperties keyProperties : keyClient.listPropertiesOfKeyVersions("keyName")) {
     KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion());

     System.out.printf("Retrieved key version: %s with name: %s and type: %s%n",
         key.getProperties().getVersion(), key.getName(), key.getKeyType());
 }

Code Samples to iterate over key versions by page

It is possible to get KeyVaultKey with key material for each version from this information. Iterate over all the KeyProperties by page and call getKey(String name, String version). This will return the KeyVaultKey with key material included of the specified versions.

keyClient.listPropertiesOfKeyVersions("keyName").iterableByPage().forEach(pagedResponse -> {
     System.out.printf("Got response details. Url: %s. Status code: %d.%n",
         pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode());
     pagedResponse.getElements().forEach(keyProperties ->
         System.out.printf("Key name: %s. Key version: %s.%n", keyProperties.getName(),
             keyProperties.getVersion()));
 });

Parameters:

name - The name of the KeyVaultKey.

Returns:

PagedIterable<T> of KeyProperties of all the versions of the specified key in the vault. The list is empty if a KeyVaultKey with the provided name does not exist in the key vault.

listPropertiesOfKeyVersions

public PagedIterable<KeyProperties> listPropertiesOfKeyVersions(String name, Context context)

Lists all versions of the specified KeyVaultKey. Each key in the list is represented by KeyProperties, as only the key identifier, attributes and tags are provided in the response. The key material values are not provided in the response. This operation requires the keys/list permission.

It is possible to get KeyVaultKey with key material for each version from this information. Loop over the KeyProperties and call getKey(String name, String version). This will return the KeyVaultKey with key material included of the specified versions.

for (KeyProperties keyProperties : keyClient.listPropertiesOfKeyVersions("keyName", new Context("key1", "value1"))) {
     KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion());

     System.out.printf("Retrieved key version: %s with name: %s and type: %s%n",
         key.getProperties().getVersion(), key.getName(), key.getKeyType());
 }

Code Samples to iterate over key versions by page

It is possible to get KeyVaultKey with key material for each version from this information. Iterate over all the KeyProperties by page and call getKey(String name, String version). This will return the KeyVaultKey with key material included of the specified versions.

keyClient.listPropertiesOfKeyVersions("keyName").iterableByPage().forEach(pagedResponse -> {
     System.out.printf("Got response details. Url: %s. Status code: %d.%n",
         pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode());
     pagedResponse.getElements().forEach(keyProperties ->
         System.out.printf("Key name: %s. Key version: %s.%n", keyProperties.getName(),
             keyProperties.getVersion()));
 });

Parameters:

name - The name of the KeyVaultKey.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

PagedIterable<T> of KeyProperties of all the versions of the specified KeyVaultKey in the vault. The list is empty if a KeyVaultKey with the provided name does not exist in the key vault.

listPropertiesOfKeys

public PagedIterable<KeyProperties> listPropertiesOfKeys()

List KeyVaultKey in the key vault. Retrieves a list of the KeyVaultKey in the key vault as JsonWebKey structures that contain the public part of a stored KeyVaultKey. The list operation is applicable to all KeyType and the individual KeyVaultKey response in the list is represented by KeyProperties as only the key identifier, attributes and tags are provided in the response. The key material and individual key versions are not listed in the response. This operation requires the keys/list permission.

Code Samples

It is possible to get KeyVaultKey with key material from this information. Loop over the KeyProperties and call getKey(String name, String version). This will return the KeyVaultKey with key material included as of its latest version.

for (KeyProperties keyProperties : keyClient.listPropertiesOfKeys()) {
     KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion());

     System.out.printf("Retrieved key with name: %s and type: %s%n", key.getName(), key.getKeyType());
 }

Iterate keys by page

It is possible to get KeyVaultKey with key material from this information. Iterate over all the KeyProperties by page and call getKey(String name, String version). This will return the KeyVaultKey with key material included as of its latest version.

keyClient.listPropertiesOfKeys().iterableByPage().forEach(pagedResponse -> {
     System.out.printf("Got response details. Url: %s. Status code: %d.%n",
         pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode());
     pagedResponse.getElements().forEach(keyProperties -> {
         KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion());

         System.out.printf("Retrieved key with name: %s and type: %s%n", key.getName(),
             key.getKeyType());
     });
 });

Returns:

PagedIterable<T> of KeyProperties of all the KeyVaultKey in the vault.

listPropertiesOfKeys

public PagedIterable<KeyProperties> listPropertiesOfKeys(Context context)

List KeyVaultKey in the key vault. Retrieves a list of the KeyVaultKey in the key vault as JsonWebKey structures that contain the public part of a stored KeyVaultKey. The list operation is applicable to all KeyType and the individual KeyVaultKey response in the list is represented by KeyProperties as only the key identifier, attributes and tags are provided in the response. The key material and individual key versions are not listed in the response. This operation requires the keys/list permission.

Code Samples

It is possible to get KeyVaultKey with key material from this information. Loop over the KeyProperties and call getKey(String name, String version). This will return the KeyVaultKey with key material included as of its latest version.

for (KeyProperties keyProperties : keyClient.listPropertiesOfKeys(new Context("key1", "value1"))) {
     KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion());

     System.out.printf("Retrieved key with name: %s and type: %s%n", key.getName(),
         key.getKeyType());
 }

Iterate by page

It is possible to get KeyVaultKey with key material from this information. Iterate over all the KeyProperties by page and call getKey(String name, String version). This will return the KeyVaultKey with key material included as of its latest version.

keyClient.listPropertiesOfKeys().iterableByPage().forEach(pagedResponse -> {
     System.out.printf("Got response details. Url: %s. Status code: %d.%n",
         pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode());
     pagedResponse.getElements().forEach(keyProperties -> {
         KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion());

         System.out.printf("Retrieved key with name: %s and type: %s%n", key.getName(),
             key.getKeyType());
     });
 });

Parameters:

context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

PagedIterable<T> of KeyProperties of all the KeyVaultKey in the vault.
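
The samples above call getKey for every listed key, which needs keys/get in addition to keys/list. An inventory audit can work from the listed KeyProperties alone, as in the following added example (not one of the SDK's own samples); the class name, the finding categories and the 30-day warning window are assumptions of this example, and the attribute values classified in main are constructed.

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.keys.KeyClient;
import com.azure.security.keyvault.keys.KeyClientBuilder;
import com.azure.security.keyvault.keys.models.KeyProperties;

import java.time.Duration;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.util.ArrayList;
import java.util.List;

/** Added example: audits key attributes using only the keys/list permission. */
public final class KeyInventoryAudit {
    /** Finding categories defined by this example, not by the SDK. */
    enum Finding { OK, DISABLED, NO_EXPIRY, EXPIRED, EXPIRES_SOON }

    /** Classifies one key from its attributes; a null enabled flag is treated as enabled. */
    static Finding classify(Boolean enabled, OffsetDateTime expiresOn,
                            OffsetDateTime now, Duration warnWindow) {
        if (Boolean.FALSE.equals(enabled)) {
            return Finding.DISABLED;
        }
        if (expiresOn == null) {
            return Finding.NO_EXPIRY;
        }
        if (!expiresOn.isAfter(now)) {
            return Finding.EXPIRED;
        }
        if (expiresOn.isBefore(now.plus(warnWindow))) {
            return Finding.EXPIRES_SOON;
        }
        return Finding.OK;
    }

    /**
     * Walks the current version of every key in the vault and reports each one that is not OK.
     * No getKey call is made, so no key material is fetched and keys/get is not needed.
     */
    static List<String> audit(KeyClient keyClient, OffsetDateTime now, Duration warnWindow) {
        List<String> report = new ArrayList<>();
        for (KeyProperties properties : keyClient.listPropertiesOfKeys()) {
            Finding finding = classify(properties.isEnabled(), properties.getExpiresOn(), now, warnWindow);
            if (finding != Finding.OK) {
                report.add(properties.getName() + ": " + finding);
            }
        }
        return report;
    }

    public static void main(String[] args) {
        Duration warnWindow = Duration.ofDays(30); // assumed warning window

        // Constructed attribute sets, evaluated against a constructed clock, to show each category.
        OffsetDateTime clock = OffsetDateTime.of(2024, 6, 1, 0, 0, 0, 0, ZoneOffset.UTC);
        System.out.println(classify(true, null, clock, warnWindow));
        System.out.println(classify(true, clock.minusDays(1), clock, warnWindow));
        System.out.println(classify(true, clock.plusDays(10), clock, warnWindow));
        System.out.println(classify(true, clock.plusDays(90), clock, warnWindow));
        System.out.println(classify(false, null, clock, warnWindow));

        // With a vault URL as the only argument, audit a real vault using the client
        // construction shown at the top of this page.
        if (args.length == 1) {
            KeyClient keyClient = new KeyClientBuilder()
                .vaultUrl(args[0])
                .credential(new DefaultAzureCredentialBuilder().build())
                .buildClient();
            audit(keyClient, OffsetDateTime.now(ZoneOffset.UTC), warnWindow)
                .forEach(System.out::println);
        }
    }
}
```

To cover older versions of a key as well, run the same classification over listPropertiesOfKeyVersions(String name) for each key name.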

purgeDeletedKey

public void purgeDeletedKey(String name)

Permanently deletes the specified KeyVaultKey without the possibility of recovery. The purge deleted key operation is applicable for soft-delete enabled vaults. This operation requires the keys/purge permission.

Code Samples

Purges the KeyVaultKey from the key vault enabled for soft-delete.

keyClient.purgeDeletedKey("deletedKeyName");

Parameters:

name - The name of the KeyVaultKey.

purgeDeletedKeyWithResponse

public Response<Void> purgeDeletedKeyWithResponse(String name, Context context)

Permanently deletes the specified KeyVaultKey without the possibility of recovery. The purge deleted key operation is applicable for soft-delete enabled vaults. This operation requires the keys/purge permission.

Code Samples

Purges the KeyVaultKey from the key vault enabled for soft-delete.

Response<Void> purgeDeletedKeyResponse = keyClient.purgeDeletedKeyWithResponse("deletedKeyName",
     new Context("key1", "value1"));

 System.out.printf("Purge response status code: %d%n", purgeDeletedKeyResponse.getStatusCode());

Parameters:

name - The name of the KeyVaultKey.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

A Response<T> containing status code and HTTP headers.

releaseKey

public ReleaseKeyResult releaseKey(String name, String targetAttestationToken)

Releases the latest version of a KeyVaultKey.

The KeyVaultKey must be exportable. This operation requires the keys/release permission.

Code Samples

Releases a KeyVaultKey. Prints out the signed object that contains the released key.

String targetAttestationToken = "someAttestationToken";
 ReleaseKeyResult releaseKeyResult = keyClient.releaseKey("keyName", targetAttestationToken);

 System.out.printf("Signed object containing released key: %s%n", releaseKeyResult);

Parameters:

name - The name of the KeyVaultKey to release.
targetAttestationToken - The attestation assertion for the target of the KeyVaultKey release.

Returns:

The key release result containing the KeyVaultKey.

releaseKey

public ReleaseKeyResult releaseKey(String name, String version, String targetAttestationToken)

Releases a specific version of a KeyVaultKey.

The KeyVaultKey must be exportable. This operation requires the keys/release permission.

Code Samples

Releases a KeyVaultKey. Prints out the signed object that contains the released key.

String myKeyVersion = "6A385B124DEF4096AF1361A85B16C204";
 String myTargetAttestationToken = "someAttestationToken";
 ReleaseKeyResult releaseKeyVersionResult =
     keyClient.releaseKey("keyName", myKeyVersion, myTargetAttestationToken);

 System.out.printf("Signed object containing released key: %s%n", releaseKeyVersionResult);

Parameters:

name - The name of the KeyVaultKey to release.
version - The version of the key to release. If this is empty or null, this call is equivalent to calling releaseKey(String name, String targetAttestationToken), with the latest key version being released.
targetAttestationToken - The attestation assertion for the target of the KeyVaultKey release.

Returns:

The key release result containing the KeyVaultKey.

releaseKeyWithResponse

public Response<ReleaseKeyResult> releaseKeyWithResponse(String name, String version, String targetAttestationToken, ReleaseKeyOptions releaseKeyOptions, Context context)

Releases a KeyVaultKey.

The key must be exportable. This operation requires the keys/release permission.

Code Samples

Releases a KeyVaultKey. Prints out the Response<T> details and the signed object that contains the released key.

String releaseKeyVersion = "6A385B124DEF4096AF1361A85B16C204";
 String someTargetAttestationToken = "someAttestationToken";
 ReleaseKeyOptions releaseKeyOptions = new ReleaseKeyOptions()
     .setAlgorithm(KeyExportEncryptionAlgorithm.RSA_AES_KEY_WRAP_256)
     .setNonce("someNonce");

 Response<ReleaseKeyResult> releaseKeyResultResponse =
     keyClient.releaseKeyWithResponse("keyName", releaseKeyVersion, someTargetAttestationToken,
         releaseKeyOptions, new Context("key1", "value1"));

 System.out.printf("Response received successfully with status code: %d. Signed object containing "
         + "released key: %s%n", releaseKeyResultResponse.getStatusCode(),
     releaseKeyResultResponse.getValue().getValue());

Parameters:

name - The name of the KeyVaultKey to release.
version - The version of the KeyVaultKey to release. If this is empty or null, this call is equivalent to calling releaseKey(String name, String targetAttestationToken), with the latest key version being released.
targetAttestationToken - The attestation assertion for the target of the key release.
releaseKeyOptions - Additional ReleaseKeyOptions for releasing a KeyVaultKey.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

The Response<T> for this operation and the ReleaseKeyResult containing the KeyVaultKey.

restoreKeyBackup

public KeyVaultKey restoreKeyBackup(byte[] backup)

Restores a backed up KeyVaultKey to a vault. Imports a previously backed up KeyVaultKey into Azure Key Vault, restoring the KeyVaultKey, its key identifier, attributes and access control policies. The restore operation may be used to import a previously backed up KeyVaultKey. Individual versions of a KeyVaultKey cannot be restored. The KeyVaultKey is restored in its entirety with the same key name as it had when it was backed up. If the key name is not available in the target key vault, the restore operation will be rejected. While the key name is retained during restore, the final key identifier will change if the KeyVaultKey is restored to a different vault. Restore will restore all versions and preserve version identifiers. The restore operation is subject to security constraints: The target key vault must be owned by the same Microsoft Azure Subscription as the source key vault. The user must have the restore permission in the target key vault. This operation requires the keys/restore permission.

Code Samples

Restores the KeyVaultKey in the key vault from its backup.

// Pass the key backup byte array to the restore operation.

byte[] keyBackupByteArray = {};
 KeyVaultKey keyResponse = keyClient.restoreKeyBackup(keyBackupByteArray);
 System.out.printf("Restored key with name: %s and id: %s%n", keyResponse.getName(), keyResponse.getId());

Parameters:

backup - The backup blob associated with the KeyVaultKey.

Returns:

restoreKeyBackupWithResponse

public Response<KeyVaultKey> restoreKeyBackupWithResponse(byte[] backup, Context context)

Restores a backed up KeyVaultKey to a vault. Imports a previously backed up KeyVaultKey into Azure Key Vault, restoring the KeyVaultKey, its key identifier, attributes and access control policies. The restore operation may be used to import a previously backed up KeyVaultKey. Individual versions of a KeyVaultKey cannot be restored. The KeyVaultKey is restored in its entirety with the same key name as it had when it was backed up. If the key name is not available in the target key vault, the restore operation will be rejected. While the key name is retained during restore, the final key identifier will change if the KeyVaultKey is restored to a different vault. Restore will restore all versions and preserve version identifiers. The restore operation is subject to security constraints: The target key vault must be owned by the same Microsoft Azure Subscription as the source key vault. The user must have the restore permission in the target key vault. This operation requires the keys/restore permission.

Code Samples

Restores the KeyVaultKey in the key vault from its backup. Prints out the details of the KeyVaultKey returned in the Response<T>.

// Pass the key backup byte array to the restore operation.

Response<KeyVaultKey> keyResponse = keyClient.restoreKeyBackupWithResponse(keyBackupByteArray,
     new Context("key1", "value1"));

 System.out.printf("Restored key with name: %s and id: %s%n",
     keyResponse.getValue().getName(), keyResponse.getValue().getId());

Parameters:

backup - The backup blob associated with the KeyVaultKey.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

A Response<T> whose value contains the KeyVaultKey.

rotateKey

public KeyVaultKey rotateKey(String name)

Rotates a KeyVaultKey. The rotate key operation will do so based on KeyRotationPolicy. This operation requires the keys/rotate permission.

Code Samples

Rotates a KeyVaultKey. Prints out KeyVaultKey details.

KeyVaultKey key = keyClient.rotateKey("keyName");

 System.out.printf("Rotated key with name: %s and version:%s%n", key.getName(),
     key.getProperties().getVersion());

Parameters:

name - The name of KeyVaultKey to be rotated. The system will generate a new version in the specified KeyVaultKey.

Returns:

The new version of the rotated KeyVaultKey.

rotateKeyWithResponse

public Response<KeyVaultKey> rotateKeyWithResponse(String name, Context context)

Rotates a KeyVaultKey. The rotate key operation will do so based on KeyRotationPolicy. This operation requires the keys/rotate permission.

Code Samples

Rotates a KeyVaultKey. Prints out the Response<T> and KeyVaultKey details.

Response<KeyVaultKey> keyResponse = keyClient.rotateKeyWithResponse("keyName", new Context("key1", "value1"));

 System.out.printf("Response received successfully with status code: %d. Rotated key with name: %s and "
         + "version: %s%n", keyResponse.getStatusCode(), keyResponse.getValue().getName(),
     keyResponse.getValue().getProperties().getVersion());

Parameters:

name - The name of KeyVaultKey to be rotated. The system will generate a new version in the specified KeyVaultKey.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

The Response<T> for this operation containing the new version of the rotated KeyVaultKey.

updateKeyProperties

public KeyVaultKey updateKeyProperties(KeyProperties keyProperties, KeyOperation[] keyOperations)

Updates the KeyProperties and KeyOperation associated with the specified KeyVaultKey, but not the cryptographic key material of the specified KeyVaultKey in the key vault. The update operation changes specified KeyProperties of an existing stored KeyVaultKey and KeyProperties that are not specified in the request are left unchanged. The cryptographic key material of a KeyVaultKey itself cannot be changed. This operation requires the keys/set permission.

Code Samples

Gets the latest version of the KeyVaultKey, changes its expiry time and KeyOperation and then updates the KeyVaultKey in the key vault.

KeyVaultKey key = keyClient.getKey("keyName");

 key.getProperties().setExpiresOn(OffsetDateTime.now().plusDays(60));

 KeyVaultKey updatedKey = keyClient.updateKeyProperties(key.getProperties(), KeyOperation.ENCRYPT,
     KeyOperation.DECRYPT);

 System.out.printf("Key is updated with name %s and id %s %n", updatedKey.getName(), updatedKey.getId());

Parameters:

keyProperties - The KeyProperties object with updated properties.
keyOperations - The updated KeyOperation to associate with the key.

Returns:

The updated KeyVaultKey.

updateKeyPropertiesWithResponse

public Response<KeyVaultKey> updateKeyPropertiesWithResponse(KeyProperties keyProperties, Context context, KeyOperation[] keyOperations)

Updates the KeyProperties and KeyOperation associated with the specified KeyVaultKey, but not the cryptographic key material of the specified KeyVaultKey in the key vault. The update operation changes specified KeyProperties of an existing stored KeyVaultKey and KeyProperties that are not specified in the request are left unchanged. The cryptographic key material of a KeyVaultKey itself cannot be changed. This operation requires the keys/set permission.

Code Samples

Gets the latest version of the KeyVaultKey, changes its expiry time and KeyOperation and then updates the KeyVaultKey in the key vault.

KeyVaultKey key = keyClient.getKey("keyName");

 key.getProperties().setExpiresOn(OffsetDateTime.now().plusDays(60));

 Response<KeyVaultKey> updateKeyResponse =
     keyClient.updateKeyPropertiesWithResponse(key.getProperties(), new Context("key1", "value1"),
         KeyOperation.ENCRYPT, KeyOperation.DECRYPT);

 System.out.printf("Updated key with name: %s and id: %s%n", updateKeyResponse.getValue().getName(),
     updateKeyResponse.getValue().getId());

Parameters:

keyProperties - The KeyProperties object with updated properties.
context - Additional Context that is passed through the HttpPipeline during the service call.
keyOperations - The updated KeyOperation to associate with the key.

Returns:

A Response<T> whose value contains the KeyVaultKey.

updateKeyRotationPolicy

public KeyRotationPolicy updateKeyRotationPolicy(String keyName, KeyRotationPolicy keyRotationPolicy)

Updates the KeyRotationPolicy of the KeyVaultKey with the provided name. This operation requires the keys/update permission.

Code Samples

Updates the KeyRotationPolicy of a given KeyVaultKey. Prints out the KeyRotationPolicy details.

List<KeyRotationLifetimeAction> lifetimeActions = new ArrayList<>();
 KeyRotationLifetimeAction rotateLifetimeAction = new KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE)
     .setTimeAfterCreate("P90D");
 KeyRotationLifetimeAction notifyLifetimeAction = new KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY)
     .setTimeBeforeExpiry("P45D");

 lifetimeActions.add(rotateLifetimeAction);
 lifetimeActions.add(notifyLifetimeAction);

 KeyRotationPolicy keyRotationPolicy = new KeyRotationPolicy()
     .setLifetimeActions(lifetimeActions)
     .setExpiresIn("P6M");

 KeyRotationPolicy updatedPolicy =
     keyClient.updateKeyRotationPolicy("keyName", keyRotationPolicy);

 System.out.printf("Updated key rotation policy with id: %s%n", updatedPolicy.getId());

Parameters:

keyName - The name of the KeyVaultKey.
keyRotationPolicy - The KeyRotationPolicy for the KeyVaultKey.

Returns:

The KeyRotationPolicy for the KeyVaultKey.

updateKeyRotationPolicyWithResponse

public Response<KeyRotationPolicy> updateKeyRotationPolicyWithResponse(String keyName, KeyRotationPolicy keyRotationPolicy, Context context)

Updates the KeyRotationPolicy of the key with the provided name. This operation requires the keys/update permission.

Code Samples

Updates the KeyRotationPolicy of a given KeyVaultKey. Prints out the Response<T> and KeyRotationPolicy details.

List<KeyRotationLifetimeAction> myLifetimeActions = new ArrayList<>();
 KeyRotationLifetimeAction myRotateLifetimeAction = new KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE)
     .setTimeAfterCreate("P90D");
 KeyRotationLifetimeAction myNotifyLifetimeAction = new KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY)
     .setTimeBeforeExpiry("P45D");

 myLifetimeActions.add(myRotateLifetimeAction);
 myLifetimeActions.add(myNotifyLifetimeAction);

 KeyRotationPolicy myKeyRotationPolicy = new KeyRotationPolicy()
     .setLifetimeActions(myLifetimeActions)
     .setExpiresIn("P6M");

 Response<KeyRotationPolicy> keyRotationPolicyResponse = keyClient.updateKeyRotationPolicyWithResponse(
     "keyName", myKeyRotationPolicy, new Context("key1", "value1"));

 System.out.printf("Response received successfully with status code: %d. Updated key rotation policy "
     + "with id: %s%n", keyRotationPolicyResponse.getStatusCode(), keyRotationPolicyResponse.getValue().getId());

Parameters:

keyName - The name of the KeyVaultKey.
keyRotationPolicy - The KeyRotationPolicy for the key.
context - Additional Context that is passed through the HttpPipeline during the service call.

Returns:

A Response<T> for this operation containing the KeyRotationPolicy for the KeyVaultKey.
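
An added example, not part of the Azure SDK documentation or its samples: a local check of the ISO 8601 durations passed to setExpiresIn, setTimeAfterCreate and setTimeBeforeExpiry, confirming that the ROTATE action fires before a key version expires. The class RotationPolicyCheck, its check method and the creation date are hypothetical; the code assumes date-based durations (days, months, years) as in the samples above and does not reproduce any service-side limits.

```java
import java.time.LocalDate;
import java.time.Period;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, not part of the Azure SDK: checks rotation-policy durations locally.
public class RotationPolicyCheck {

    // Arguments are the ISO 8601 strings given to setExpiresIn, setTimeAfterCreate (ROTATE)
    // and setTimeBeforeExpiry (NOTIFY); null means the policy omits that setting.
    static List<String> check(LocalDate created, String expiresIn,
                              String rotateAfterCreate, String notifyBeforeExpiry) {
        List<String> findings = new ArrayList<>();
        if (rotateAfterCreate == null) {
            findings.add("no ROTATE action: the policy never rotates the key automatically");
        }
        if (expiresIn == null) {
            findings.add("no expiresIn: the policy sets no expiry on new key versions");
            return findings; // the remaining checks need an expiry date
        }
        LocalDate expiry = created.plus(Period.parse(expiresIn));
        if (rotateAfterCreate != null) {
            LocalDate rotate = created.plus(Period.parse(rotateAfterCreate));
            if (!rotate.isBefore(expiry)) {
                findings.add("ROTATE on " + rotate + " is not before expiry on " + expiry);
            }
        }
        if (notifyBeforeExpiry != null) {
            LocalDate notify = expiry.minus(Period.parse(notifyBeforeExpiry));
            if (!notify.isAfter(created)) {
                findings.add("NOTIFY on " + notify + " is not after creation on " + created);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        LocalDate created = LocalDate.of(2024, 1, 1); // constructed creation date
        // Durations from the samples above: expires P6M, rotate P90D, notify P45D.
        System.out.println(check(created, "P6M", "P90D", "P45D"));
        // Constructed misconfiguration: versions expire before the rotation fires.
        System.out.println(check(created, "P60D", "P90D", "P45D"));
    }
}
```

Running the check before calling updateKeyRotationPolicy catches a policy whose key versions would expire before their successor is created.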
