public async Task BackupAndRestoreAsync()
{
// Environment variable with the Key Vault endpoint.
string keyVaultUrl = TestEnvironment.KeyVaultUrl;
// Instantiate a key client that will be used to call the service. Notice that the client is using default Azure
// credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
// 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials.
var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
// Let's create a RSA key valid for 1 year. If the key
// already exists in the Key Vault, then a new version of the key is created.
string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}";
var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false)
{
KeySize = 2048,
ExpiresOn = DateTimeOffset.Now.AddYears(1)
};
KeyVaultKey storedKey = await client.CreateRsaKeyAsync(rsaKey);
// You might make backups in case keys get accidentally deleted.
// For long term storage, it is ideal to write the backup to a file, disk, database, etc.
// For the purposes of this sample, we are storing the back up in a temporary memory area.
byte[] byteKey = await client.BackupKeyAsync(rsaKeyName);
using (var memoryStream = new MemoryStream())
{
memoryStream.Write(byteKey, 0, byteKey.Length);
// The storage account key is no longer in use, so you delete it.
DeleteKeyOperation operation = await client.StartDeleteKeyAsync(rsaKeyName);
// To ensure the key is deleted on server before we try to purge it.
await operation.WaitForCompletionAsync();
// If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged.
await client.PurgeDeletedKeyAsync(rsaKeyName);
// After sometime, the key is required again. We can use the backup value to restore it in the Key Vault.
KeyVaultKey restoredKey = await client.RestoreKeyBackupAsync(memoryStream.ToArray());
AssertKeysEqual(storedKey.Properties, restoredKey.Properties);
// Delete and purge the restored key.
operation = await client.StartDeleteKeyAsync(rsaKeyName);
// You only need to wait for completion if you want to purge or recover the key.
await operation.WaitForCompletionAsync();
await client.PurgeDeletedKeyAsync(rsaKeyName);
}
}
private string BackupKey(KeyClient client, string keyName, string outputBlobPath)
{
BackupKeyResult backupKeyResult;
try
{
backupKeyResult = new BackupKeyResult(client.BackupKeyAsync(keyName).GetAwaiter().GetResult());
}
catch (Exception ex)
{
throw GetInnerException(ex);
}
File.WriteAllBytes(outputBlobPath, backupKeyResult.Value);
return(outputBlobPath);
}
public async Task BackupAndRestoreAsync()
{
// Environment variable with the Key Vault endpoint.
string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL");
// Instantiate a key client that will be used to call the service. Notice that the client is using default Azure
// credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
// 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials.
var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
// Let's create a RSA key valid for 1 year. If the key
// already exists in the Key Vault, then a new version of the key is created.
string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}";
var rsaKey = new RsaKeyCreateOptions(rsaKeyName, hsm: false, keySize: 2048)
{
Expires = DateTimeOffset.Now.AddYears(1)
};
Key storedKey = await client.CreateRsaKeyAsync(rsaKey);
// Backups are good to have if in case keys get accidentally deleted by you.
// For long term storage, it is ideal to write the backup to a file, disk, database, etc.
// For the purposes of this sample, we are storing the bakup in a temporary memory area.
byte[] byteKey = await client.BackupKeyAsync(rsaKeyName);
using (var memoryStream = new MemoryStream())
{
memoryStream.Write(byteKey, 0, byteKey.Length);
// The storage account key is no longer in use, so you delete it.
await client.DeleteKeyAsync(rsaKeyName);
// To ensure the key is deleted on server side.
Assert.IsTrue(await WaitForDeletedKeyAsync(client, rsaKeyName));
// If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged.
await client.PurgeDeletedKeyAsync(rsaKeyName);
// After sometime, the key is required again. We can use the backup value to restore it in the Key Vault.
Key restoredKey = await client.RestoreKeyAsync(memoryStream.ToArray());
AssertKeysEqual(storedKey.Properties, restoredKey.Properties);
}
}
