Current version is 4.1.0-beta.4, click here for the index

Azure Key Vault Administration library for Java

Azure Key Vault Managed HSM is a fully-managed, highly-available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications using FIPS 140-2 Level 3 validated HSMs.

The Azure Key Vault Administration library clients support administrative tasks such as full backup/restore and key-level role-based access control (RBAC).

Source code | API reference documentation | Product documentation | Samples

Getting started

Adding the package to your project

Maven dependency for the Azure Key Vault Administration library. Add it to your project's POM file.

<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-security-keyvault-administration</artifactId>
    <version>4.1.0-beta.4</version>
</dependency>

Prerequisites

az keyvault create --hsm-name <your-key-vault-mhsm-name> --resource-group <your-resource-group-name> --administrators <your-service-principal-object-id> --location <your-azure-location>

Authenticate the client

In order to interact with the Azure Key Vault service, you'll need to either create an instance of the KeyVaultAccessControlClient or an instance of the class KeyVaultBackupClient. You would need a vault url, which you may see as "DNS Name" in the portal, and client secret credentials (client id, client secret, tenant id) to instantiate a client object using the default DefaultAzureCredential examples shown in this document.

The DefaultAzureCredential way of authentication by providing client secret credentials is being used in this getting started section but you can find more ways to authenticate with azure-identity.

Create/Get credentials

To create/get client secret credentials you can use the Azure Portal, Azure CLI or Azure Cloud Shell.

Here is an Azure Cloud Shell snippet below to

  • Create a service principal and configure its access to Azure resources:
az ad sp create-for-rbac -n <your-application-name> --skip-assignment

Output:

{
    "appId": "generated-app-ID",
    "displayName": "some-app-name",
    "name": "https://some-app-name",
    "password": "random-password",
    "tenant": "tenant-ID"
}
  • Take note of the service principal objectId
az ad sp show --id <appId> --query objectId

Output:

"<your-service-principal-object-id>"
  • Use the returned credentials above to set the AZURECLIENTID (appId), AZURECLIENTSECRET (password), and AZURETENANTID (tenantId) environment variables. The following example shows a way to do this in Bash:
export AZURE_CLIENT_ID="generated-app-ID"
export AZURE_CLIENT_SECRET="random-password"
export AZURE_TENANT_ID="tenant-ID"
  • Create the Managed HSM and grant the above mentioned service principal authorization to perform administrative operations on the Managed HSM (replace <your-resource-group-name> and <your-key-vault-mhsm-name> with your own, unique names and <your-service-principal-object-id> with the value from above):
az keyvault create --hsm-name <your-key-vault-mhsm-name> --resource-group <your-resource-group-name> --administrators <your-service-principal-object-id> --location <your-azure-location>

This service principal is automatically added to the "Managed HSM Administrators" built-in role.

  • Use the aforementioned Azure Key Vault name to retrieve details of your Key Vault, which also contain your Azure Key Vault URL:
az keyvault show --name <your-key-vault-mhsm-name>

Activate your managed HSM

All data plane commands are disabled until the HSM is activated. You will not be able to create keys or assign roles. Only the designated administrators that were assigned during the create command can activate the HSM. To activate the HSM you must download the security domain.

To activate your HSM you need: - Minimum 3 RSA key-pairs (maximum 10). - Specify minimum number of keys required to decrypt the security domain (quorum).

To activate the HSM you send at least 3 (maximum 10) RSA public keys to the HSM, the HSM encrypts the security domain with these keys and sends it back. Once this security domain is successfully downloaded, your HSM is ready to use. You also need to specify quorum, which is the minimum number of private keys required to decrypt the security domain.

The example below shows how to use openssl to generate 3 self signed certificate.

openssl req -newkey rsa:2048 -nodes -keyout cert_0.key -x509 -days 365 -out cert_0.cer
openssl req -newkey rsa:2048 -nodes -keyout cert_1.key -x509 -days 365 -out cert_1.cer
openssl req -newkey rsa:2048 -nodes -keyout cert_2.key -x509 -days 365 -out cert_2.cer

Use the az keyvault security-domain download command to download the security domain and activate your managed HSM.

The example below, uses 3 RSA key pairs (only public keys are needed for this command) and sets the quorum to 2.

az keyvault security-domain download --hsm-name <your-key-vault-mhsm-name> --sd-wrapping-keys ./certs/cert_0.cer ./certs/cert_1.cer ./certs/cert_2.cer --sd-quorum 2 --security-domain-file ContosoMHSM-SD.json

Controlling access to your managed HSM

The designated administrators assigned during creation are automatically added to the "Managed HSM Administrators" built-in role, who are able to download a security domain and manage roles for data plane access, among other limited permissions.

To perform other actions on keys, you need to assign principals to other roles such as "Managed HSM Crypto User", which can perform non-destructive key operations:

az keyvault role assignment create --hsm-name <your-key-vault-mhsm-name> --role "Managed HSM Crypto User" --scope / --assignee-object-id <principal-or-user-object-ID> --assignee-principal-type <principal-type>

Please read best practices for properly securing your managed HSM.

Key concepts

Key Vault Access Control client:

The Key Vault Access Control client performs the interactions with the Azure Key Vault service for getting, setting, deleting, and listing role assignments, as well as listing role definitions. Asynchronous (KeyVaultAccessControlAsyncClient) and synchronous (KeyVaultAccessControlClient) clients exist in the SDK allowing for the selection of a client based on an application's use case. Once you've initialized a role assignment, you can interact with the primary resource types in Key Vault.

Role Definition

A role definition is a collection of permissions. It defines the operations that can be performed, such as read, write, and delete. It can also define the operations that are excluded from allowed operations.

Role definitions can be listed and specified as part of a role assignment.

Role Assignment

A role assignment is the association of a role definition to a service principal. They can be created, listed, fetched individually, and deleted.

Key Vault Backup client

The Key Vault Backup Client provides both synchronous and asynchronous operations for performing full key backups, full key restores, and selective key restores. Asynchronous (KeyVaultBackupAsyncClient) and synchronous (KeyVaultBackupClient) clients exist in the SDK allowing for the selection of a client based on an application's use case.

NOTE: The backing store for key backups is a blob storage container using Shared Access Signature authentication. For more details on creating a SAS token using the BlobServiceClient, see the Azure Storage Blobs client README. Alternatively, it is possible to generate a SAS token in Storage Explorer.

Backup Operation

A backup operation represents a long-running operation for a full key backup.

Restore Operation

A restore operation represents a long-running operation for both a full key and selective key restore.

Create an Access Control client

Once you've populated the AZURECLIENTID, AZURECLIENTSECRET, and AZURETENANTID environment variables and replaced your-key-vault-url with the URI returned above, you can create the KeyVaultAccessControlClient:

KeyVaultAccessControlClient keyVaultAccessControlClient = new KeyVaultAccessControlClientBuilder()
    .vaultUrl("<your-key-vault-url>")
    .credential(new DefaultAzureCredentialBuilder().build())
    .buildClient();

NOTE: For using an asynchronous client use KeyVaultAccessControlAsyncClient instead of KeyVaultAccessControlClient and call buildAsyncClient()

Examples

Sync API

The following sections provide several code snippets covering some of the most common Azure Key Vault Access Control service tasks, including: - List role definitions - Create or update a role definition - Retrieve a role definition - List role assignments - Create a role assignment - Retrieve a role assignment - Delete a role assignment

List role definitions

List the role definitions in the key vault by calling listRoleDefinitions().

PagedIterable<KeyVaultRoleDefinition> roleDefinitions =
    keyVaultAccessControlClient.listRoleDefinitions(KeyVaultRoleScope.GLOBAL);

roleDefinitions.forEach(roleDefinition ->
    System.out.printf("Retrieved role definition with name '%s'.%n", roleDefinition.getName()));

Create or update a role definition

Create or update a role definition in the key vault. The following example shows how to create a role definition with a randomly generated name.

KeyVaultRoleDefinition roleDefinition = keyVaultAccessControlClient.setRoleDefinition(KeyVaultRoleScope.GLOBAL);

System.out.printf("Created role definition with randomly generated name '%s' and role name '%s'.%n",
    roleDefinition.getName(), roleDefinition.getRoleName());

Retrieve a role definition

Get an existing role definition. To do this, the scope and 'name' property from an existing role definition are required.

String roleDefinitionName = "<role-definition-name>";
KeyVaultRoleDefinition roleDefinition =
    keyVaultAccessControlClient.getRoleDefinition(KeyVaultRoleScope.GLOBAL, roleDefinitionName);

System.out.printf("Retrieved role definition with name '%s' and role name '%s'.%n", roleDefinition.getName(),
    roleDefinition.getRoleName());

Delete a role definition

Delete a role definition. To do this, the scope and 'name' property property from an existing role definition are required.

String roleDefinitionName = "<role-definition-name>";

keyVaultAccessControlClient.deleteRoleDefinition(KeyVaultRoleScope.GLOBAL, roleDefinitionName);

System.out.printf("Deleted role definition with name '%s'.%n", roleDefinitionName);

List role assignments

List the role assignments in the key vault by calling listRoleAssignments().

PagedIterable<KeyVaultRoleAssignment> roleAssignments =
    keyVaultAccessControlClient.listRoleAssignments(KeyVaultRoleScope.GLOBAL);

roleAssignments.forEach(roleAssignment ->
    System.out.printf("Retrieved role assignment with name '%s'.%n", roleAssignment.getName()));

Create a role assignment

Create a role assignment in the key vault. To do this a role definition ID and a service principal object ID are required.

A role definition ID can be obtained from the 'id' property of one of the role definitions returned from listRoleDefinitions().

See the Create/Get Credentials section for links and instructions on how to generate a new service principal and obtain it's object ID. You can also get the object ID for your currently signed in account by running the following Azure CLI command:

az ad signed-in-user show --query objectId
String roleDefinitionId = "<role-definition-id>";
String servicePrincipalId = "<service-principal-id>";
KeyVaultRoleAssignment roleAssignment =
    keyVaultAccessControlClient.createRoleAssignment(KeyVaultRoleScope.GLOBAL, roleDefinitionId,
        servicePrincipalId);

System.out.printf("Created role assignment with randomly generated name '%s' for principal with id '%s'.%n",
    roleAssignment.getName(), roleAssignment.getProperties().getPrincipalId());

Retrieve a role assignment

Get an existing role assignment. To do this, the 'name' property from an existing role assignment is required.

String roleAssignmentName = "<role-assignment-name>";
KeyVaultRoleAssignment roleAssignment =
    keyVaultAccessControlClient.getRoleAssignment(KeyVaultRoleScope.GLOBAL, roleAssignmentName);

System.out.printf("Retrieved role assignment with name '%s'.%n", roleAssignment.getName());

Delete a role assignment

To remove a role assignment from a service principal, the role assignment must be deleted. To do this, the 'name' property from an existing role assignment is required.

String roleAssignmentName = "<role-assignment-name>";

keyVaultAccessControlClient.deleteRoleAssignment(KeyVaultRoleScope.GLOBAL, roleAssignmentName);

System.out.printf("Deleted role assignment with name '%s'.%n", roleAssignmentName);

Async API

The following sections provide several code snippets covering some of the most common asynchronous Azure Key Vault Access Control service tasks, including: - List role definitions asynchronously - Create or update a role definition asynchronously - Retrieve a role definition asynchronously - Delete a role definition asynchronously - List role assignments asynchronously - Create a role assignment asynchronously - Retrieve a role assignment asynchronously - Delete a role assignment asynchronously

Note : You should add System.in.read() or Thread.sleep() after the function calls in the main class/thread to allow async functions/operations to execute and finish before the main application/thread exits.

List role definitions asynchronously

List the role definitions in the key vault by calling listRoleDefinitions().

keyVaultAccessControlAsyncClient.listRoleDefinitions(KeyVaultRoleScope.GLOBAL)
    .subscribe(roleDefinition ->
        System.out.printf("Retrieved role definition with name '%s'.%n", roleDefinition.getName()));

Create or update a role definition asynchronously

Create or update a role definition in the key vault. The following example shows how to create a role definition with a randomly generated name.

keyVaultAccessControlAsyncClient.setRoleDefinition(KeyVaultRoleScope.GLOBAL)
    .subscribe(roleDefinition ->
        System.out.printf("Created role definition with randomly generated name '%s' and role name '%s'.%n",
            roleDefinition.getName(), roleDefinition.getRoleName()));

Retrieve a role definition asynchronously

Get an existing role definition. To do this, the 'name' property from an existing role definition is required.

String roleDefinitionName = "<role-definition-name>";

keyVaultAccessControlAsyncClient.getRoleDefinition(KeyVaultRoleScope.GLOBAL, roleDefinitionName)
    .subscribe(roleDefinition ->
        System.out.printf("Retrieved role definition with name '%s' and role name '%s'.%n",
            roleDefinition.getName(), roleDefinition.getRoleName()));

Delete a role definition asynchronously

Delete a role definition. To do this, the 'name' property from an existing role definition is required.

String roleDefinitionName = "<role-definition-name>";

keyVaultAccessControlAsyncClient.deleteRoleDefinition(KeyVaultRoleScope.GLOBAL, roleDefinitionName)
    .subscribe(unused -> System.out.printf("Deleted role definition with name '%s'.%n", roleDefinitionName));

List role assignments asynchronously

List the role assignments in the key vault by calling listRoleAssignments().

keyVaultAccessControlAsyncClient.listRoleAssignments(KeyVaultRoleScope.GLOBAL)
    .subscribe(roleAssignment ->
        System.out.printf("Retrieved role assignment with name '%s'.%n", roleAssignment.getName()));

Create a role assignment asynchronously

Create a role assignment in the key vault. To do this a role definition ID and a service principal object ID are required.

A role definition ID can be obtained from the 'id' property of one of the role definitions returned from listRoleDefinitions().

See the Create/Get Credentials section for links and instructions on how to generate a new service principal and obtain it's object ID. You can also get the object ID for your currently signed in account by running the following Azure CLI command:

az ad signed-in-user show --query objectId
String roleDefinitionId = "<role-definition-id>";
String servicePrincipalId = "<service-principal-id>";

keyVaultAccessControlAsyncClient.createRoleAssignment(KeyVaultRoleScope.GLOBAL, roleDefinitionId,
    servicePrincipalId).subscribe(roleAssignment ->
        System.out.printf("Created role assignment with randomly generated name '%s' for principal with id"
            + "'%s'.%n", roleAssignment.getName(), roleAssignment.getProperties().getPrincipalId()));

Retrieve a role assignment asynchronously

Get an existing role assignment. To do this, the 'name' property from an existing role assignment is required.

String roleAssignmentName = "<role-assignment-name>";

keyVaultAccessControlAsyncClient.getRoleAssignment(KeyVaultRoleScope.GLOBAL, roleAssignmentName)
    .subscribe(roleAssignment ->
        System.out.printf("Retrieved role assignment with name '%s'.%n", roleAssignment.getName()));

Delete a role assignment asynchronously

To remove a role assignment from a service principal, the role assignment must be deleted. To do this, the 'name' property from an existing role assignment is required.

String roleAssignmentName = "<role-assignment-name>";

keyVaultAccessControlAsyncClient.deleteRoleAssignment(KeyVaultRoleScope.GLOBAL, roleAssignmentName)
    .subscribe(unused ->
        System.out.printf("Deleted role assignment with name '%s'.%n", roleAssignmentName));

Create a Backup client

Once you've populated the AZURECLIENTID, AZURECLIENTSECRET, and AZURETENANTID environment variables and replaced your-key-vault-url with the URI returned above, you can create the KeyVaultBackupClient:

KeyVaultBackupClient keyVaultBackupClient = new KeyVaultBackupClientBuilder()
    .vaultUrl("<your-key-vault-url>")
    .credential(new DefaultAzureCredentialBuilder().build())
    .buildClient();

NOTE: For using an asynchronous client use KeyVaultBackupAsyncClient instead of KeyVaultBackupClient and call buildAsyncClient()

Examples

Sync API

The following sections provide several code snippets covering some of the most common Azure Key Vault Backup client tasks, including: - Backup a Key Vault - Restore a Key Vault - Restore a key

Backup a collection of keys

Back up an entire collection of keys using beginBackup().

String blobStorageUrl = "https://myaccount.blob.core.windows.net/myContainer";
String sasToken = "sv=2020-02-10&ss=b&srt=o&sp=rwdlactfx&se=2021-06-17T07:13:07Z&st=2021-06-16T23:13:07Z&spr=https&sig=n5V6fnlkViEF9b7ij%2FttTHNwO2BdFIHKHppRxGAyJdc%3D";

SyncPoller<KeyVaultBackupOperation, String> backupPoller =
    keyVaultBackupClient.beginBackup(blobStorageUrl, sasToken);

PollResponse<KeyVaultBackupOperation> pollResponse = backupPoller.poll();

System.out.printf("The current status of the operation is: %s.%n", pollResponse.getStatus());

PollResponse<KeyVaultBackupOperation> finalPollResponse = backupPoller.waitForCompletion();

if (finalPollResponse.getStatus() == LongRunningOperationStatus.SUCCESSFULLY_COMPLETED) {
    String folderUrl = backupPoller.getFinalResult();

    System.out.printf("Backup completed. The storage location of this backup is: %s.%n", folderUrl);
} else {
    KeyVaultBackupOperation operation = backupPoller.poll().getValue();

    System.out.printf("Backup failed with error: %s.%n", operation.getError().getMessage());
}

Restore a collection of keys

Restore an entire collection of keys from a backup using beginRestore().

String folderUrl = "https://myaccount.blob.core.windows.net/myContainer/mhsm-myaccount-2020090117323313";
String sasToken = "sv=2020-02-10&ss=b&srt=o&sp=rwdlactfx&se=2021-06-17T07:13:07Z&st=2021-06-16T23:13:07Z&spr=https&sig=n5V6fnlkViEF9b7ij%2FttTHNwO2BdFIHKHppRxGAyJdc%3D";

SyncPoller<KeyVaultRestoreOperation, KeyVaultRestoreResult> backupPoller =
    keyVaultBackupClient.beginRestore(folderUrl, sasToken);

PollResponse<KeyVaultRestoreOperation> pollResponse = backupPoller.poll();

System.out.printf("The current status of the operation is: %s.%n", pollResponse.getStatus());

PollResponse<KeyVaultRestoreOperation> finalPollResponse = backupPoller.waitForCompletion();

if (finalPollResponse.getStatus() == LongRunningOperationStatus.SUCCESSFULLY_COMPLETED) {
    System.out.printf("Backup restored successfully.%n");
} else {
    KeyVaultRestoreOperation operation = backupPoller.poll().getValue();

    System.out.printf("Restore failed with error: %s.%n", operation.getError().getMessage());
}

Selectively restore a key

Restore a specific key from a backup using beginSelectiveRestore().

String folderUrl = "https://myaccount.blob.core.windows.net/myContainer/mhsm-myaccount-2020090117323313";
String sasToken = "sv=2020-02-10&ss=b&srt=o&sp=rwdlactfx&se=2021-06-17T07:13:07Z&st=2021-06-16T23:13:07Z&spr=https&sig=n5V6fnlkViEF9b7ij%2FttTHNwO2BdFIHKHppRxGAyJdc%3D";
String keyName = "myKey";

SyncPoller<KeyVaultSelectiveKeyRestoreOperation, KeyVaultSelectiveKeyRestoreResult> backupPoller =
    keyVaultBackupClient.beginSelectiveKeyRestore(folderUrl, sasToken, keyName);

PollResponse<KeyVaultSelectiveKeyRestoreOperation> pollResponse = backupPoller.poll();

System.out.printf("The current status of the operation is: %s.%n", pollResponse.getStatus());

PollResponse<KeyVaultSelectiveKeyRestoreOperation> finalPollResponse = backupPoller.waitForCompletion();

if (finalPollResponse.getStatus() == LongRunningOperationStatus.SUCCESSFULLY_COMPLETED) {
    System.out.printf("Key restored successfully.%n");
} else {
    KeyVaultSelectiveKeyRestoreOperation operation = backupPoller.poll().getValue();

    System.out.printf("Key restore failed with error: %s.%n", operation.getError().getMessage());
}

Async API

The following sections provide several code snippets covering some of the most common asynchronous Azure Key Vault Backup client tasks, including: - Backup a Key Vault asynchronously - Restore a Key Vault asynchronously - Restore a key asynchronously

Note : You should add System.in.read() or Thread.sleep() after the function calls in the main class/thread to allow async functions/operations to execute and finish before the main application/thread exits.

Backup a collection of keys asynchronously

Back up an entire collection of keys using beginBackup().

String blobStorageUrl = "https://myaccount.blob.core.windows.net/myContainer";
String sasToken = "sv=2020-02-10&ss=b&srt=o&sp=rwdlactfx&se=2021-06-17T07:13:07Z&st=2021-06-16T23:13:07Z&spr=https&sig=n5V6fnlkViEF9b7ij%2FttTHNwO2BdFIHKHppRxGAyJdc%3D";

keyVaultBackupAsyncClient.beginBackup(blobStorageUrl, sasToken)
    .setPollInterval(Duration.ofSeconds(1)) // You can set a custom polling interval.
    .doOnError(e -> System.out.printf("Backup failed with error: %s.%n", e.getMessage()))
    .doOnNext(pollResponse ->
        System.out.printf("The current status of the operation is: %s.%n", pollResponse.getStatus()))
    .filter(pollResponse -> pollResponse.getStatus() == LongRunningOperationStatus.SUCCESSFULLY_COMPLETED)
    .flatMap(AsyncPollResponse::getFinalResult)
    .subscribe(folderUrl ->
        System.out.printf("Backup completed. The storage location of this backup is: %s.%n", folderUrl));

Restore a collection of keys asynchronously

Restore an entire collection of keys from a backup using beginRestore().

String folderUrl = "https://myaccount.blob.core.windows.net/myContainer/mhsm-myaccount-2020090117323313";
String sasToken = "sv=2020-02-10&ss=b&srt=o&sp=rwdlactfx&se=2021-06-17T07:13:07Z&st=2021-06-16T23:13:07Z&spr=https&sig=n5V6fnlkViEF9b7ij%2FttTHNwO2BdFIHKHppRxGAyJdc%3D";

keyVaultBackupAsyncClient.beginRestore(folderUrl, sasToken)
    .setPollInterval(Duration.ofSeconds(1)) // You can set a custom polling interval.
    .doOnError(e -> System.out.printf("Restore failed with error: %s.%n", e.getMessage()))
    .doOnNext(pollResponse ->
        System.out.printf("The current status of the operation is: %s.%n", pollResponse.getStatus()))
    .filter(pollResponse -> pollResponse.getStatus() == LongRunningOperationStatus.SUCCESSFULLY_COMPLETED)
    .flatMap(AsyncPollResponse::getFinalResult)
    .subscribe(unused -> System.out.printf("Backup restored successfully.%n"));

Selectively restore a key asynchronously

Restore an entire collection of keys from a backup using beginSelectiveRestore().

String folderUrl = "https://myaccount.blob.core.windows.net/myContainer/mhsm-myaccount-2020090117323313";
String sasToken = "sv=2020-02-10&ss=b&srt=o&sp=rwdlactfx&se=2021-06-17T07:13:07Z&st=2021-06-16T23:13:07Z&spr=https&sig=n5V6fnlkViEF9b7ij%2FttTHNwO2BdFIHKHppRxGAyJdc%3D";
String keyName = "myKey";

keyVaultBackupAsyncClient.beginSelectiveKeyRestore(folderUrl, sasToken, keyName)
    .setPollInterval(Duration.ofSeconds(1)) // You can set a custom polling interval.
    .doOnError(e -> System.out.printf("Key restoration failed with error: %s.%n", e.getMessage()))
    .doOnNext(pollResponse ->
        System.out.printf("The current status of the operation is: %s.%n", pollResponse.getStatus()))
    .filter(pollResponse -> pollResponse.getStatus() == LongRunningOperationStatus.SUCCESSFULLY_COMPLETED)
    .flatMap(AsyncPollResponse::getFinalResult)
    .subscribe(unused -> System.out.printf("Key restored successfully.%n"));

Troubleshooting

General

Azure Key Vault Access Control clients raise exceptions. For example, if you try to retrieve a role assignment after it is deleted a 404 error is returned, indicating the resource was not found. In the following snippet, the error is handled gracefully by catching the exception and displaying additional information about the error.

try {
    keyVaultAccessControlClient.getRoleAssignment(KeyVaultRoleScope.GLOBAL, "<role-assginment-name>");
} catch (HttpResponseException e) {
    System.out.println(e.getMessage());
}

Default HTTP client

All client libraries by default use the Netty HTTP client. Adding the above dependency will automatically configure the client library to use the Netty HTTP client. Configuring or changing the HTTP client is detailed in the HTTP clients wiki.

Default SSL library

All client libraries, by default, use the Tomcat-native Boring SSL library to enable native-level performance for SSL operations. The Boring SSL library is an Uber JAR containing native libraries for Linux / macOS / Windows, and provides better performance compared to the default SSL implementation within the JDK. For more information, including how to reduce the dependency size, refer to the performance tuning section of the wiki.

Next steps

Several Key Vault Java SDK samples are available to you in the SDK's GitHub repository. These samples provide example code for additional scenarios commonly encountered while working with Azure Key Vault.

Additional documentation

For more extensive documentation on Azure Key Vault, see the API reference documentation.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Packages 
Package Description
com.azure.security.keyvault.administration
Package containing classes for creating clients KeyVaultAccessControlAsyncClient and KeyVaultAccessControlClient that perform access control operations on Azure Key Vault resources, as well as clients KeyVaultBackupAsyncClient and KeyVaultBackupClient that perform backup and restore operations on Azure Key Vault keys.
com.azure.security.keyvault.administration.models
Package containing classes used by KeyVaultAccessControlAsyncClient and KeyVaultAccessControlClient to perform access control operations on Azure Key Vault resources, as well as classes used by KeyVaultBackupAsyncClient and KeyVaultBackupClient to perform backup and restore operations on on Azure Key Vault keys.