azure.keyvault.keys.crypto.aio package

class azure.keyvault.keys.crypto.aio.CryptographyClient(key: Union[KeyVaultKey, str], credential: TokenCredential, **kwargs: Any)[source]

Performs cryptographic operations using Azure Key Vault keys.

Parameters

  • key (str or KeyVaultKey) – Either a KeyVaultKey instance as returned by get_key(), or a string. If a string, the value must be the full identifier of an Azure Key Vault key with a version.

  • credential – An object which can provide an access token for the vault, such as a credential from azure.identity.aio

Keyword arguments

  • api_version - version of the Key Vault API to use. Defaults to the most recent.

Creating a CryptographyClient:

from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.keys.crypto.aio import CryptographyClient

credential = DefaultAzureCredential()

# create a CryptographyClient using a KeyVaultKey instance
key = await key_client.get_key("mykey")
crypto_client = CryptographyClient(key, credential)

# or a key's id, which must include a version
key_id = "https://<your vault>.vault.azure.net/keys/mykey/fe4fdcab688c479a9aa80f01ffeac26"
crypto_client = CryptographyClient(key_id, credential)

You can also obtain a CryptographyClient from a KeyClient:

from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.keys.aio import KeyClient

credential = DefaultAzureCredential()
key_client = KeyClient(vault_url=<your vault url>, credential=credential)
crypto_client = key_client.get_cryptography_client("mykey")
async decrypt(algorithm: EncryptionAlgorithm, ciphertext: bytes, **kwargs: Any) → azure.keyvault.keys.crypto._models.DecryptResult[source]

Decrypt a single block of encrypted data using the client’s key. Requires the keys/decrypt permission.

This method decrypts only a single block of data, the size of which depends on the key and encryption algorithm.

Parameters

  • algorithm (EncryptionAlgorithm) – encryption algorithm to use

  • ciphertext (bytes) – encrypted bytes to decrypt

Return type

DecryptResult

Example:

from azure.keyvault.keys.crypto import EncryptionAlgorithm

result = await client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext)
print(result.plaintext)
async encrypt(algorithm: EncryptionAlgorithm, plaintext: bytes, **kwargs: Any) → azure.keyvault.keys.crypto._models.EncryptResult[source]

Encrypt bytes using the client’s key. Requires the keys/encrypt permission.

This method encrypts only a single block of data, the size of which depends on the key and encryption algorithm.

Parameters

  • algorithm (EncryptionAlgorithm) – encryption algorithm to use

  • plaintext (bytes) – bytes to encrypt

Return type

EncryptResult

Example:

from azure.keyvault.keys.crypto import EncryptionAlgorithm

# the result holds the ciphertext and identifies the encryption key and algorithm used
result = client.encrypt(EncryptionAlgorithm.rsa_oaep, b"plaintext")
ciphertext = result.ciphertext
print(result.key_id)
print(result.algorithm)
async sign(algorithm: SignatureAlgorithm, digest: bytes, **kwargs: Any) → azure.keyvault.keys.crypto._models.SignResult[source]

Create a signature from a digest using the client’s key. Requires the keys/sign permission.

Parameters

  • algorithm (SignatureAlgorithm) – signing algorithm

  • digest (bytes) – hashed bytes to sign

Return type

SignResult

Example:

import hashlib
from azure.keyvault.keys.crypto import SignatureAlgorithm

digest = hashlib.sha256(b"plaintext").digest()

# sign returns a tuple with the signature and the metadata required to verify it
result = await client.sign(SignatureAlgorithm.rs256, digest)

# the result contains the signature and identifies the key and algorithm used
signature = result.signature
print(result.key_id)
print(result.algorithm)
async unwrap_key(algorithm: KeyWrapAlgorithm, encrypted_key: bytes, **kwargs: Any) → azure.keyvault.keys.crypto._models.UnwrapResult[source]

Unwrap a key previously wrapped with the client’s key. Requires the keys/unwrapKey permission.

Parameters

  • algorithm (KeyWrapAlgorithm) – wrapping algorithm to use

  • encrypted_key (bytes) – the wrapped key

Return type

UnwrapResult

Example:

from azure.keyvault.keys.crypto import KeyWrapAlgorithm

result = await client.unwrap_key(KeyWrapAlgorithm.rsa_oaep, wrapped_bytes)
key = result.key
async verify(algorithm: SignatureAlgorithm, digest: bytes, signature: bytes, **kwargs: Any) → azure.keyvault.keys.crypto._models.VerifyResult[source]

Verify a signature using the client’s key. Requires the keys/verify permission.

Parameters

  • algorithm (SignatureAlgorithm) – verification algorithm

  • digest (bytes) –

  • signature (bytes) –

Return type

VerifyResult

Example:

from azure.keyvault.keys.crypto import SignatureAlgorithm

verified = await client.verify(SignatureAlgorithm.rs256, digest, signature)
assert verified.is_valid
async wrap_key(algorithm: KeyWrapAlgorithm, key: bytes, **kwargs: Any) → azure.keyvault.keys.crypto._models.WrapResult[source]

Wrap a key with the client’s key. Requires the keys/wrapKey permission.

Parameters

  • algorithm (KeyWrapAlgorithm) – wrapping algorithm to use

  • key (bytes) – key to wrap

Return type

WrapResult

Example:

from azure.keyvault.keys.crypto import KeyWrapAlgorithm

# the result holds the encrypted key and identifies the encryption key and algorithm used
result = await client.wrap_key(KeyWrapAlgorithm.rsa_oaep, key_bytes)
encrypted_key = result.encrypted_key
print(result.key_id)
print(result.algorithm)
property key_id

The full identifier of the client’s key.

Return type

str

property vault_url
class azure.keyvault.keys.crypto.aio.EncryptionAlgorithm[source]

Encryption algorithms

rsa1_5 = 'RSA1_5'
rsa_oaep = 'RSA-OAEP'
rsa_oaep_256 = 'RSA-OAEP-256'
class azure.keyvault.keys.crypto.aio.EncryptResult(key_id, algorithm, ciphertext)[source]

The result of an encrypt operation.

Parameters

  • key_id (str) – The encryption key’s Key Vault identifier

  • algorithm (EncryptionAlgorithm) – The encryption algorithm used

  • ciphertext (bytes) – The encrypted bytes

class azure.keyvault.keys.crypto.aio.KeyWrapAlgorithm[source]

Key wrapping algorithms

aes_256 = 'A256KW'
rsa1_5 = 'RSA1_5'
rsa_oaep = 'RSA-OAEP'
rsa_oaep_256 = 'RSA-OAEP-256'
class azure.keyvault.keys.crypto.aio.SignatureAlgorithm[source]

Signature algorithms, described in https://tools.ietf.org/html/rfc7518

es256 = 'ES256'

ECDSA using P-256 and SHA-256

es256_k = 'ES256K'

ECDSA using P-256K and SHA-256

es384 = 'ES384'

ECDSA using P-384 and SHA-384

es512 = 'ES512'

ECDSA using P-521 and SHA-512

ps256 = 'PS256'

RSASSA-PSS using SHA-256 and MGF1 with SHA-256

ps384 = 'PS384'

RSASSA-PSS using SHA-384 and MGF1 with SHA-384

ps512 = 'PS512'

RSASSA-PSS using SHA-512 and MGF1 with SHA-512

rs256 = 'RS256'

RSASSA-PKCS1-v1_5 using SHA-256

rs384 = 'RS384'

RSASSA-PKCS1-v1_5 using SHA-384

rs512 = 'RS512'

RSASSA-PKCS1-v1_5 using SHA-512

class azure.keyvault.keys.crypto.aio.SignResult(key_id, algorithm, signature)[source]

The result of a sign operation.

Parameters

  • key_id (str) – The signing key’s Key Vault identifier

  • algorithm (SignatureAlgorithm) – The signature algorithm used

  • signature (bytes) –

class azure.keyvault.keys.crypto.aio.WrapResult(key_id, algorithm, encrypted_key)[source]

The result of a wrap key operation.

Parameters

  • key_id (str) – The wrapping key’s Key Vault identifier

  • algorithm (KeyWrapAlgorithm) – The key wrap algorithm used

  • encrypted_key (bytes) – The encrypted key bytes