azure.keyvault.keys.crypto.aio package¶
- class azure.keyvault.keys.crypto.aio.CryptographyClient(key: KeyVaultKey | str, credential: AsyncTokenCredential, **kwargs: Any)[source]¶
Performs cryptographic operations using Azure Key Vault keys.
This client will perform operations locally when it’s intialized with the necessary key material or is able to get that material from Key Vault. When the required key material is unavailable, cryptographic operations are performed by the Key Vault service.
- Parameters:
key (str or azure.keyvault.keys.KeyVaultKey) – Either a azure.keyvault.keys.KeyVaultKey instance as returned by
get_key()
, or a string. If a string, the value must be the identifier of an Azure Key Vault key. Including a version is recommended.credential (AsyncTokenCredential) – An object which can provide an access token for the vault, such as a credential from
azure.identity.aio
- Keyword Arguments:
api_version (ApiVersion or str) – Version of the service API to use. Defaults to the most recent.
verify_challenge_resource (bool) – Whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain. Defaults to True.
# create a CryptographyClient using a KeyVaultKey instance key = await key_client.get_key(key_name) crypto_client = CryptographyClient(key, credential) # or a key's id, which must include a version key_id = "https://<your vault>.vault.azure.net/keys/<key name>/fe4fdcab688c479a9aa80f01ffeac26" crypto_client = CryptographyClient(key_id, credential) # the client and credential should be closed when no longer needed # (both are also async context managers) await crypto_client.close() await credential.close()
- async close() None ¶
Close sockets opened by the client.
Calling this method is unnecessary when using the client as a context manager.
- async decrypt(algorithm: EncryptionAlgorithm, ciphertext: bytes, **kwargs: Any) DecryptResult [source]¶
Decrypt a single block of encrypted data using the client’s key.
Requires the keys/decrypt permission. This method decrypts only a single block of data, whose size depends on the key and encryption algorithm.
- Parameters:
algorithm (EncryptionAlgorithm) – Encryption algorithm to use
ciphertext (bytes) – Encrypted bytes to decrypt. Microsoft recommends you not use CBC without first ensuring the integrity of the ciphertext using, for example, an HMAC. See https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
- Keyword Arguments:
iv (bytes or None) – The initialization vector used during encryption. Required for AES decryption.
authentication_tag (bytes or None) – The authentication tag generated during encryption. Required for only AES-GCM decryption.
additional_authenticated_data (bytes or None) – Optional data that is authenticated but not encrypted. For use with AES-GCM decryption.
- Returns:
The result of the decryption operation.
- Return type:
- Raises:
ValueError – If parameters that are incompatible with the specified algorithm are provided.
from azure.keyvault.keys.crypto import EncryptionAlgorithm result = await client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext) print(result.plaintext)
- async encrypt(algorithm: EncryptionAlgorithm, plaintext: bytes, **kwargs: Any) EncryptResult [source]¶
Encrypt bytes using the client’s key.
Requires the keys/encrypt permission. This method encrypts only a single block of data, whose size depends on the key and encryption algorithm.
- Parameters:
algorithm (EncryptionAlgorithm) – Encryption algorithm to use
plaintext (bytes) – Bytes to encrypt
- Keyword Arguments:
iv (bytes or None) – Initialization vector. Required for only AES-CBC(PAD) encryption. If you pass your own IV, make sure you use a cryptographically random, non-repeating IV. If omitted, an attempt will be made to generate an IV via os.urandom for local cryptography; for remote cryptography, Key Vault will generate an IV.
additional_authenticated_data (bytes or None) – Optional data that is authenticated but not encrypted. For use with AES-GCM encryption.
- Returns:
The result of the encryption operation.
- Return type:
- Raises:
ValueError – if parameters that are incompatible with the specified algorithm are provided, or if generating an IV fails on the current platform.
from azure.keyvault.keys.crypto import EncryptionAlgorithm # the result holds the ciphertext and identifies the encryption key and algorithm used result = await client.encrypt(EncryptionAlgorithm.rsa_oaep, b"plaintext") print(result.key_id) print(result.algorithm) ciphertext = result.ciphertext
- classmethod from_jwk(jwk: JsonWebKey | Dict[str, Any]) CryptographyClient [source]¶
Creates a client that can only perform cryptographic operations locally.
- Parameters:
jwk (JsonWebKey or Dict[str, Any]) – the key’s cryptographic material, as a JsonWebKey or dictionary.
- Returns:
A client that can only perform local cryptographic operations.
- Return type:
- async send_request(request: HttpRequest, *, stream: bool = False, **kwargs: Any) Awaitable[AsyncHttpResponse] ¶
Runs a network request using the client’s existing pipeline.
The request URL can be relative to the vault URL. The service API version used for the request is the same as the client’s unless otherwise specified. This method does not raise if the response is an error; to raise an exception, call raise_for_status() on the returned response object. For more information about how to send custom requests with this method, see https://aka.ms/azsdk/dpcodegen/python/send_request.
- Parameters:
request (HttpRequest) – The network request you want to make.
- Keyword Arguments:
stream (bool) – Whether the response payload will be streamed. Defaults to False.
- Returns:
The response of your network call. Does not do error handling on your response.
- Return type:
- async sign(algorithm: SignatureAlgorithm, digest: bytes, **kwargs: Any) SignResult [source]¶
Create a signature from a digest using the client’s key.
Requires the keys/sign permission.
- Parameters:
algorithm (SignatureAlgorithm) – signing algorithm
digest (bytes) – hashed bytes to sign
- Returns:
The result of the signing operation.
- Return type:
import hashlib from azure.keyvault.keys.crypto import SignatureAlgorithm digest = hashlib.sha256(b"plaintext").digest() # sign returns the signature and the metadata required to verify it result = await client.sign(SignatureAlgorithm.rs256, digest) print(result.key_id) print(result.algorithm) signature = result.signature
- async unwrap_key(algorithm: KeyWrapAlgorithm, encrypted_key: bytes, **kwargs: Any) UnwrapResult [source]¶
Unwrap a key previously wrapped with the client’s key.
Requires the keys/unwrapKey permission.
- Parameters:
algorithm (KeyWrapAlgorithm) – wrapping algorithm to use
encrypted_key (bytes) – the wrapped key
- Returns:
The result of the unwrapping operation.
- Return type:
from azure.keyvault.keys.crypto import KeyWrapAlgorithm result = await client.unwrap_key(KeyWrapAlgorithm.rsa_oaep, encrypted_key)
- async verify(algorithm: SignatureAlgorithm, digest: bytes, signature: bytes, **kwargs: Any) VerifyResult [source]¶
Verify a signature using the client’s key.
Requires the keys/verify permission.
- Parameters:
algorithm (SignatureAlgorithm) – verification algorithm
digest (bytes) – Pre-hashed digest corresponding to signature. The hash algorithm used must be compatible with
algorithm
.signature (bytes) – signature to verify
- Returns:
The result of the verifying operation.
- Return type:
from azure.keyvault.keys.crypto import SignatureAlgorithm verified = await client.verify(SignatureAlgorithm.rs256, digest, signature) assert verified.is_valid
- async wrap_key(algorithm: KeyWrapAlgorithm, key: bytes, **kwargs: Any) WrapResult [source]¶
Wrap a key with the client’s key.
Requires the keys/wrapKey permission.
- Parameters:
algorithm (KeyWrapAlgorithm) – wrapping algorithm to use
key (bytes) – key to wrap
- Returns:
The result of the wrapping operation.
- Return type:
from azure.keyvault.keys.crypto import KeyWrapAlgorithm # wrap returns a tuple with the wrapped bytes and the metadata required to unwrap the key result = await client.wrap_key(KeyWrapAlgorithm.rsa_oaep, key_bytes) print(result.key_id) print(result.algorithm) encrypted_key = result.encrypted_key
- property key_id: str | None¶
The full identifier of the client’s key.
This property may be None when a client is constructed with
from_jwk()
.- Returns:
The full identifier of the client’s key.
- Return type:
str or None
- property vault_url: str | None¶
The base vault URL of the client’s key.
This property may be None when a client is constructed with
from_jwk()
.- Returns:
The base vault URL of the client’s key.
- Return type:
str or None