azure.keyvault.keys.crypto package¶
-
class
azure.keyvault.keys.crypto.
CryptographyClient
(key, credential, **kwargs)[source]¶ Performs cryptographic operations using Azure Key Vault keys.
- Parameters
key (str or
KeyVaultKey
) – Either aKeyVaultKey
instance as returned byget_key()
, or a string. If a string, the value must be the full identifier of an Azure Key Vault key with a version.credential – An object which can provide an access token for the vault, such as a credential from
azure.identity
- Keyword arguments
api_version - version of the Key Vault API to use. Defaults to the most recent.
Creating a
CryptographyClient
:from azure.identity import DefaultAzureCredential from azure.keyvault.keys.crypto import CryptographyClient credential = DefaultAzureCredential() # create a CryptographyClient using a KeyVaultKey instance key = key_client.get_key("mykey") crypto_client = CryptographyClient(key, credential) # or a key's id, which must include a version key_id = "https://<your vault>.vault.azure.net/keys/mykey/fe4fdcab688c479a9aa80f01ffeac26" crypto_client = CryptographyClient(key_id, credential)
You can also obtain a
CryptographyClient
from aKeyClient
:from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url=<your vault url>, credential=credential) crypto_client = key_client.get_cryptography_client("mykey")
-
decrypt
(algorithm, ciphertext, **kwargs)[source]¶ Decrypt a single block of encrypted data using the client’s key. Requires the keys/decrypt permission.
This method decrypts only a single block of data, the size of which depends on the key and encryption algorithm.
- Parameters
algorithm (
EncryptionAlgorithm
) – encryption algorithm to useciphertext (bytes) – encrypted bytes to decrypt
- Return type
Example:
from azure.keyvault.keys.crypto import EncryptionAlgorithm result = client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext) print(result.plaintext)
-
encrypt
(algorithm, plaintext, **kwargs)[source]¶ Encrypt bytes using the client’s key. Requires the keys/encrypt permission.
This method encrypts only a single block of data, the size of which depends on the key and encryption algorithm.
- Parameters
algorithm (
EncryptionAlgorithm
) – encryption algorithm to useplaintext (bytes) – bytes to encrypt
- Return type
Example:
from azure.keyvault.keys.crypto import EncryptionAlgorithm # the result holds the ciphertext and identifies the encryption key and algorithm used result = client.encrypt(EncryptionAlgorithm.rsa_oaep, b"plaintext") ciphertext = result.ciphertext print(result.key_id) print(result.algorithm)
-
sign
(algorithm, digest, **kwargs)[source]¶ Create a signature from a digest using the client’s key. Requires the keys/sign permission.
- Parameters
algorithm (
SignatureAlgorithm
) – signing algorithmdigest (bytes) – hashed bytes to sign
- Return type
Example:
import hashlib from azure.keyvault.keys.crypto import SignatureAlgorithm digest = hashlib.sha256(b"plaintext").digest() # sign returns a tuple with the signature and the metadata required to verify it result = client.sign(SignatureAlgorithm.rs256, digest) # the result contains the signature and identifies the key and algorithm used signature = result.signature print(result.key_id) print(result.algorithm)
-
unwrap_key
(algorithm, encrypted_key, **kwargs)[source]¶ Unwrap a key previously wrapped with the client’s key. Requires the keys/unwrapKey permission.
- Parameters
algorithm (
KeyWrapAlgorithm
) – wrapping algorithm to useencrypted_key (bytes) – the wrapped key
- Return type
Example:
from azure.keyvault.keys.crypto import KeyWrapAlgorithm result = client.unwrap_key(KeyWrapAlgorithm.rsa_oaep, wrapped_bytes) key = result.key
-
verify
(algorithm, digest, signature, **kwargs)[source]¶ Verify a signature using the client’s key. Requires the keys/verify permission.
- Parameters
- Return type
Example:
from azure.keyvault.keys.crypto import SignatureAlgorithm verified = client.verify(SignatureAlgorithm.rs256, digest, signature) assert verified.is_valid
-
wrap_key
(algorithm, key, **kwargs)[source]¶ Wrap a key with the client’s key. Requires the keys/wrapKey permission.
- Parameters
algorithm (
KeyWrapAlgorithm
) – wrapping algorithm to usekey (bytes) – key to wrap
- Return type
Example:
from azure.keyvault.keys.crypto import KeyWrapAlgorithm # the result holds the encrypted key and identifies the encryption key and algorithm used result = client.wrap_key(KeyWrapAlgorithm.rsa_oaep, key_bytes) encrypted_key = result.encrypted_key print(result.key_id) print(result.algorithm)
-
property
vault_url
¶
-
class
azure.keyvault.keys.crypto.
DecryptResult
(key_id, algorithm, plaintext)[source]¶ The result of a decrypt operation.
- Parameters
key_id (str) – The encryption key’s Key Vault identifier
algorithm (EncryptionAlgorithm) – The encryption algorithm used
plaintext (bytes) – The decrypted bytes
-
class
azure.keyvault.keys.crypto.
EncryptionAlgorithm
[source]¶ Encryption algorithms
-
rsa1_5
= 'RSA1_5'¶
-
rsa_oaep
= 'RSA-OAEP'¶
-
rsa_oaep_256
= 'RSA-OAEP-256'¶
-
-
class
azure.keyvault.keys.crypto.
EncryptResult
(key_id, algorithm, ciphertext)[source]¶ The result of an encrypt operation.
- Parameters
key_id (str) – The encryption key’s Key Vault identifier
algorithm (EncryptionAlgorithm) – The encryption algorithm used
ciphertext (bytes) – The encrypted bytes
-
class
azure.keyvault.keys.crypto.
KeyWrapAlgorithm
[source]¶ Key wrapping algorithms
-
aes_256
= 'A256KW'¶
-
rsa1_5
= 'RSA1_5'¶
-
rsa_oaep
= 'RSA-OAEP'¶
-
rsa_oaep_256
= 'RSA-OAEP-256'¶
-
-
class
azure.keyvault.keys.crypto.
SignatureAlgorithm
[source]¶ Signature algorithms, described in https://tools.ietf.org/html/rfc7518
-
es256
= 'ES256'¶ ECDSA using P-256 and SHA-256
-
es256_k
= 'ES256K'¶ ECDSA using P-256K and SHA-256
-
es384
= 'ES384'¶ ECDSA using P-384 and SHA-384
-
es512
= 'ES512'¶ ECDSA using P-521 and SHA-512
-
ps256
= 'PS256'¶ RSASSA-PSS using SHA-256 and MGF1 with SHA-256
-
ps384
= 'PS384'¶ RSASSA-PSS using SHA-384 and MGF1 with SHA-384
-
ps512
= 'PS512'¶ RSASSA-PSS using SHA-512 and MGF1 with SHA-512
-
rs256
= 'RS256'¶ RSASSA-PKCS1-v1_5 using SHA-256
-
rs384
= 'RS384'¶ RSASSA-PKCS1-v1_5 using SHA-384
-
rs512
= 'RS512'¶ RSASSA-PKCS1-v1_5 using SHA-512
-
-
class
azure.keyvault.keys.crypto.
SignResult
(key_id, algorithm, signature)[source]¶ The result of a sign operation.
- Parameters
key_id (str) – The signing key’s Key Vault identifier
algorithm (SignatureAlgorithm) – The signature algorithm used
signature (bytes) –
-
class
azure.keyvault.keys.crypto.
WrapResult
(key_id, algorithm, encrypted_key)[source]¶ The result of a wrap key operation.
- Parameters
key_id (str) – The wrapping key’s Key Vault identifier
algorithm (KeyWrapAlgorithm) – The key wrap algorithm used
encrypted_key (bytes) – The encrypted key bytes
-
class
azure.keyvault.keys.crypto.
VerifyResult
(key_id, is_valid, algorithm)[source]¶ The result of a verify operation.
- Parameters
key_id (str) – The signing key’s Key Vault identifier
is_valid (bool) – Whether the signature is valid
algorithm (SignatureAlgorithm) – The signature algorithm used
-
class
azure.keyvault.keys.crypto.
UnwrapResult
(key_id, algorithm, key)[source]¶ The result of an unwrap key operation.
- Parameters
key_id (str) – Key encryption key’s Key Vault identifier
algorithm (KeyWrapAlgorithm) – The key wrap algorithm used
key (bytes) – The unwrapped key