azure.keyvault.keys.crypto package

class azure.keyvault.keys.crypto.CryptographyClient(key, credential, **kwargs)[source]

Performs cryptographic operations using Azure Key Vault keys.

Parameters

  • key (str or KeyVaultKey) – Either a KeyVaultKey instance as returned by get_key(), or a string. If a string, the value must be the full identifier of an Azure Key Vault key with a version.

  • credential – An object which can provide an access token for the vault, such as a credential from azure.identity

Keyword arguments

  • api_version - version of the Key Vault API to use. Defaults to the most recent.

Creating a CryptographyClient:

from azure.identity import DefaultAzureCredential
from azure.keyvault.keys.crypto import CryptographyClient

credential = DefaultAzureCredential()

# create a CryptographyClient using a KeyVaultKey instance
key = key_client.get_key("mykey")
crypto_client = CryptographyClient(key, credential)

# or a key's id, which must include a version
key_id = "https://<your vault>.vault.azure.net/keys/mykey/fe4fdcab688c479a9aa80f01ffeac26"
crypto_client = CryptographyClient(key_id, credential)

You can also obtain a CryptographyClient from a KeyClient:

from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

credential = DefaultAzureCredential()
key_client = KeyClient(vault_url=<your vault url>, credential=credential)
crypto_client = key_client.get_cryptography_client("mykey")
decrypt(algorithm, ciphertext, **kwargs)[source]

Decrypt a single block of encrypted data using the client’s key. Requires the keys/decrypt permission.

This method decrypts only a single block of data, the size of which depends on the key and encryption algorithm.

Parameters

  • algorithm (EncryptionAlgorithm) – encryption algorithm to use

  • ciphertext (bytes) – encrypted bytes to decrypt

Return type

DecryptResult

Example:

from azure.keyvault.keys.crypto import EncryptionAlgorithm

result = client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext)
print(result.plaintext)
encrypt(algorithm, plaintext, **kwargs)[source]

Encrypt bytes using the client’s key. Requires the keys/encrypt permission.

This method encrypts only a single block of data, the size of which depends on the key and encryption algorithm.

Parameters

  • algorithm (EncryptionAlgorithm) – encryption algorithm to use

  • plaintext (bytes) – bytes to encrypt

Return type

EncryptResult

Example:

from azure.keyvault.keys.crypto import EncryptionAlgorithm

# the result holds the ciphertext and identifies the encryption key and algorithm used
result = client.encrypt(EncryptionAlgorithm.rsa_oaep, b"plaintext")
ciphertext = result.ciphertext
print(result.key_id)
print(result.algorithm)
sign(algorithm, digest, **kwargs)[source]

Create a signature from a digest using the client’s key. Requires the keys/sign permission.

Parameters

  • algorithm (SignatureAlgorithm) – signing algorithm

  • digest (bytes) – hashed bytes to sign

Return type

SignResult

Example:

import hashlib
from azure.keyvault.keys.crypto import SignatureAlgorithm

digest = hashlib.sha256(b"plaintext").digest()

# sign returns a tuple with the signature and the metadata required to verify it
result = client.sign(SignatureAlgorithm.rs256, digest)

# the result contains the signature and identifies the key and algorithm used
signature = result.signature
print(result.key_id)
print(result.algorithm)
unwrap_key(algorithm, encrypted_key, **kwargs)[source]

Unwrap a key previously wrapped with the client’s key. Requires the keys/unwrapKey permission.

Parameters

  • algorithm (KeyWrapAlgorithm) – wrapping algorithm to use

  • encrypted_key (bytes) – the wrapped key

Return type

UnwrapResult

Example:

from azure.keyvault.keys.crypto import KeyWrapAlgorithm

result = client.unwrap_key(KeyWrapAlgorithm.rsa_oaep, wrapped_bytes)
key = result.key
verify(algorithm, digest, signature, **kwargs)[source]

Verify a signature using the client’s key. Requires the keys/verify permission.

Parameters

  • algorithm (SignatureAlgorithm) – verification algorithm

  • digest (bytes) –

  • signature (bytes) –

Return type

VerifyResult

Example:

from azure.keyvault.keys.crypto import SignatureAlgorithm

verified = client.verify(SignatureAlgorithm.rs256, digest, signature)
assert verified.is_valid
wrap_key(algorithm, key, **kwargs)[source]

Wrap a key with the client’s key. Requires the keys/wrapKey permission.

Parameters

  • algorithm (KeyWrapAlgorithm) – wrapping algorithm to use

  • key (bytes) – key to wrap

Return type

WrapResult

Example:

from azure.keyvault.keys.crypto import KeyWrapAlgorithm

# the result holds the encrypted key and identifies the encryption key and algorithm used
result = client.wrap_key(KeyWrapAlgorithm.rsa_oaep, key_bytes)
encrypted_key = result.encrypted_key
print(result.key_id)
print(result.algorithm)
property key_id

The full identifier of the client’s key.

Return type

str

property vault_url
class azure.keyvault.keys.crypto.DecryptResult(key_id, algorithm, plaintext)[source]

The result of a decrypt operation.

Parameters

  • key_id (str) – The encryption key’s Key Vault identifier

  • algorithm (EncryptionAlgorithm) – The encryption algorithm used

  • plaintext (bytes) – The decrypted bytes

class azure.keyvault.keys.crypto.EncryptionAlgorithm[source]

Encryption algorithms

rsa1_5 = 'RSA1_5'
rsa_oaep = 'RSA-OAEP'
rsa_oaep_256 = 'RSA-OAEP-256'
class azure.keyvault.keys.crypto.EncryptResult(key_id, algorithm, ciphertext)[source]

The result of an encrypt operation.

Parameters

  • key_id (str) – The encryption key’s Key Vault identifier

  • algorithm (EncryptionAlgorithm) – The encryption algorithm used

  • ciphertext (bytes) – The encrypted bytes

class azure.keyvault.keys.crypto.KeyWrapAlgorithm[source]

Key wrapping algorithms

aes_256 = 'A256KW'
rsa1_5 = 'RSA1_5'
rsa_oaep = 'RSA-OAEP'
rsa_oaep_256 = 'RSA-OAEP-256'
class azure.keyvault.keys.crypto.SignatureAlgorithm[source]

Signature algorithms, described in https://tools.ietf.org/html/rfc7518

es256 = 'ES256'

ECDSA using P-256 and SHA-256

es256_k = 'ES256K'

ECDSA using P-256K and SHA-256

es384 = 'ES384'

ECDSA using P-384 and SHA-384

es512 = 'ES512'

ECDSA using P-521 and SHA-512

ps256 = 'PS256'

RSASSA-PSS using SHA-256 and MGF1 with SHA-256

ps384 = 'PS384'

RSASSA-PSS using SHA-384 and MGF1 with SHA-384

ps512 = 'PS512'

RSASSA-PSS using SHA-512 and MGF1 with SHA-512

rs256 = 'RS256'

RSASSA-PKCS1-v1_5 using SHA-256

rs384 = 'RS384'

RSASSA-PKCS1-v1_5 using SHA-384

rs512 = 'RS512'

RSASSA-PKCS1-v1_5 using SHA-512

class azure.keyvault.keys.crypto.SignResult(key_id, algorithm, signature)[source]

The result of a sign operation.

Parameters

  • key_id (str) – The signing key’s Key Vault identifier

  • algorithm (SignatureAlgorithm) – The signature algorithm used

  • signature (bytes) –

class azure.keyvault.keys.crypto.WrapResult(key_id, algorithm, encrypted_key)[source]

The result of a wrap key operation.

Parameters

  • key_id (str) – The wrapping key’s Key Vault identifier

  • algorithm (KeyWrapAlgorithm) – The key wrap algorithm used

  • encrypted_key (bytes) – The encrypted key bytes

class azure.keyvault.keys.crypto.VerifyResult(key_id, is_valid, algorithm)[source]

The result of a verify operation.

Parameters

  • key_id (str) – The signing key’s Key Vault identifier

  • is_valid (bool) – Whether the signature is valid

  • algorithm (SignatureAlgorithm) – The signature algorithm used

class azure.keyvault.keys.crypto.UnwrapResult(key_id, algorithm, key)[source]

The result of an unwrap key operation.

Parameters

  • key_id (str) – Key encryption key’s Key Vault identifier

  • algorithm (KeyWrapAlgorithm) – The key wrap algorithm used

  • key (bytes) – The unwrapped key