public final class KeyClient extends Object
KeyClient
provides synchronous methods to manage keys
in the Azure Key Vault. The
client supports creating, retrieving, updating, deleting, purging, backing up, restoring, listing, releasing and
rotating the keys
. The client also supports listing deleted keys
for a
soft-delete enabled Azure Key Vault.
Samples to construct the sync client
KeyClient keyClient = new KeyClientBuilder() .vaultUrl("https://myvault.azure.net/") .credential(new DefaultAzureCredentialBuilder().build()) .buildClient();
KeyClientBuilder
,
PagedIterable
Modifier and Type | Method and Description |
---|---|
byte[] |
backupKey(String name)
Requests a backup of the specified
key be downloaded to the client. |
com.azure.core.http.rest.Response<byte[]> |
backupKeyWithResponse(String name,
com.azure.core.util.Context context)
Requests a backup of the specified
key be downloaded to the client. |
com.azure.core.util.polling.SyncPoller<DeletedKey,Void> |
beginDeleteKey(String name)
Deletes a
key of any type from the key vault. |
com.azure.core.util.polling.SyncPoller<KeyVaultKey,Void> |
beginRecoverDeletedKey(String name)
Recovers the
deleted key in the key vault to its latest version and can only be performed
on a soft-delete enabled vault. |
KeyVaultKey |
createEcKey(CreateEcKeyOptions createEcKeyOptions)
Creates a new
EC key and stores it in the key vault. |
com.azure.core.http.rest.Response<KeyVaultKey> |
createEcKeyWithResponse(CreateEcKeyOptions createEcKeyOptions,
com.azure.core.util.Context context)
Creates a new
EC key and stores it in the key vault. |
KeyVaultKey |
createKey(CreateKeyOptions createKeyOptions)
Creates a new
key and stores it in the key vault. |
KeyVaultKey |
createKey(String name,
KeyType keyType)
Creates a new
key and stores it in the key vault. |
com.azure.core.http.rest.Response<KeyVaultKey> |
createKeyWithResponse(CreateKeyOptions createKeyOptions,
com.azure.core.util.Context context)
Creates a new
key and stores it in the key vault. |
KeyVaultKey |
createOctKey(CreateOctKeyOptions createOctKeyOptions)
Creates and stores a new
symmetric key in the key vault. |
com.azure.core.http.rest.Response<KeyVaultKey> |
createOctKeyWithResponse(CreateOctKeyOptions createOctKeyOptions,
com.azure.core.util.Context context)
Creates and stores a new
symmetric key in the key vault. |
KeyVaultKey |
createRsaKey(CreateRsaKeyOptions createRsaKeyOptions)
Creates a new
RSA key and stores it in the key vault. |
com.azure.core.http.rest.Response<KeyVaultKey> |
createRsaKeyWithResponse(CreateRsaKeyOptions createRsaKeyOptions,
com.azure.core.util.Context context)
Creates a new
RSA key and stores it in the key vault. |
CryptographyClient |
getCryptographyClient(String keyName)
Creates a
CryptographyClient for the latest version of a given key. |
CryptographyClient |
getCryptographyClient(String keyName,
String keyVersion)
Creates a
CryptographyClient for a given key version. |
DeletedKey |
getDeletedKey(String name)
Gets the public part of a
deleted key . |
com.azure.core.http.rest.Response<DeletedKey> |
getDeletedKeyWithResponse(String name,
com.azure.core.util.Context context)
Gets the public part of a
deleted key . |
KeyVaultKey |
getKey(String name)
Gets the public part of the specified
key and key version. |
KeyVaultKey |
getKey(String name,
String version)
Gets the public part of the specified
key and key version. |
KeyRotationPolicy |
getKeyRotationPolicy(String name)
Gets the
KeyRotationPolicy for the key with the provided name. |
com.azure.core.http.rest.Response<KeyRotationPolicy> |
getKeyRotationPolicyWithResponse(String name,
com.azure.core.util.Context context)
Gets the
KeyRotationPolicy for the key with the provided name. |
com.azure.core.http.rest.Response<KeyVaultKey> |
getKeyWithResponse(String name,
String version,
com.azure.core.util.Context context)
Gets the public part of the specified
key and key version. |
RandomBytes |
getRandomBytes(int count)
Get the requested number of bytes containing random values from a managed HSM.
|
com.azure.core.http.rest.Response<RandomBytes> |
getRandomBytesWithResponse(int count,
com.azure.core.util.Context context)
Get the requested number of bytes containing random values from a managed HSM.
|
String |
getVaultUrl()
Get the vault endpoint url to which service requests are sent to.
|
KeyVaultKey |
importKey(ImportKeyOptions importKeyOptions)
Imports an externally created
key and stores it in the key vault. |
KeyVaultKey |
importKey(String name,
JsonWebKey keyMaterial)
Imports an externally created
key and stores it in the key vault. |
com.azure.core.http.rest.Response<KeyVaultKey> |
importKeyWithResponse(ImportKeyOptions importKeyOptions,
com.azure.core.util.Context context)
Imports an externally created
key and stores it in the key vault. |
com.azure.core.http.rest.PagedIterable<DeletedKey> |
listDeletedKeys()
Lists
deleted keys of the key vault. |
com.azure.core.http.rest.PagedIterable<DeletedKey> |
listDeletedKeys(com.azure.core.util.Context context)
Lists
deleted keys of the key vault. |
com.azure.core.http.rest.PagedIterable<KeyProperties> |
listPropertiesOfKeys()
List
keys in the key vault. |
com.azure.core.http.rest.PagedIterable<KeyProperties> |
listPropertiesOfKeys(com.azure.core.util.Context context)
List
keys in the key vault. |
com.azure.core.http.rest.PagedIterable<KeyProperties> |
listPropertiesOfKeyVersions(String name)
List all versions of the specified
keys . |
com.azure.core.http.rest.PagedIterable<KeyProperties> |
listPropertiesOfKeyVersions(String name,
com.azure.core.util.Context context)
List all versions of the specified
keys . |
void |
purgeDeletedKey(String name)
Permanently deletes the specified
key without the possibility of recovery. |
com.azure.core.http.rest.Response<Void> |
purgeDeletedKeyWithResponse(String name,
com.azure.core.util.Context context)
Permanently deletes the specified
key without the possibility of recovery. |
ReleaseKeyResult |
releaseKey(String name,
String target)
Releases the latest version of a
key . |
ReleaseKeyResult |
releaseKey(String name,
String version,
String target)
Releases a specific version of a
key . |
com.azure.core.http.rest.Response<ReleaseKeyResult> |
releaseKeyWithResponse(String name,
String version,
String target,
ReleaseKeyOptions options,
com.azure.core.util.Context context)
Releases a
key . |
KeyVaultKey |
restoreKeyBackup(byte[] backup)
Restores a backed up
key to a vault. |
com.azure.core.http.rest.Response<KeyVaultKey> |
restoreKeyBackupWithResponse(byte[] backup,
com.azure.core.util.Context context)
Restores a backed up
key to a vault. |
KeyVaultKey |
rotateKey(String name)
Rotates a
key . |
com.azure.core.http.rest.Response<KeyVaultKey> |
rotateKeyWithResponse(String name,
com.azure.core.util.Context context)
Rotates a
key . |
KeyVaultKey |
updateKeyProperties(KeyProperties keyProperties,
KeyOperation... keyOperations)
Updates the
attributes and key operations associated with the
specified key , but not the cryptographic key material of the specified
key in the key vault. |
com.azure.core.http.rest.Response<KeyVaultKey> |
updateKeyPropertiesWithResponse(KeyProperties keyProperties,
com.azure.core.util.Context context,
KeyOperation... keyOperations)
Updates the
attributes and key operations associated with the
specified key , but not the cryptographic key material of the specified
key in the key vault. |
KeyRotationPolicy |
updateKeyRotationPolicy(String name,
KeyRotationPolicyProperties keyRotationPolicyProperties)
Updates the
KeyRotationPolicy of the key with the provided name. |
com.azure.core.http.rest.Response<KeyRotationPolicy> |
updateKeyRotationPolicyWithResponse(String name,
KeyRotationPolicyProperties keyRotationPolicyProperties,
com.azure.core.util.Context context)
Updates the
KeyRotationPolicy of the key with the provided name. |
public String getVaultUrl()
public CryptographyClient getCryptographyClient(String keyName)
CryptographyClient
for the latest version of a given key.
To ensure correct behavior when performing operations such as Decrypt
, Unwrap
and
Verify
, it is recommended to use a CryptographyClient
created for the specific key
version that was used for the corresponding inverse operation: Encrypt
, Wrap
, or
Sign
, respectively.
You can provide a key version either via KeyClient.getCryptographyClient(String, String)
or by
ensuring it is included in the keyIdentifier
passed to
CryptographyClientBuilder.keyIdentifier(String)
before building a client.
keyName
- The name of the key.CryptographyClient
associated with the latest version of a key with the
provided name.IllegalArgumentException
- If keyName
is null
or empty.public CryptographyClient getCryptographyClient(String keyName, String keyVersion)
CryptographyClient
for a given key version.keyName
- The name of the key.keyVersion
- The key version.CryptographyClient
associated with a key with the provided name and version.
If keyVersion
is null
or empty, the client will use the latest version of the key.IllegalArgumentException
- If keyName
is null
or empty.public KeyVaultKey createKey(String name, KeyType keyType)
key
and stores it in the key vault. The create key operation can be used to
create any keyType
in Azure Key Vault. If a key
with the provided name
already exists, Azure Key Vault creates a new version of the key
. It requires the
keys/create
permission.
The keyType
indicates the type of key
to create. Possible values include:
EC
, EC-HSM
, RSA
, RSA-HSM
,
OCT
and OCT-HSM
.
Code Samples
Creates a new EC key
. Prints out the details of the created key
.
KeyVaultKey key = keyClient.createKey("keyName", KeyType.EC); System.out.printf("Created key with name: %s and id: %s%n", key.getName(), key.getId());
name
- The name of the key
being created.keyType
- The type of key
to create. For valid values, see KeyType
.created key
.com.azure.core.exception.ResourceModifiedException
- If name
or keyType
are null
.com.azure.core.exception.HttpResponseException
- If name
is an empty string.public KeyVaultKey createKey(CreateKeyOptions createKeyOptions)
key
and stores it in the key vault. The create key operation can be used to
create any keyType
in Azure Key Vault. If a key
with the provided name
already exists, Azure Key Vault creates a new version of the key
. It requires the
keys/create
permission.
The CreateKeyOptions
parameter is required. The expires
and
notBefore
values are optional. The
CreateKeyOptions.isEnabled()
enabled} field is set to true
by Azure Key Vault, if not specified.
The keyType
indicates the type of key
to create.
Possible values include: EC
, EC-HSM
, RSA
,
RSA-HSM
, OCT
and OCT-HSM
.
Code Samples
Creates a new RSA key
which activates in one day and expires in one year. Prints out the
details of the created key
.
CreateKeyOptions createKeyOptions = new CreateKeyOptions("keyName", KeyType.RSA) .setNotBefore(OffsetDateTime.now().plusDays(1)) .setExpiresOn(OffsetDateTime.now().plusYears(1)); KeyVaultKey optionsKey = keyClient.createKey(createKeyOptions); System.out.printf("Created key with name: %s and id: %s%n", optionsKey.getName(), optionsKey.getId());
createKeyOptions
- The options object
containing information about the
key
being created.created key
.com.azure.core.exception.HttpResponseException
- If CreateKeyOptions.getName()
is an empty string.NullPointerException
- If createKeyOptions
is null
.com.azure.core.exception.HttpResponseException
- If name
is an empty string.public com.azure.core.http.rest.Response<KeyVaultKey> createKeyWithResponse(CreateKeyOptions createKeyOptions, com.azure.core.util.Context context)
key
and stores it in the key vault. The create key operation can be used to
create any keyType
in Azure Key Vault. If a key
with the provided name
already exists, Azure Key Vault creates a new version of the key
. It requires the
keys/create
permission.
The CreateKeyOptions
parameter is required. The expires
and
notBefore
values are optional. The
enabled
field is set to true
by Azure Key Vault, if not specified.
The keyType
indicates the type of key
to create.
Possible values include: EC
, EC-HSM
, RSA
,
RSA-HSM
, OCT
and OCT-HSM
.
Code Samples
Creates a new RSA key
which activates in one day and expires in one year. Prints out the
details of the created key
.
CreateKeyOptions createKeyOptions = new CreateKeyOptions("keyName", KeyType.RSA) .setNotBefore(OffsetDateTime.now().plusDays(1)) .setExpiresOn(OffsetDateTime.now().plusYears(1)); Response<KeyVaultKey> createKeyResponse = keyClient.createKeyWithResponse(createKeyOptions, new Context("key1", "value1")); System.out.printf("Created key with name: %s and: id %s%n", createKeyResponse.getValue().getName(), createKeyResponse.getValue().getId());
createKeyOptions
- The options object
containing information about the
key
being created.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.Response
whose value
contains the created key
.com.azure.core.exception.HttpResponseException
- If CreateKeyOptions.getName()
is an empty string.NullPointerException
- If createKeyOptions
is null
.com.azure.core.exception.ResourceModifiedException
- If createKeyOptions
is malformed.public KeyVaultKey createRsaKey(CreateRsaKeyOptions createRsaKeyOptions)
RSA key
and stores it in the key vault. The create RSA key operation can be
used to create any RSA key type in Azure Key Vault. If a key
with the provided name already
exists, Azure Key Vault creates a new version of the key
. It requires the
keys/create
permission.
The CreateRsaKeyOptions
parameter is required. The keySize
can be optionally specified. The expires
and
notBefore
values are optional. The
enabled
field is set to true
by Azure Key Vault, if not
specified.
The keyType
indicates the type of key
to create.
Possible values include: RSA
and RSA-HSM
.
Code Samples
Creates a new RSA key
with size 2048 which activates in one day and expires in one year.
Prints out the details of the created key
.
CreateRsaKeyOptions createRsaKeyOptions = new CreateRsaKeyOptions("keyName") .setKeySize(2048) .setNotBefore(OffsetDateTime.now().plusDays(1)) .setExpiresOn(OffsetDateTime.now().plusYears(1)); KeyVaultKey rsaKey = keyClient.createRsaKey(createRsaKeyOptions); System.out.printf("Created key with name: %s and id: %s%n", rsaKey.getName(), rsaKey.getId());
createRsaKeyOptions
- The options object
containing information about the
RSA key
being created.created key
.com.azure.core.exception.HttpResponseException
- If CreateKeyOptions.getName()
is an empty string.NullPointerException
- If createRsaKeyOptions
is null
.com.azure.core.exception.ResourceModifiedException
- If createRsaKeyOptions
is malformed.public com.azure.core.http.rest.Response<KeyVaultKey> createRsaKeyWithResponse(CreateRsaKeyOptions createRsaKeyOptions, com.azure.core.util.Context context)
RSA key
and stores it in the key vault. The create RSA key operation can be
used to create any RSA key type in Azure Key Vault. If a key
with the provided name already
exists, Azure Key Vault creates a new version of the key
. It requires the
keys/create
permission.
The CreateRsaKeyOptions
parameter is required. The keySize
can be optionally specified. The expires
and
notBefore
values are optional. The
enabled
field is set to true
by Azure Key Vault, if not
specified.
The keyType
indicates the type of key
to create.
Possible values include: RSA
and RSA-HSM
.
Code Samples
Creates a new RSA key
with size 2048 which activates in one day and expires in one year.
Prints out the details of the created key
.
CreateRsaKeyOptions createRsaKeyOptions = new CreateRsaKeyOptions("keyName") .setKeySize(2048) .setNotBefore(OffsetDateTime.now().plusDays(1)) .setExpiresOn(OffsetDateTime.now().plusYears(1)); Response<KeyVaultKey> createRsaKeyResponse = keyClient.createRsaKeyWithResponse(createRsaKeyOptions, new Context("key1", "value1")); System.out.printf("Created key with name: %s and: id %s%n", createRsaKeyResponse.getValue().getName(), createRsaKeyResponse.getValue().getId());
createRsaKeyOptions
- The options object
containing information about the
RSA key
being created.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.Response
whose value
contains the created key
.com.azure.core.exception.HttpResponseException
- If CreateKeyOptions.getName()
is an empty string.NullPointerException
- If createRsaKeyOptions
is null
.com.azure.core.exception.ResourceModifiedException
- If createRsaKeyOptions
is malformed.public KeyVaultKey createEcKey(CreateEcKeyOptions createEcKeyOptions)
EC key
and stores it in the key vault. The create EC key operation can be
used to create any EC key type
in Azure Key Vault. If a key
with the
provided name already exists, Azure Key Vault creates a new version of the key
. It requires
the keys/create
permission.
The CreateEcKeyOptions
parameter is required. The key curve
can be optionally specified. If not specified, the default value P-256
is used by
Azure Key Vault. The expires
and
notBefore
values are optional. The
enabled
field is set to true
by Azure Key Vault, if not specified.
The keyType
indicates the type of KeyVaultKey
key to create.
Possible values include: EC
and EC-HSM
.
Code Samples
Creates a new EC key
with a P-384
web key curve. The key
activates in one day and expires in one year. Prints out the details of the created key
.
CreateEcKeyOptions createEcKeyOptions = new CreateEcKeyOptions("keyName") .setCurveName(KeyCurveName.P_384) .setNotBefore(OffsetDateTime.now().plusDays(1)) .setExpiresOn(OffsetDateTime.now().plusYears(1)); KeyVaultKey ecKey = keyClient.createEcKey(createEcKeyOptions); System.out.printf("Created key with name: %s and id: %s%n", ecKey.getName(), ecKey.getId());
createEcKeyOptions
- The options object
containing information about the
EC key
being created.created key
.com.azure.core.exception.HttpResponseException
- If CreateKeyOptions.getName()
is an empty string.NullPointerException
- If createEcKeyOptions
is null
.com.azure.core.exception.ResourceModifiedException
- If createEcKeyOptions
is malformed.public com.azure.core.http.rest.Response<KeyVaultKey> createEcKeyWithResponse(CreateEcKeyOptions createEcKeyOptions, com.azure.core.util.Context context)
EC key
and stores it in the key vault. The create EC key operation can be
used to create any EC key type
in Azure Key Vault. If a key
with the
provided name already exists, Azure Key Vault creates a new version of the key
. It requires
the keys/create
permission.
The CreateEcKeyOptions
parameter is required. The key curve
can be optionally specified. If not specified, the default value P-256
is used by
Azure Key Vault. The expires
and
notBefore
values are optional. The
enabled
field is set to true
by Azure Key Vault, if not
specified.
The keyType
indicates the type of KeyVaultKey
key to create.
Possible values include: EC
and EC-HSM
.
Code Samples
Creates a new EC key
with a P-384
web key curve. The key
activates in one day and expires in one year. Prints out the details of the created key
.
CreateEcKeyOptions createEcKeyOptions = new CreateEcKeyOptions("keyName") .setCurveName(KeyCurveName.P_384) .setNotBefore(OffsetDateTime.now().plusDays(1)) .setExpiresOn(OffsetDateTime.now().plusYears(1)); Response<KeyVaultKey> createEcKeyResponse = keyClient.createEcKeyWithResponse(createEcKeyOptions, new Context("key1", "value1")); System.out.printf("Created key with name: %s and: id %s%n", createEcKeyResponse.getValue().getName(), createEcKeyResponse.getValue().getId());
createEcKeyOptions
- The options object
containing information about the
EC key
being created.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.Response
whose value
contains the created key
.com.azure.core.exception.HttpResponseException
- If CreateKeyOptions.getName()
is an empty string.NullPointerException
- If createEcKeyOptions
is null
.com.azure.core.exception.ResourceModifiedException
- If createEcKeyOptions
is malformed.public KeyVaultKey createOctKey(CreateOctKeyOptions createOctKeyOptions)
symmetric key
in the key vault. If a key
with
the provided name already exists, Azure Key Vault creates a new version of the key. This operation requires
the keys/create
permission.
The CreateOctKeyOptions
parameter is required. The expires
and notBefore
values are optional. The
enabled
field is set to true
by Azure Key Vault, if not
specified.
The keyType
indicates the type of KeyVaultKey
key to create.
Possible values include: OCT
and OCT-HSM
.
Code Samples
Creates a new symmetric key
. The key
activates in one day and expires
in one year. Prints out the details of the newly created key
.
CreateOctKeyOptions createOctKeyOptions = new CreateOctKeyOptions("keyName") .setNotBefore(OffsetDateTime.now().plusDays(1)) .setExpiresOn(OffsetDateTime.now().plusYears(1)); KeyVaultKey octKey = keyClient.createOctKey(createOctKeyOptions); System.out.printf("Created key with name: %s and id: %s%n", octKey.getName(), octKey.getId());
createOctKeyOptions
- The options object
containing information about the
symmetric key
being created.created key
.com.azure.core.exception.HttpResponseException
- If CreateKeyOptions.getName()
is an empty string.NullPointerException
- If createOctKeyOptions
is null
.com.azure.core.exception.ResourceModifiedException
- If createOctKeyOptions
is malformed.public com.azure.core.http.rest.Response<KeyVaultKey> createOctKeyWithResponse(CreateOctKeyOptions createOctKeyOptions, com.azure.core.util.Context context)
symmetric key
in the key vault. If a key
with
the provided name already exists, Azure Key Vault creates a new version of the key. This operation requires
the keys/create
permission.
The CreateOctKeyOptions
parameter is required. The expires
and notBefore
values are optional. The
enabled
field is set to true
by Azure Key Vault, if not
specified.
The keyType
indicates the type of KeyVaultKey
key to create.
Possible values include: OCT
and OCT-HSM
.
Code Samples
Creates a new symmetric key
. The key
activates in one day and expires
in one year. Prints out the details of the newly created key
.
CreateOctKeyOptions createOctKeyOptions = new CreateOctKeyOptions("keyName") .setNotBefore(OffsetDateTime.now().plusDays(1)) .setExpiresOn(OffsetDateTime.now().plusYears(1)); Response<KeyVaultKey> createOctKeyResponse = keyClient.createOctKeyWithResponse(createOctKeyOptions, new Context("key1", "value1")); System.out.printf("Created key with name: %s and: id %s%n", createOctKeyResponse.getValue().getName(), createOctKeyResponse.getValue().getId());
createOctKeyOptions
- The options object
containing information about the
symmetric key
being created.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.Response
whose value
contains the created key
.com.azure.core.exception.HttpResponseException
- If CreateKeyOptions.getName()
is an empty string.NullPointerException
- If createOctKeyOptions
is null
.com.azure.core.exception.ResourceModifiedException
- If createOctKeyOptions
is malformed.public KeyVaultKey importKey(String name, JsonWebKey keyMaterial)
key
and stores it in the key vault. The import key operation
may be used to import any key type
into Azure Key Vault. If a key
with
the provided name already exists, Azure Key Vault creates a new version of the key
. This
operation requires the keys/import
permission.
Code Samples
Imports a new key
into the key vault. Prints out the details of the
imported key
.
KeyVaultKey key = keyClient.importKey("keyName", jsonWebKeyToImport); System.out.printf("Imported key with name: %s and id: %s%n", key.getName(), key.getId());
name
- The name for the imported key
.keyMaterial
- The JsonWebKey
being imported.imported key
.com.azure.core.exception.HttpResponseException
- If name
is an empty string.public KeyVaultKey importKey(ImportKeyOptions importKeyOptions)
key
and stores it in the key vault. The import key operation
may be used to import any key type
into Azure Key Vault. If a key
with
the provided name already exists, Azure Key Vault creates a new version of the key
. This
operation requires the keys/import
permission.
ImportKeyOptions
is required and its fields name
and
key material
cannot be null
. The
expires
and notBefore
values
in keyImportOptions
are optional. If not specified, no values are set for the fields. The
enabled
field is set to true
and the
hsm
field is set to false
by Azure Key Vault, if they are
not specified.
Code Samples
Imports a new key
into the key vault. Prints out the details of the
imported key
.
ImportKeyOptions options = new ImportKeyOptions("keyName", jsonWebKeyToImport) .setHardwareProtected(false); KeyVaultKey importedKey = keyClient.importKey(options); System.out.printf("Imported key with name: %s and id: %s%n", importedKey.getName(), importedKey.getId());
importKeyOptions
- The options object
containing information about the
JsonWebKey
being imported.imported key
.com.azure.core.exception.HttpResponseException
- If KeyProperties.getName()
is an empty string.NullPointerException
- If importKeyOptions
is null
.public com.azure.core.http.rest.Response<KeyVaultKey> importKeyWithResponse(ImportKeyOptions importKeyOptions, com.azure.core.util.Context context)
key
and stores it in the key vault. The import key operation
may be used to import any key type
into Azure Key Vault. If a key
with
the provided name already exists, Azure Key Vault creates a new version of the key
. This
operation requires the keys/import
permission.
ImportKeyOptions
is required and its fields name
and
key material
cannot be null
. The
expires
and notBefore
values
in keyImportOptions
are optional. If not specified, no values are set for the fields. The
enabled
field is set to true
and the
hsm
field is set to false
by Azure Key Vault, if they are
not specified.
Code Samples
Imports a new key
into the key vault. Prints out the details of the
imported key
.
ImportKeyOptions importKeyOptions = new ImportKeyOptions("keyName", jsonWebKeyToImport) .setHardwareProtected(false); Response<KeyVaultKey> response = keyClient.importKeyWithResponse(importKeyOptions, new Context("key1", "value1")); System.out.printf("Imported key with name: %s and id: %s%n", response.getValue().getName(), response.getValue().getId());
importKeyOptions
- The options object
containing information about the
JsonWebKey
being imported.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.Response
whose value
contains the imported key
.com.azure.core.exception.HttpResponseException
- If KeyProperties.getName()
is an empty string.NullPointerException
- If keyImportOptions
is null
.public KeyVaultKey getKey(String name, String version)
key
and key version. The get key operation is
applicable to all key types
and it requires the keys/get
permission.
Code Samples
Gets a specific version of the key
in the key vault. Prints out the details of the
retrieved key
.
String keyVersion = "6A385B124DEF4096AF1361A85B16C204"; KeyVaultKey keyWithVersion = keyClient.getKey("keyName", keyVersion); System.out.printf("Retrieved key with name: %s and: id %s%n", keyWithVersion.getName(), keyWithVersion.getId());
name
- The name of the key
, cannot be null
.version
- The version of the key
to retrieve. If this is an empty string or
null
, this call is equivalent to calling KeyClient.getKey(String)
, with the latest version
being retrieved.key
. The content of the key
is null
if
both name
and version
are null
or empty.com.azure.core.exception.HttpResponseException
- If a valid name
and a non-null/empty version
is specified.com.azure.core.exception.ResourceNotFoundException
- When a key
with the provided name
doesn't exist in
the key vault or an empty/null
name
and a non-null/empty version
is provided.public com.azure.core.http.rest.Response<KeyVaultKey> getKeyWithResponse(String name, String version, com.azure.core.util.Context context)
key
and key version. The get key operation is
applicable to all key types
and it requires the keys/get
permission.
Code Samples
Gets a specific version of the key
in the key vault. Prints out the details of the
retrieved key
.
String keyVersion = "6A385B124DEF4096AF1361A85B16C204"; Response<KeyVaultKey> getKeyResponse = keyClient.getKeyWithResponse("keyName", keyVersion, new Context("key1", "value1")); System.out.printf("Retrieved key with name: %s and: id %s%n", getKeyResponse.getValue().getName(), getKeyResponse.getValue().getId());
name
- The name of the key
, cannot be null
.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.version
- The version of the key
to retrieve. If this is an empty string or
null
, this call is equivalent to calling KeyClient.getKey(String)
, with the latest version
being retrieved.Response
whose value
contains the requested
key
. The content of the key
is null
if both name
and
version
are null
or empty.com.azure.core.exception.HttpResponseException
- If a valid name
and a non-null/empty version
is specified.com.azure.core.exception.ResourceNotFoundException
- When a key
with the provided name
doesn't exist in
the key vault or an empty/null
name
and a non-null/empty version
is provided.public KeyVaultKey getKey(String name)
key
and key version. The get key operation is
applicable to all key types
and it requires the keys/get
permission.
Code Samples
Gets a specific version of the key
in the key vault. Prints out the details of the
retrieved key
.
KeyVaultKey keyWithVersionValue = keyClient.getKey("keyName"); System.out.printf("Retrieved key with name: %s and: id %s%n", keyWithVersionValue.getName(), keyWithVersionValue.getId());
name
- The name of the key
, cannot be null
.key
. The content of the key is null
if name
is
null
or empty.com.azure.core.exception.HttpResponseException
- If a non null/empty and an invalid name
is specified.com.azure.core.exception.ResourceNotFoundException
- When a key with non null/empty name
doesn't exist in the key vault.public KeyVaultKey updateKeyProperties(KeyProperties keyProperties, KeyOperation... keyOperations)
attributes
and key operations
associated with the
specified key
, but not the cryptographic key material of the specified
key
in the key vault. The update operation changes specified
attributes
of an existing stored key
and
attributes
that are not specified in the request are left unchanged. The cryptographic
key material of a key
itself cannot be changed. This operation requires the
keys/set
permission.
Code Samples
Gets the latest version of the key
, changes its expiry time and
key operations
and the updates the key
in the key vault.
KeyVaultKey key = keyClient.getKey("keyName"); key.getProperties().setExpiresOn(OffsetDateTime.now().plusDays(60)); KeyVaultKey updatedKey = keyClient.updateKeyProperties(key.getProperties(), KeyOperation.ENCRYPT, KeyOperation.DECRYPT); System.out.printf("Key is updated with name %s and id %s %n", updatedKey.getName(), updatedKey.getId());
keyProperties
- The key properties
object with updated properties.keyOperations
- The updated key operations
to associate with the key.Response
whose value
contains the updated key
.com.azure.core.exception.HttpResponseException
- If name
or
version
is an empty string.NullPointerException
- If key
is null
.com.azure.core.exception.ResourceNotFoundException
- When a key with name
and
version
doesn't exist in the key vault.public com.azure.core.http.rest.Response<KeyVaultKey> updateKeyPropertiesWithResponse(KeyProperties keyProperties, com.azure.core.util.Context context, KeyOperation... keyOperations)
attributes
and key operations
associated with the
specified key
, but not the cryptographic key material of the specified
key
in the key vault. The update operation changes specified
attributes
of an existing stored key
and
attributes
that are not specified in the request are left unchanged. The cryptographic
key material of a key
itself cannot be changed. This operation requires the
keys/set
permission.
Code Samples
Gets the latest version of the key
, changes its expiry time and
key operations
and the updates the key
in the key vault.
KeyVaultKey key = keyClient.getKey("keyName"); key.getProperties().setExpiresOn(OffsetDateTime.now().plusDays(60)); Response<KeyVaultKey> updateKeyResponse = keyClient.updateKeyPropertiesWithResponse(key.getProperties(), new Context("key1", "value1"), KeyOperation.ENCRYPT, KeyOperation.DECRYPT); System.out.printf("Updated key with name: %s and id: %s%n", updateKeyResponse.getValue().getName(), updateKeyResponse.getValue().getId());
keyProperties
- The key properties
object with updated properties.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.keyOperations
- The updated key operations
to associate with the key.Response
whose value
contains the updated key
.com.azure.core.exception.HttpResponseException
- If name
or
version
is an empty string.NullPointerException
- If key
is null
.com.azure.core.exception.ResourceNotFoundException
- When a key with name
and
version
doesn't exist in the key vault.public com.azure.core.util.polling.SyncPoller<DeletedKey,Void> beginDeleteKey(String name)
key
of any type from the key vault. If soft-delete is enabled on the key vault then
the key
is placed in the deleted state and requires to be purged for permanent deletion
else the key
is permanently deleted. The delete operation applies to any
key
stored in Azure Key Vault but it cannot be applied to an individual version
of a key
. This operation removes the cryptographic material associated with the
key
, which means the key
is not usable for Sign/Verify
,
Wrap/Unwrap
or Encrypt/Decrypt
operations. This operation requires the keys/delete
permission.
Code Samples
Deletes the key
from the key vault. Prints out the recovery id of the
deleted key
.
SyncPoller<DeletedKey, Void> deleteKeyPoller = keyClient.beginDeleteKey("keyName"); PollResponse<DeletedKey> deleteKeyPollResponse = deleteKeyPoller.poll(); // Deleted date only works for SoftDelete Enabled Key Vault. DeletedKey deletedKey = deleteKeyPollResponse.getValue(); System.out.printf("Key delete date: %s%n" + deletedKey.getDeletedOn()); System.out.printf("Deleted key's recovery id: %s%n", deletedKey.getRecoveryId()); // Key is being deleted on server. deleteKeyPoller.waitForCompletion(); // Key is deleted
name
- The name of the key
to be deleted.SyncPoller
to poll on and retrieve deleted key
com.azure.core.exception.HttpResponseException
- When a key with name
is an empty string.com.azure.core.exception.ResourceNotFoundException
- When a key with name
doesn't exist in the key vault.public DeletedKey getDeletedKey(String name)
deleted key
. The get deleted Key operation is applicable for
soft-delete enabled vaults. This operation requires the keys/get
permission.
Code Samples
Gets the deleted key
from the key vault enabled for soft-delete. Prints out the details
of the deleted key
.
DeletedKey deletedKey = keyClient.getDeletedKey("keyName"); System.out.printf("Deleted key's recovery id: %s%n", deletedKey.getRecoveryId());
name
- The name of the deleted key
.deleted key
.com.azure.core.exception.HttpResponseException
- When a key with name
is an empty string.com.azure.core.exception.ResourceNotFoundException
- When a key with name
doesn't exist in the key vault.public com.azure.core.http.rest.Response<DeletedKey> getDeletedKeyWithResponse(String name, com.azure.core.util.Context context)
deleted key
. The get deleted Key operation is applicable for
soft-delete enabled vaults. This operation requires the keys/get
permission.
Code Samples
Gets the deleted key
from the key vault enabled for soft-delete. Prints out the details
of the deleted key
returned in the HTTPresponse
.
Response<DeletedKey> deletedKeyResponse = keyClient.getDeletedKeyWithResponse("keyName", new Context("key1", "value1")); System.out.printf("Deleted key with recovery id: %s%n", deletedKeyResponse.getValue().getRecoveryId());
name
- The name of the deleted key
.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.Response
whose value
contains the deleted key
.com.azure.core.exception.HttpResponseException
- When a key with name
is an empty string.com.azure.core.exception.ResourceNotFoundException
- When a key with name
doesn't exist in the key vault.public void purgeDeletedKey(String name)
key
without the possibility of recovery. The purge
deleted key operation is applicable for soft-delete enabled vaults. This operation requires the
keys/purge
permission.
Code Samples
Purges the deleted key
from the key vault enabled for soft-delete.
keyClient.purgeDeletedKey("deletedKeyName");
name
- The name of the deleted key
.com.azure.core.exception.HttpResponseException
- When a key with name
is an empty string.com.azure.core.exception.ResourceNotFoundException
- When a key with name
doesn't exist in the key vault.public com.azure.core.http.rest.Response<Void> purgeDeletedKeyWithResponse(String name, com.azure.core.util.Context context)
key
without the possibility of recovery. The purge
deleted key operation is applicable for soft-delete enabled vaults. This operation requires the
keys/purge
permission.
Code Samples
Purges the deleted key
from the key vault enabled for soft-delete.
Response<Void> purgeDeletedKeyResponse = keyClient.purgeDeletedKeyWithResponse("deletedKeyName", new Context("key1", "value1")); System.out.printf("Purge response status code: %d%n", purgeDeletedKeyResponse.getStatusCode());
name
- The name of the deleted key
.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.Response
containing status code and HTTP headers.com.azure.core.exception.HttpResponseException
- When a key with name
is an empty string.com.azure.core.exception.ResourceNotFoundException
- When a key with name
doesn't exist in the key vault.public com.azure.core.util.polling.SyncPoller<KeyVaultKey,Void> beginRecoverDeletedKey(String name)
deleted key
in the key vault to its latest version and can only be performed
on a soft-delete enabled vault. An attempt to recover an non-deleted key
will return an
error. Consider this the inverse of the delete operation on soft-delete enabled vaults. This operation
requires the keys/recover
permission.
Code Samples
Recovers the deleted key
from the key vault enabled for soft-delete.
SyncPoller<KeyVaultKey, Void> recoverKeyPoller = keyClient.beginRecoverDeletedKey("deletedKeyName"); PollResponse<KeyVaultKey> recoverKeyPollResponse = recoverKeyPoller.poll(); KeyVaultKey recoveredKey = recoverKeyPollResponse.getValue(); System.out.printf("Recovered key name: %s%n", recoveredKey.getName()); System.out.printf("Recovered key id: %s%n", recoveredKey.getId()); // Key is being recovered on server. recoverKeyPoller.waitForCompletion(); // Key is recovered
name
- The name of the deleted key
to be recovered.SyncPoller
to poll on and retrieve recovered key
.com.azure.core.exception.HttpResponseException
- When a key with name
is an empty string.com.azure.core.exception.ResourceNotFoundException
- When a key with name
doesn't exist in the key vault.public byte[] backupKey(String name)
key
be downloaded to the client. The key backup
operation exports a key
from Azure Key Vault in a protected form. Note that this operation
does not return key material in a form that can be used outside the Azure Key Vault system, the returned key
material is either protected to a Azure Key Vault HSM or to Azure Key Vault itself. The intent of this
operation is to allow a client to generate a key
in one Azure Key Vault instance, backup the
key
, and then restore it into another Azure Key Vault instance. The backup operation may
be used to export, in protected form, any key type
from Azure Key Vault. Individual versions
of a key
cannot be backed up. Backup/Restore
can be performed within geographical
boundaries only; meaning that a backup from one geographical area cannot be restored to another geographical
area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This
operation requires the key/backup
permission.
Code Samples
Backs up the key
from the key vault.
byte[] keyBackup = keyClient.backupKey("keyName"); System.out.printf("Key backup byte array length: %s%n", keyBackup.length);
name
- The name of the key
.com.azure.core.exception.HttpResponseException
- When a key with name
is an empty string.com.azure.core.exception.ResourceNotFoundException
- When a key with name
doesn't exist in the key vault.public com.azure.core.http.rest.Response<byte[]> backupKeyWithResponse(String name, com.azure.core.util.Context context)
key
be downloaded to the client. The key backup
operation exports a key
from Azure Key Vault in a protected form. Note that this operation
does not return key material in a form that can be used outside the Azure Key Vault system, the returned key
material is either protected to a Azure Key Vault HSM or to Azure Key Vault itself. The intent of this
operation is to allow a client to generate a key
in one Azure Key Vault instance, backup the
key
, and then restore it into another Azure Key Vault instance. The backup operation may
be used to export, in protected form, any key type
from Azure Key Vault. Individual versions
of a key
cannot be backed up. Backup/Restore
can be performed within geographical
boundaries only; meaning that a backup from one geographical area cannot be restored to another geographical
area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This
operation requires the key/backup
permission.
Code Samples
Backs up the key
from the key vault and prints out the length of the key's backup byte
array returned in the HTTPresponse
.
Response<byte[]> backupKeyResponse = keyClient.backupKeyWithResponse("keyName", new Context("key1", "value1")); System.out.printf("Key backup byte array length: %s%n", backupKeyResponse.getValue().length);
name
- The name of the key
.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.Response
whose value
contains the backed up key blob.com.azure.core.exception.HttpResponseException
- When a key with name
is an empty string.com.azure.core.exception.ResourceNotFoundException
- When a key with name
doesn't exist in the key vault.public KeyVaultKey restoreKeyBackup(byte[] backup)
key
to a vault. Imports a previously backed up key
into Azure Key Vault, restoring the key
, its key identifier, attributes and access control
policies. The restore operation may be used to import a previously backed up key
. Individual
versions of a key
cannot be restored. The key
is restored in its entirety
with the same key name as it had when it was backed up. If the key name is not available in the target key vault,
the restore operation will be rejected. While the key name is retained during restore, the final key identifier
will change if the key
is restored to a different vault. Restore will restore all versions
and preserve version identifiers. The restore operation is subject to security constraints: The target key
vault must be owned by the same Microsoft Azure Subscription as the source key vault. The user must have
the restore
permission in the target key vault. This operation requires the keys/restore
permission.
Code Samples
Restores the key
in the key vault from its backup.
byte[] keyBackupByteArray = {}; KeyVaultKey keyResponse = keyClient.restoreKeyBackup(keyBackupByteArray); System.out.printf("Restored key with name: %s and: id %s%n", keyResponse.getName(), keyResponse.getId());
backup
- The backup blob associated with the key
.restored key
.com.azure.core.exception.ResourceModifiedException
- When the backup
blob is malformed.public com.azure.core.http.rest.Response<KeyVaultKey> restoreKeyBackupWithResponse(byte[] backup, com.azure.core.util.Context context)
key
to a vault. Imports a previously backed up key
into Azure Key Vault, restoring the key
, its key identifier, attributes and access control
policies. The restore operation may be used to import a previously backed up key
. Individual
versions of a key
cannot be restored. The key
is restored in its entirety
with the same key name as it had when it was backed up. If the key name is not available in the target key vault,
the restore operation will be rejected. While the key name is retained during restore, the final key identifier
will change if the key
is restored to a different vault. Restore will restore all versions
and preserve version identifiers. The restore operation is subject to security constraints: The target key
vault must be owned by the same Microsoft Azure Subscription as the source key vault. The user must have
the restore
permission in the target key vault. This operation requires the keys/restore
permission.
Code Samples
Restores the key
in the key vault from its backup. Prints out the details of the
restored key
returned in the HTTPresponse
.
Response<KeyVaultKey> keyResponse = keyClient.restoreKeyBackupWithResponse(keyBackupByteArray, new Context("key1", "value1")); System.out.printf("Restored key with name: %s and: id %s%n", keyResponse.getValue().getName(), keyResponse.getValue().getId());
backup
- The backup blob associated with the key
.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.Response
whose value
contains the restored key
.com.azure.core.exception.ResourceModifiedException
- When the backup
blob is malformed.public com.azure.core.http.rest.PagedIterable<KeyProperties> listPropertiesOfKeys()
keys
in the key vault. Retrieves a list of the keys
in the key
vault as JsonWebKey
structures that contain the public part of a stored key
. The list
operation is applicable to all key types
and the individual key
response
in the list is represented by KeyProperties
as only the key identifier, attributes and tags are
provided in the response. The key material and individual key versions are not listed in the response. This
operation requires the keys/list
permission.
It is possible to get full keys
with key material from this information. Loop over the
KeyProperties
and call KeyClient.getKey(String, String)
. This will return the
key
with key material included as of its latest version.
for (KeyProperties keyProperties : keyClient.listPropertiesOfKeys()) { KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion()); System.out.printf("Retrieved key with name: %s and type: %s%n", key.getName(), key.getKeyType()); }
Code Samples to iterate keys by page
It is possible to get full keys
with key material from this information. Iterate over all
the KeyProperties
by page and call KeyClient.getKey(String, String)
. This will return the
key
with key material included as of its latest version.
keyClient.listPropertiesOfKeys().iterableByPage().forEach(pagedResponse -> { System.out.printf("Got response details. Url: %s. Status code: %d.%n", pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode()); pagedResponse.getElements().forEach(keyProperties -> { KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion()); System.out.printf("Retrieved key with name: %s and type: %s%n", key.getName(), key.getKeyType()); }); });
public com.azure.core.http.rest.PagedIterable<KeyProperties> listPropertiesOfKeys(com.azure.core.util.Context context)
keys
in the key vault. Retrieves a list of the keys
in the key
vault as JsonWebKey
structures that contain the public part of a stored key
. The list
operation is applicable to all key types
and the individual key
response
in the list is represented by KeyProperties
as only the key identifier, attributes and tags are
provided in the response. The key material and individual key versions are not listed in the response. This
operation requires the keys/list
permission.
It is possible to get full keys
with key material from this information. Loop over the
KeyProperties
and call KeyClient.getKey(String, String)
. This will return the
key
with key material included as of its latest version.
for (KeyProperties keyProperties : keyClient.listPropertiesOfKeys(new Context("key1", "value1"))) { KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion()); System.out.printf("Retrieved key with name: %s and type: %s%n", key.getName(), key.getKeyType()); }
Code Samples to iterate keys by page
It is possible to get full keys
with key material from this information. Iterate over all
the KeyProperties
by page and call KeyClient.getKey(String, String)
. This will return the
key
with key material included as of its latest version.
keyClient.listPropertiesOfKeys().iterableByPage().forEach(pagedResponse -> { System.out.printf("Got response details. Url: %s. Status code: %d.%n", pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode()); pagedResponse.getElements().forEach(keyProperties -> { KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion()); System.out.printf("Retrieved key with name: %s and type: %s%n", key.getName(), key.getKeyType()); }); });
public com.azure.core.http.rest.PagedIterable<DeletedKey> listDeletedKeys()
deleted keys
of the key vault. The deleted keys
are retrieved as
JsonWebKey
structures that contain the public part of a deleted key
. The get deleted
keys operation is applicable for vaults enabled for soft-delete. This operation requires the keys/list
permission.
Code Samples
Lists the deleted keys
in the key vault and for each deleted key
prints
out its recovery id.
for (DeletedKey deletedKey : keyClient.listDeletedKeys()) { System.out.printf("Deleted key's recovery id:%s%n", deletedKey.getRecoveryId()); }
Code Samples to iterate over deleted keys by page
Iterates over the deleted keys
by page in the key vault and for each deleted key prints out
its recovery id.
keyClient.listDeletedKeys().iterableByPage().forEach(pagedResponse -> { System.out.printf("Got response details. Url: %s. Status code: %d.%n", pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode()); pagedResponse.getElements().forEach(deletedKey -> System.out.printf("Deleted key's recovery id:%s%n", deletedKey.getRecoveryId())); });
PagedIterable
of all of the deleted keys
in the vault.public com.azure.core.http.rest.PagedIterable<DeletedKey> listDeletedKeys(com.azure.core.util.Context context)
deleted keys
of the key vault. The deleted keys
are retrieved as
JsonWebKey
structures that contain the public part of a deleted key
. The get deleted
keys operation is applicable for vaults enabled for soft-delete. This operation requires the keys/list
permission.
Code Samples
Lists the deleted keys
in the key vault and for each deleted key
prints
out its recovery id.
for (DeletedKey deletedKey : keyClient.listDeletedKeys(new Context("key1", "value1"))) { System.out.printf("Deleted key's recovery id:%s%n", deletedKey.getRecoveryId()); }
Code Samples to iterate over deleted keys by page
Iterates over the deleted keys
by page in the key vault and for each deleted key prints out
its recovery id.
keyClient.listDeletedKeys().iterableByPage().forEach(pagedResponse -> { System.out.printf("Got response details. Url: %s. Status code: %d.%n", pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode()); pagedResponse.getElements().forEach(deletedKey -> System.out.printf("Deleted key's recovery id:%s%n", deletedKey.getRecoveryId())); });
context
- Additional Context
that is passed through the HttpPipeline
during the service
call.PagedIterable
of all of the deleted keys
in the vault.public com.azure.core.http.rest.PagedIterable<KeyProperties> listPropertiesOfKeyVersions(String name)
keys
. The individual key response in the flux is
represented by KeyProperties
as only the key identifier, attributes and tags are provided in the
response. The key material values are not provided in the response. This operation requires the
keys/list
permission.
It is possible to get full keys
with key material for each version from this information.
Loop over the key
and call KeyClient.getKey(String, String)
. This will return the
keys
with key material included of the specified versions.
for (KeyProperties keyProperties : keyClient.listPropertiesOfKeyVersions("keyName")) { KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion()); System.out.printf("Retrieved key version: %s with name: %s and type: %s%n", key.getProperties().getVersion(), key.getName(), key.getKeyType()); }
Code Samples to iterate over key versions by page
It is possible to get full keys
with key material for each version from this information.
Iterate over all the key
by page and call KeyClient.getKey(String, String)
. This
will return the keys
with key material included of the specified versions.
keyClient.listPropertiesOfKeyVersions("keyName").iterableByPage().forEach(pagedResponse -> { System.out.printf("Got response details. Url: %s. Status code: %d.%n", pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode()); pagedResponse.getElements().forEach(keyProperties -> System.out.printf("Key name: %s. Key version: %s.%n", keyProperties.getName(), keyProperties.getVersion())); });
name
- The name of the key
.PagedIterable
of key
of all the versions of the specified key in the vault.
The list is empty if a key
with the provided name
does not exist in the key vault.com.azure.core.exception.ResourceNotFoundException
- When a given key name
is null
or an empty string.public com.azure.core.http.rest.PagedIterable<KeyProperties> listPropertiesOfKeyVersions(String name, com.azure.core.util.Context context)
keys
. The individual key response in the flux is
represented by KeyProperties
as only the key identifier, attributes and tags are provided in the
response. The key material values are not provided in the response. This operation requires the
keys/list
permission.
It is possible to get full keys
with key material for each version from this information.
Loop over the key
and call KeyClient.getKey(String, String)
. This will return the
keys
with key material included of the specified versions.
for (KeyProperties keyProperties : keyClient.listPropertiesOfKeyVersions("keyName", new Context("key1", "value1"))) { KeyVaultKey key = keyClient.getKey(keyProperties.getName(), keyProperties.getVersion()); System.out.printf("Retrieved key version: %s with name: %s and type: %s%n", key.getProperties().getVersion(), key.getName(), key.getKeyType()); }
Code Samples to iterate over key versions by page
It is possible to get full keys
with key material for each version from this information.
Iterate over all the key
by page and call KeyClient.getKey(String, String)
. This
will return the keys
with key material included of the specified versions.
keyClient.listPropertiesOfKeyVersions("keyName").iterableByPage().forEach(pagedResponse -> { System.out.printf("Got response details. Url: %s. Status code: %d.%n", pagedResponse.getRequest().getUrl(), pagedResponse.getStatusCode()); pagedResponse.getElements().forEach(keyProperties -> System.out.printf("Key name: %s. Key version: %s.%n", keyProperties.getName(), keyProperties.getVersion())); });
name
- The name of the key
.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.PagedIterable
of key
of all the versions of the specified
key
in the vault. The list is empty if a key
with the provided
name
does not exist in the key vault.com.azure.core.exception.ResourceNotFoundException
- When a given key name
is null
or an empty string.public RandomBytes getRandomBytes(int count)
Code Samples
Gets a number of bytes containing random values from a Managed HSM. Prints out the retrieved bytes in base64Url format.
int amount = 16; RandomBytes randomBytes = keyClient.getRandomBytes(amount); System.out.printf("Retrieved %d random bytes: %s%n", amount, Arrays.toString(randomBytes.getBytes()));
count
- The requested number of random bytes.public com.azure.core.http.rest.Response<RandomBytes> getRandomBytesWithResponse(int count, com.azure.core.util.Context context)
Code Samples
Gets a number of bytes containing random values from a Managed HSM. Prints out the
HTTP Response
details and the retrieved bytes in base64Url format.
int amountOfBytes = 16; Response<RandomBytes> response = keyClient.getRandomBytesWithResponse(amountOfBytes, new Context("key1", "value1")); System.out.printf("Response received successfully with status code: %d. Retrieved %d random bytes: %s%n", response.getStatusCode(), amountOfBytes, Arrays.toString(response.getValue().getBytes()));
count
- The requested number of random bytes.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.HTTP response
for this operation and the requested number of bytes containing
random values from a managed HSM.public ReleaseKeyResult releaseKey(String name, String target)
key
.
The key
must be exportable. This operation requires the keys/release
permission.
Code Samples
Releases a key
. Prints out the signed object that contains the release key.
String target = "someAttestationToken"; ReleaseKeyResult releaseKeyResult = keyClient.releaseKey("keyName", target); System.out.printf("Signed object containing released key: %s%n", releaseKeyResult);
name
- The name of the key
to release.target
- The attestation assertion for the target of the key
release.released key
.IllegalArgumentException
- If name
or target
are null
or empty.com.azure.core.exception.ResourceNotFoundException
- If the key
for the provided name
does not exist.public ReleaseKeyResult releaseKey(String name, String version, String target)
key
.
The key
must be exportable. This operation requires the keys/release
permission.
Code Samples
Releases a key
. Prints out the signed object that contains the release key.
String myKeyVersion = "6A385B124DEF4096AF1361A85B16C204"; String myTarget = "someAttestationToken"; ReleaseKeyResult releaseKeyVersionResult = keyClient.releaseKey("keyName", myKeyVersion, myTarget); System.out.printf("Signed object containing released key: %s%n", releaseKeyVersionResult);
name
- The name of the key
to release.version
- The version of the key to release. If this is empty or null
, this call is equivalent to
calling KeyAsyncClient.releaseKey(String, String)
, with the latest key version being released.target
- The attestation assertion for the target of the key
release.released key
.IllegalArgumentException
- If name
or target
are null
or empty.com.azure.core.exception.ResourceNotFoundException
- If the key
for the provided name
does not exist.public com.azure.core.http.rest.Response<ReleaseKeyResult> releaseKeyWithResponse(String name, String version, String target, ReleaseKeyOptions options, com.azure.core.util.Context context)
key
.
The key must be exportable. This operation requires the keys/release
permission.
Code Samples
Releases a key
. Prints out the
HTTP Response
details and the signed object that contains the release key.
String releaseKeyVersion = "6A385B124DEF4096AF1361A85B16C204"; String releaseTarget = "someAttestationToken"; ReleaseKeyOptions releaseKeyOptions = new ReleaseKeyOptions() .setAlgorithm(KeyExportEncryptionAlgorithm.RSA_AES_KEY_WRAP_256) .setNonce("someNonce"); Response<ReleaseKeyResult> releaseKeyResultResponse = keyClient.releaseKeyWithResponse("keyName", releaseKeyVersion, releaseTarget, releaseKeyOptions, new Context("key1", "value1")); System.out.printf("Response received successfully with status code: %d. Signed object containing" + "released key: %s%n", releaseKeyResultResponse.getStatusCode(), releaseKeyResultResponse.getValue().getValue());
name
- The name of the key
to release.version
- The version of the key
to release. If this is empty or null
, this call
is equivalent to calling KeyAsyncClient.releaseKey(String, String)
, with the latest key version being
released.target
- The attestation assertion for the target of the key release.options
- Additional options
for releasing a key
.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.HTTP response
for this operation and the ReleaseKeyResult
containing the
released key
.IllegalArgumentException
- If name
or target
are null
or empty.com.azure.core.exception.ResourceNotFoundException
- If the key
for the provided name
does not exist.public KeyVaultKey rotateKey(String name)
key
. The rotate key operation will do so based on
key's rotation policy
. This operation requires the keys/rotate
permission.
Code Samples
Rotates a key
. Prints out rotated key
details.
KeyVaultKey key = keyClient.rotateKey("keyName"); System.out.printf("Rotated key with name: %s and version:%s%n", key.getName(), key.getProperties().getVersion());
name
- The name of key
to be rotated. The system will generate a new version in the
specified key
.key
.IllegalArgumentException
- If name
is null
or empty.com.azure.core.exception.ResourceNotFoundException
- If the key
for the provided name
does not exist.public com.azure.core.http.rest.Response<KeyVaultKey> rotateKeyWithResponse(String name, com.azure.core.util.Context context)
key
. The rotate key operation will do so based on
key's rotation policy
. This operation requires the keys/rotate
permission.
Code Samples
Rotates a key
. Prints out the HTTP Response
and
rotated key
details.
Response<KeyVaultKey> keyResponse = keyClient.rotateKeyWithResponse("keyName", new Context("key1", "value1")); System.out.printf("Response received successfully with status code: %d. Rotated key with name: %s and" + "version: %s%n", keyResponse.getStatusCode(), keyResponse.getValue().getName(), keyResponse.getValue().getProperties().getVersion());
name
- The name of key
to be rotated. The system will generate a new version in the
specified key
.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.HTTP response
for this operation containing the new version of the rotated
key
.IllegalArgumentException
- If name
is null
or empty.com.azure.core.exception.ResourceNotFoundException
- If the key
for the provided name
does not exist.public KeyRotationPolicy getKeyRotationPolicy(String name)
KeyRotationPolicy
for the key
with the provided name. This operation
requires the keys/get
permission.
Code Samples
Retrieves the rotation policy
of a given key
. Prints out the
rotation policy key
details.
KeyRotationPolicy keyRotationPolicy = keyClient.getKeyRotationPolicy("keyName"); System.out.printf("Retrieved key rotation policy with id: %s%n", keyRotationPolicy.getId());
name
- The name of the key
.KeyRotationPolicy
for the key
.IllegalArgumentException
- If name
is null
or empty.com.azure.core.exception.ResourceNotFoundException
- If the key
for the provided name
does not exist.public com.azure.core.http.rest.Response<KeyRotationPolicy> getKeyRotationPolicyWithResponse(String name, com.azure.core.util.Context context)
KeyRotationPolicy
for the key
with the provided name. This operation
requires the keys/get
permission.
Code Samples
Retrieves the rotation policy
of a given key
. Prints out the
HTTP Response
and rotation policy key
details.
Response<KeyRotationPolicy> keyRotationPolicyResponse = keyClient.getKeyRotationPolicyWithResponse("keyName", new Context("key1", "value1")); System.out.printf("Response received successfully with status code: %d. Retrieved key rotation policy" + "with id: %s%n", keyRotationPolicyResponse.getStatusCode(), keyRotationPolicyResponse.getValue().getId());
name
- The name of the key
.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.HTTP response
for this operation containing the KeyRotationPolicy
for the
key
.IllegalArgumentException
- If name
is null
or empty.com.azure.core.exception.ResourceNotFoundException
- If the key
for the provided name
does not exist.public KeyRotationPolicy updateKeyRotationPolicy(String name, KeyRotationPolicyProperties keyRotationPolicyProperties)
KeyRotationPolicy
of the key
with the provided name. This operation
requires the keys/update
permission.
Code Samples
Updates the rotation policy
of a given key
. Prints out the
rotation policy key
details.
List<KeyRotationLifetimeAction> lifetimeActions = new ArrayList<>(); KeyRotationLifetimeAction rotateLifetimeAction = new KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE) .setTimeAfterCreate("P90D"); KeyRotationLifetimeAction notifyLifetimeAction = new KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY) .setTimeBeforeExpiry("P45D"); lifetimeActions.add(rotateLifetimeAction); lifetimeActions.add(notifyLifetimeAction); KeyRotationPolicyProperties policyProperties = new KeyRotationPolicyProperties() .setLifetimeActions(lifetimeActions) .setExpiryTime("P6M"); KeyRotationPolicy keyRotationPolicy = keyClient.updateKeyRotationPolicy("keyName", policyProperties); System.out.printf("Updated key rotation policy with id: %s%n", keyRotationPolicy.getId());
name
- The name of the key
.keyRotationPolicyProperties
- The KeyRotationPolicy
for the kekey
y.KeyRotationPolicy
for the key
.IllegalArgumentException
- If name
is null
or empty.com.azure.core.exception.ResourceNotFoundException
- If the key
for the provided name
does not exist.public com.azure.core.http.rest.Response<KeyRotationPolicy> updateKeyRotationPolicyWithResponse(String name, KeyRotationPolicyProperties keyRotationPolicyProperties, com.azure.core.util.Context context)
KeyRotationPolicy
of the key with the provided name. This operation requires the
keys/update
permission.
Code Samples
Updates the rotation policy
of a given key
. Prints out the
HTTP Response
and rotation policy key
details.
List<KeyRotationLifetimeAction> myLifetimeActions = new ArrayList<>(); KeyRotationLifetimeAction myRotateLifetimeAction = new KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE) .setTimeAfterCreate("P90D"); KeyRotationLifetimeAction myNotifyLifetimeAction = new KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY) .setTimeBeforeExpiry("P45D"); myLifetimeActions.add(myRotateLifetimeAction); myLifetimeActions.add(myNotifyLifetimeAction); KeyRotationPolicyProperties myPolicyProperties = new KeyRotationPolicyProperties() .setLifetimeActions(myLifetimeActions) .setExpiryTime("P6M"); Response<KeyRotationPolicy> keyRotationPolicyResponse = keyClient.updateKeyRotationPolicyWithResponse( "keyName", myPolicyProperties, new Context("key1", "value1")); System.out.printf("Response received successfully with status code: %d. Updated key rotation policy" + "with id: %s%n", keyRotationPolicyResponse.getStatusCode(), keyRotationPolicyResponse.getValue().getId());
name
- The name of the key
.keyRotationPolicyProperties
- The KeyRotationPolicyProperties
for the key.context
- Additional Context
that is passed through the HttpPipeline
during the service
call.HTTP response
for this operation containing the KeyRotationPolicy
for the
key
.IllegalArgumentException
- If name
is null
or empty.com.azure.core.exception.ResourceNotFoundException
- If the key
for the provided name
does not exist.Visit the Azure for Java Developers site for more Java documentation, including quick starts, tutorials, and code samples.