public async Task RecoverDeletedRsaHsmKey()
{
string keyName = Recording.GenerateId();
CreateRsaKeyOptions options = new CreateRsaKeyOptions(keyName, hardwareProtected: true);
KeyVaultKey rsaHsmKey = await Client.CreateRsaKeyAsync(options);
DeleteKeyOperation deleteOperation = await Client.StartDeleteKeyAsync(keyName);
DeletedKey deletedKey = await deleteOperation.WaitForCompletionAsync();
await WaitForDeletedKey(keyName);
Assert.ThrowsAsync <RequestFailedException>(() => Client.GetKeyAsync(keyName));
RecoverDeletedKeyOperation recoverOperation = await Client.StartRecoverDeletedKeyAsync(keyName);
KeyVaultKey recoverKeyResult = await recoverOperation.WaitForCompletionAsync();
await WaitForKey(keyName);
KeyVaultKey recoveredKey = await Client.GetKeyAsync(keyName);
RegisterForCleanup(recoveredKey.Name);
AssertKeyVaultKeysEqual(rsaHsmKey, deletedKey);
AssertKeyVaultKeysEqual(rsaHsmKey, recoverKeyResult);
AssertKeyVaultKeysEqual(rsaHsmKey, recoveredKey);
}
public void DeleteKey()
{
#region DeleteKey
DeletedKey key = client.DeleteKey("key-name");
Console.WriteLine(key.Name);
Console.WriteLine(key.DeletedDate);
#endregion
DeletedKey rsaKey = client.DeleteKey("rsa-key-name");
DeletedKey ecKey = client.DeleteKey("ec-key-name");
try
{
// Deleting a key when soft delete is enabled may not happen immediately.
WaitForDeletedKey(key.Name);
WaitForDeletedKey(rsaKey.Name);
WaitForDeletedKey(ecKey.Name);
client.PurgeDeletedKey(key.Name);
client.PurgeDeletedKey(rsaKey.Name);
client.PurgeDeletedKey(ecKey.Name);
}
catch
{
// Merely attempt to purge a deleted key since the Key Vault may not have soft delete enabled.
}
}
public async Task DeleteAndPurgeKey()
{
#region Snippet:DeleteAndPurgeKeyAsync
DeleteKeyOperation operation = await client.StartDeleteKeyAsync("key-name");
// You only need to wait for completion if you want to purge or recover the key.
await operation.WaitForCompletionAsync();
DeletedKey key = operation.Value;
await client.PurgeDeletedKeyAsync(key.Name);
#endregion
DeleteKeyOperation rsaKeyOperation = client.StartDeleteKey("rsa-key-name");
DeleteKeyOperation ecKeyOperation = client.StartDeleteKey("ec-key-name");
try
{
// You only need to wait for completion if you want to purge or recover the key.
await Task.WhenAll(
rsaKeyOperation.WaitForCompletionAsync().AsTask(),
ecKeyOperation.WaitForCompletionAsync().AsTask());
await Task.WhenAll(
client.PurgeDeletedKeyAsync(rsaKeyOperation.Value.Name),
client.PurgeDeletedKeyAsync(ecKeyOperation.Value.Name));
}
catch
{
// Merely attempt to purge a deleted key since the Key Vault may not have soft delete enabled.
}
}
public async Task RecoverDeletedKey()
{
string keyName = Recording.GenerateId();
KeyVaultKey key = await Client.CreateKeyAsync(keyName, KeyType.Ec);
DeleteKeyOperation deleteOperation = await Client.StartDeleteKeyAsync(keyName);
DeletedKey deletedKey = deleteOperation.Value;
await WaitForDeletedKey(keyName);
Assert.ThrowsAsync <RequestFailedException>(() => Client.GetKeyAsync(keyName));
RecoverDeletedKeyOperation recoverOperation = await Client.StartRecoverDeletedKeyAsync(keyName);
KeyVaultKey recoverKeyResult = recoverOperation.Value;
await WaitForKey(keyName);
KeyVaultKey recoveredKey = await Client.GetKeyAsync(keyName);
RegisterForCleanup(recoveredKey.Name);
AssertKeyVaultKeysEqual(key, deletedKey);
AssertKeyVaultKeysEqual(key, recoverKeyResult);
AssertKeyVaultKeysEqual(key, recoveredKey);
}
public async Task DeleteKey()
{
#region Snippet:DeleteKey
DeleteKeyOperation operation = await client.StartDeleteKeyAsync("key-name");
DeletedKey key = operation.Value;
Console.WriteLine(key.Name);
Console.WriteLine(key.DeletedOn);
#endregion
}
public void DeleteKey()
{
#region Snippet:DeleteKey
DeleteKeyOperation operation = client.StartDeleteKey("key-name");
DeletedKey key = operation.Value;
Console.WriteLine(key.Name);
Console.WriteLine(key.DeletedOn);
#endregion
}
public void DeleteAndPurge()
{
#region Snippet:DeleteAndPurgeKey
DeleteKeyOperation operation = client.StartDeleteKey("key-name");
while (!operation.HasCompleted)
{
Thread.Sleep(2000);
operation.UpdateStatus();
}
DeletedKey key = operation.Value;
client.PurgeDeletedKey(key.Name);
#endregion
}
public async Task DeleteKey()
{
string keyName = Recording.GenerateId();
Key key = await Client.CreateKeyAsync(keyName, KeyType.Ec);
RegisterForCleanup(key.Name, delete: false);
DeletedKey deletedKey = await Client.DeleteKeyAsync(keyName);
Assert.NotNull(deletedKey.DeletedDate);
Assert.NotNull(deletedKey.RecoveryId);
Assert.NotNull(deletedKey.ScheduledPurgeDate);
AssertKeysEqual(key, deletedKey);
Assert.ThrowsAsync <RequestFailedException>(() => Client.GetKeyAsync(keyName));
}
public void DeleteAndPurge()
{
#region Snippet:DeleteAndPurgeKey
DeleteKeyOperation operation = client.StartDeleteKey("key-name");
// You only need to wait for completion if you want to purge or recover the key.
while (!operation.HasCompleted)
{
Thread.Sleep(2000);
operation.UpdateStatus();
}
DeletedKey key = operation.Value;
client.PurgeDeletedKey(key.Name);
#endregion
}
public async Task DeleteRsaHsmKey()
{
string keyName = Recording.GenerateId();
CreateRsaKeyOptions options = new CreateRsaKeyOptions(keyName, hardwareProtected: true);
KeyVaultKey rsaHsmKey = await Client.CreateRsaKeyAsync(options);
RegisterForCleanup(keyName);
DeleteKeyOperation operation = await Client.StartDeleteKeyAsync(keyName);
DeletedKey deletedKey = await operation.WaitForCompletionAsync();
Assert.NotNull(deletedKey.DeletedOn);
Assert.NotNull(deletedKey.RecoveryId);
Assert.NotNull(deletedKey.ScheduledPurgeDate);
AssertKeyVaultKeysEqual(rsaHsmKey, deletedKey);
Assert.ThrowsAsync <RequestFailedException>(() => Client.GetKeyAsync(keyName));
}
public async Task GetDeletedKey()
{
string keyName = Recording.GenerateId();
Key key = await Client.CreateKeyAsync(keyName, KeyType.Ec);
RegisterForCleanup(key.Name, delete: false);
DeletedKey deletedKey = await Client.DeleteKeyAsync(keyName);
await WaitForDeletedKey(keyName);
DeletedKey polledSecret = await Client.GetDeletedKeyAsync(keyName);
Assert.NotNull(deletedKey.DeletedDate);
Assert.NotNull(deletedKey.RecoveryId);
Assert.NotNull(deletedKey.ScheduledPurgeDate);
AssertKeysEqual(deletedKey, polledSecret);
AssertKeysEqual(key, polledSecret);
}
internal PSDeletedKeyVaultKey(DeletedKey deletedKey, VaultUriHelper vaultUriHelper, bool isHsm = false)
{
if (deletedKey == null)
{
throw new ArgumentNullException("deletedKey");
}
if (deletedKey.Key == null || deletedKey.Properties == null)
{
throw new ArgumentException(Resources.InvalidKeyBundle);
}
SetObjectIdentifier(vaultUriHelper, new Microsoft.Azure.KeyVault.KeyIdentifier(deletedKey.Id.ToString()));
Key = deletedKey.Key.ToTrack1JsonWebKey();
KeySize = JwkHelper.ConvertToRSAKey(Key)?.KeySize;
Attributes = new PSKeyVaultKeyAttributes(
deletedKey.Properties.Enabled,
// see https://docs.microsoft.com/en-us/dotnet/standard/datetime/converting-between-datetime-and-offset#conversions-from-datetimeoffset-to-datetime
deletedKey.Properties.ExpiresOn?.UtcDateTime, // time returned by key vault are UTC
deletedKey.Properties.NotBefore?.UtcDateTime,
deletedKey.KeyType.ToString(),
deletedKey.KeyOperations.Select(op => op.ToString()).ToArray(),
deletedKey.Properties.CreatedOn?.UtcDateTime,
deletedKey.Properties.UpdatedOn?.UtcDateTime,
deletedKey.Properties.RecoveryLevel,
deletedKey.Properties.Tags
);
Enabled = deletedKey.Properties.Enabled;
Expires = deletedKey.Properties.ExpiresOn?.UtcDateTime;
NotBefore = deletedKey.Properties.NotBefore?.UtcDateTime;
Created = deletedKey.Properties.CreatedOn?.UtcDateTime;
Updated = deletedKey.Properties.UpdatedOn?.UtcDateTime;
RecoveryLevel = deletedKey.Properties.RecoveryLevel;
Tags = deletedKey.Properties.Tags.ConvertToHashtable();
ScheduledPurgeDate = deletedKey.ScheduledPurgeDate?.UtcDateTime;
DeletedDate = deletedKey.DeletedOn?.UtcDateTime;
IsHsm = isHsm;
}
public async Task GetDeletedKey()
{
string keyName = Recording.GenerateId();
KeyVaultKey key = await Client.CreateKeyAsync(keyName, KeyType.Ec);
RegisterForCleanup(key.Name);
DeleteKeyOperation operation = await Client.StartDeleteKeyAsync(keyName);
DeletedKey deletedKey = operation.Value;
// Wait a little longer since live tests are failing with only a 2s delay.
await WaitForDeletedKey(keyName, KeyVaultTestEnvironment.DefaultPollingInterval);
DeletedKey polledSecret = await Client.GetDeletedKeyAsync(keyName);
Assert.NotNull(deletedKey.DeletedOn);
Assert.NotNull(deletedKey.RecoveryId);
Assert.NotNull(deletedKey.ScheduledPurgeDate);
AssertKeyVaultKeysEqual(deletedKey, polledSecret);
AssertKeyVaultKeysEqual(key, polledSecret);
}
public async Task RecoverDeletedKey()
{
string keyName = Recording.GenerateId();
Key key = await Client.CreateKeyAsync(keyName, KeyType.EllipticCurve);
DeletedKey deletedKey = await Client.DeleteKeyAsync(keyName);
await WaitForDeletedKey(keyName);
Assert.ThrowsAsync <RequestFailedException>(() => Client.GetKeyAsync(keyName));
KeyBase recoverKeyResult = await Client.RecoverDeletedKeyAsync(keyName);
await PollForKey(keyName);
Key recoveredKey = await Client.GetKeyAsync(keyName);
RegisterForCleanup(recoveredKey);
AssertKeysEqual(key, deletedKey);
AssertKeysEqual(key, recoverKeyResult);
AssertKeysEqual(key, recoveredKey);
}
public async Task GetDeletedRsaHsmKey()
{
string keyName = Recording.GenerateId();
CreateRsaKeyOptions options = new CreateRsaKeyOptions(keyName, hardwareProtected: true);
KeyVaultKey rsaHsmKey = await Client.CreateRsaKeyAsync(options);
RegisterForCleanup(keyName);
DeleteKeyOperation operation = await Client.StartDeleteKeyAsync(keyName);
DeletedKey deletedKey = await operation.WaitForCompletionAsync();
await WaitForDeletedKey(keyName);
DeletedKey polledSecret = await Client.GetDeletedKeyAsync(keyName);
Assert.NotNull(deletedKey.DeletedOn);
Assert.NotNull(deletedKey.RecoveryId);
Assert.NotNull(deletedKey.ScheduledPurgeDate);
AssertKeyVaultKeysEqual(deletedKey, polledSecret);
AssertKeyVaultKeysEqual(rsaHsmKey, polledSecret);
}
static async Task Main(string[] args)
{
// Create a new key client using the default credential from Azure.Identity using environment variables previously set,
// including AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID.
var client = new KeyClient(vaultUri: new Uri(keyVaultUrl), credential: new ClientSecretCredential(tenantId, clientId, clientSecret));
// next two lines are just to recover key in case we stop program after deleting and before recovering / purging
//var recoverOperation1 = await client.StartRecoverDeletedKeyAsync("rsa-key-name");
//await recoverOperation1.WaitForCompletionAsync();
// Create a software RSA key
var rsaCreateKey = new CreateRsaKeyOptions("rsa-key-name", hardwareProtected: false);
KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(rsaCreateKey);
Console.WriteLine("Created the key....");
Console.WriteLine($"rsaKey.Name: {rsaKey.Name}");
Console.WriteLine($"rsaKey.KeyType: {rsaKey.KeyType}");
Console.WriteLine("==================================================");
Console.WriteLine();
// Retrieve
KeyVaultKey key = await client.GetKeyAsync("rsa-key-name");
Console.WriteLine("Retrieve the key");
Console.WriteLine($"key.Name: {key.Name}");
Console.WriteLine($"key.KeyType: {key.KeyType}");
Console.WriteLine("==================================================");
Console.WriteLine();
// Update
KeyVaultKey updateKey = await client.CreateKeyAsync("rsa-key-name", KeyType.Rsa);
// You can specify additional application-specific metadata in the form of tags.
updateKey.Properties.Tags["foo"] = "updated tag";
KeyVaultKey updatedKey = await client.UpdateKeyPropertiesAsync(updateKey.Properties);
Console.WriteLine("Update Initiated.");
Console.WriteLine($"updatedKey.Name: {updatedKey.Name}");
Console.WriteLine($"updatedKey.Properties.Version: {updatedKey.Properties.Version}");
Console.WriteLine($"updatedKey.Properties.UpdatedOn: {updatedKey.Properties.UpdatedOn}");
Console.WriteLine("==================================================");
Console.WriteLine();
/// Delete
DeleteKeyOperation operation = await client.StartDeleteKeyAsync("rsa-key-name");
DeletedKey deletedKey = operation.Value;
Console.WriteLine("Delete operation initialted.");
Console.WriteLine($"deletedKey.Name: {deletedKey.Name}");
Console.WriteLine($"deletedKey.DeletedOn: {deletedKey.DeletedOn}");
Console.WriteLine("==================================================");
Console.WriteLine();
// Wait for deletion to complete
await operation.WaitForCompletionAsync();
// Recover deleted key
var recoverOperation = await client.StartRecoverDeletedKeyAsync("rsa-key-name");
await recoverOperation.WaitForCompletionAsync();
Console.WriteLine("Recovery completed");
Console.WriteLine("==================================================");
Console.WriteLine();
// Create crypto client and demo of encryption / decryption
var cryptoClient = new CryptographyClient(keyId: key.Id, credential: new ClientSecretCredential(tenantId, clientId, clientSecret));
byte[] plaintext = Encoding.UTF8.GetBytes("If you can dream it, you can do it.");
// encrypt the data using the algorithm RSAOAEP
EncryptResult encryptResult = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep, plaintext);
Console.WriteLine("Encryption demo.");
Console.WriteLine("Encrypted Base64: " + Convert.ToBase64String(encryptResult.Ciphertext));
Console.WriteLine("==================================================");
Console.WriteLine();
// decrypt the encrypted data.
DecryptResult decryptResult = await cryptoClient.DecryptAsync(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext);
Console.WriteLine("Decryption demo.");
Console.WriteLine("Decrypted: " + Encoding.UTF8.GetString(decryptResult.Plaintext));
Console.WriteLine("==================================================");
Console.WriteLine();
// Purge
DeleteKeyOperation deleteOperation = await client.StartDeleteKeyAsync("rsa-key-name");
await deleteOperation.WaitForCompletionAsync();
DeletedKey purgekey = deleteOperation.Value;
await client.PurgeDeletedKeyAsync(purgekey.Name);
Console.WriteLine("Purge Initiated.");
Console.WriteLine($"purgekey.Name: {purgekey.Name}");
Console.WriteLine("==================================================");
Console.WriteLine();
}
private async Task MigrationGuide()
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Create
KeyClient client = new KeyClient(
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential());
CryptographyClient cryptoClient = new CryptographyClient(
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential());
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Create
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions
using (HttpClient httpClient = new HttpClient())
{
KeyClientOptions options = new KeyClientOptions
{
Transport = new HttpClientTransport(httpClient)
};
#if SNIPPET
KeyClient client = new KeyClient(
#else
client = new KeyClient(
#endif
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential(),
options);
CryptographyClientOptions cryptoOptions = new CryptographyClientOptions
{
Transport = new HttpClientTransport(httpClient)
};
#if SNIPPET
CryptographyClient cryptoClient = new CryptographyClient(
#else
cryptoClient = new CryptographyClient(
#endif
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential(),
cryptoOptions);
}
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateKeys
// Create RSA key.
CreateRsaKeyOptions createRsaOptions = new CreateRsaKeyOptions("rsa-key-name")
{
KeySize = 4096
};
KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(createRsaOptions);
// Create Elliptic-Curve key.
CreateEcKeyOptions createEcOptions = new CreateEcKeyOptions("ec-key-name")
{
CurveName = KeyCurveName.P256
};
KeyVaultKey ecKey = await client.CreateEcKeyAsync(createEcOptions);
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateKeys
}
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_ListKeys
// List all keys asynchronously.
await foreach (KeyProperties item in client.GetPropertiesOfKeysAsync())
{
KeyVaultKey key = await client.GetKeyAsync(item.Name);
}
// List all keys synchronously.
foreach (KeyProperties item in client.GetPropertiesOfKeys())
{
KeyVaultKey key = client.GetKey(item.Name);
}
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_ListKeys
}
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey
// Delete the key.
DeleteKeyOperation deleteOperation = await client.StartDeleteKeyAsync("key-name");
// Purge or recover the deleted key if soft delete is enabled.
if (deleteOperation.Value.RecoveryId != null)
{
// Deleting a key does not happen immediately. Wait for the key to be deleted.
DeletedKey deletedKey = await deleteOperation.WaitForCompletionAsync();
// Purge the deleted key.
await client.PurgeDeletedKeyAsync(deletedKey.Name);
// You can also recover the deleted key using StartRecoverDeletedKeyAsync,
// which returns RecoverDeletedKeyOperation you can await like DeleteKeyOperation above.
}
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey
}
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Encrypt
// Encrypt a message. The plaintext must be small enough for the chosen algorithm.
byte[] plaintext = Encoding.UTF8.GetBytes("Small message to encrypt");
EncryptResult encrypted = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep256, plaintext);
// Decrypt the message.
DecryptResult decrypted = await cryptoClient.DecryptAsync(encrypted.Algorithm, encrypted.Ciphertext);
string message = Encoding.UTF8.GetString(decrypted.Plaintext);
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Encrypt
}
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Wrap
using (Aes aes = Aes.Create())
{
// Use a symmetric key to encrypt large amounts of data, possibly streamed...
// Now wrap the key and store the encrypted key and plaintext IV to later decrypt the key to decrypt the data.
WrapResult wrapped = await cryptoClient.WrapKeyAsync(KeyWrapAlgorithm.RsaOaep256, aes.Key);
// Read the IV and the encrypted key from the payload, then unwrap the key.
UnwrapResult unwrapped = await cryptoClient.UnwrapKeyAsync(wrapped.Algorithm, wrapped.EncryptedKey);
aes.Key = unwrapped.Key;
// Decrypt the payload with the symmetric key.
}
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Wrap
}
}
