tessl/pypi-azure-keyvault-keys
Microsoft Azure Key Vault Keys client library for Python providing cryptographic key management operations
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-azure-keyvault-keys@4.11.0index.mddocs/
Azure Key Vault Keys
Microsoft Azure Key Vault Keys client library for Python providing comprehensive cryptographic key management operations including creating, storing, retrieving, updating, and deleting cryptographic keys in Azure Key Vault. The library supports various key types (RSA, EC, oct), key operations (encrypt, decrypt, sign, verify, wrap, unwrap), key versioning, and provides both synchronous and asynchronous client implementations.
Package Information
- Package Name: azure-keyvault-keys
- Package Type: pypi
- Language: Python
- Installation:
pip install azure-keyvault-keys - Version: Available via
azure.keyvault.keys.__version__
Core Imports
from azure.keyvault.keys import KeyClientFor asynchronous operations:
from azure.keyvault.keys.aio import KeyClientFor cryptographic operations:
from azure.keyvault.keys.crypto import CryptographyClient
from azure.keyvault.keys.crypto.aio import CryptographyClient # async versionFor data models and enums:
from azure.keyvault.keys import (
KeyVaultKey, KeyProperties, DeletedKey, JsonWebKey,
KeyType, KeyCurveName, KeyOperation
)Basic Usage
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient, KeyType
# Create a client
credential = DefaultAzureCredential()
vault_url = "https://my-key-vault.vault.azure.net/"
client = KeyClient(vault_url=vault_url, credential=credential)
# Create a key
key_name = "my-rsa-key"
key = client.create_rsa_key(key_name, size=2048)
print(f"Created key: {key.name}")
# Get a key
retrieved_key = client.get_key(key_name)
print(f"Retrieved key: {retrieved_key.name}")
# Create a cryptography client for operations
crypto_client = client.get_cryptography_client(key_name)
# Encrypt data
from azure.keyvault.keys.crypto import EncryptionAlgorithm
plaintext = b"Hello, World!"
encrypt_result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext)
print(f"Encrypted data length: {len(encrypt_result.ciphertext)}")
# Decrypt data
decrypt_result = crypto_client.decrypt(EncryptionAlgorithm.rsa_oaep, encrypt_result.ciphertext)
print(f"Decrypted text: {decrypt_result.plaintext}")Architecture
The azure-keyvault-keys package follows a modular architecture with clear separation of concerns:
- KeyClient: Main client for key lifecycle management (create, read, update, delete, list, backup, restore)
- CryptographyClient: Specialized client for cryptographic operations using keys (encrypt, decrypt, sign, verify, wrap, unwrap)
- Data Models: Comprehensive type definitions for keys, properties, and operation results
- Enums: Strongly-typed constants for algorithms, key types, operations, and curves
- Async Support: Complete async/await implementations parallel to synchronous APIs
This design enables both high-level key management and low-level cryptographic operations while supporting enterprise features like key rotation, attestation, and Managed HSM integration.
Capabilities
Key Management
Core key lifecycle operations including creation, retrieval, updating, deletion, and enumeration. Supports all Azure Key Vault key types (RSA, EC, symmetric) with hardware and software variants.
def create_key(name: str, key_type: KeyType, **kwargs) -> KeyVaultKey: ...
def create_rsa_key(name: str, *, size: int = None, **kwargs) -> KeyVaultKey: ...
def create_ec_key(name: str, *, curve: KeyCurveName = None, **kwargs) -> KeyVaultKey: ...
def get_key(name: str, version: str = None, **kwargs) -> KeyVaultKey: ...
def update_key_properties(name: str, version: str = None, **kwargs) -> KeyVaultKey: ...
def begin_delete_key(name: str, **kwargs) -> LROPoller[DeletedKey]: ...Cryptographic Operations
Comprehensive cryptographic operations using Azure Key Vault keys including encryption, decryption, digital signing, signature verification, and key wrapping. Supports multiple algorithms and integrates with Python's cryptography library.
def encrypt(algorithm: EncryptionAlgorithm, plaintext: bytes, **kwargs) -> EncryptResult: ...
def decrypt(algorithm: EncryptionAlgorithm, ciphertext: bytes, **kwargs) -> DecryptResult: ...
def sign(algorithm: SignatureAlgorithm, digest: bytes, **kwargs) -> SignResult: ...
def verify(algorithm: SignatureAlgorithm, digest: bytes, signature: bytes, **kwargs) -> VerifyResult: ...
def wrap_key(algorithm: KeyWrapAlgorithm, key: bytes, **kwargs) -> WrapResult: ...
def unwrap_key(algorithm: KeyWrapAlgorithm, encrypted_key: bytes, **kwargs) -> UnwrapResult: ...Key Backup and Recovery
Backup and restore functionality for keys, enabling key migration and disaster recovery scenarios. Also includes soft-delete and recovery operations for accidental deletion protection.
def backup_key(name: str, **kwargs) -> bytes: ...
def restore_key_backup(backup: bytes, **kwargs) -> KeyVaultKey: ...
def list_deleted_keys(**kwargs) -> ItemPaged[DeletedKey]: ...
def get_deleted_key(name: str, **kwargs) -> DeletedKey: ...
def begin_recover_deleted_key(name: str, **kwargs) -> LROPoller[KeyVaultKey]: ...
def purge_deleted_key(name: str, **kwargs) -> None: ...Key Import and Export
Import keys from external sources and export keys with secure release policies. Supports JSON Web Key (JWK) format and secure key release for data protection scenarios.
def import_key(name: str, key: JsonWebKey, **kwargs) -> KeyVaultKey: ...
def release_key(name: str, target_attestation_token: str, **kwargs) -> ReleaseKeyResult: ...Key Rotation and Policies
Automated key rotation management with configurable policies, lifetime actions, and rotation triggers. Enables compliance with security policies requiring regular key rotation.
def get_key_rotation_policy(key_name: str, **kwargs) -> KeyRotationPolicy: ...
def update_key_rotation_policy(key_name: str, policy: KeyRotationPolicy, **kwargs) -> KeyRotationPolicy: ...
def rotate_key(name: str, **kwargs) -> KeyVaultKey: ...Asynchronous Operations
Complete async/await support for all key management and cryptographic operations, enabling efficient non-blocking I/O in async applications.
async def create_key(name: str, key_type: KeyType, **kwargs) -> KeyVaultKey: ...
async def encrypt(algorithm: EncryptionAlgorithm, plaintext: bytes, **kwargs) -> EncryptResult: ...
async def decrypt(algorithm: EncryptionAlgorithm, ciphertext: bytes, **kwargs) -> DecryptResult: ...Common Types
class KeyVaultKey:
"""A key's attributes and cryptographic material."""
id: str
name: str
properties: KeyProperties
key: JsonWebKey
key_type: KeyType
key_operations: List[KeyOperation]
class KeyProperties:
"""A key's ID and attributes without cryptographic material."""
id: str
name: str
version: str
enabled: bool
not_before: datetime
expires_on: datetime
created_on: datetime
updated_on: datetime
vault_url: str
recoverable_days: int
recovery_level: str
tags: Dict[str, str]
managed: bool
exportable: bool
class JsonWebKey:
"""JSON Web Key representation as defined in RFC 7517."""
kid: str
kty: KeyType
key_ops: List[KeyOperation]
# RSA parameters
n: bytes # RSA modulus
e: bytes # RSA public exponent
d: bytes # RSA private exponent
dp: bytes # RSA private key parameter
dq: bytes # RSA private key parameter
qi: bytes # RSA private key parameter
p: bytes # RSA secret prime
q: bytes # RSA secret prime
# EC parameters
crv: KeyCurveName # Elliptic curve name
x: bytes # X component of EC public key
y: bytes # Y component of EC public key
# Symmetric key parameters
k: bytes # Symmetric key
# HSM token
t: bytes # HSM Token for Bring Your Own Key
class DeletedKey(KeyVaultKey):
"""A deleted key's properties and deletion information."""
deleted_on: datetime # When the key was deleted
recovery_id: str # Recovery identifier for deleted key
scheduled_purge_date: datetime # When key will be permanently deleted
class KeyVaultKeyIdentifier:
"""Information about a KeyVaultKey parsed from a key ID."""
source_id: str # The complete key identifier URL
vault_url: str # The Key Vault URL
name: str # The key name
version: str # The key version (optional)
class KeyReleasePolicy:
"""The policy rules under which a key can be exported."""
encoded_policy: bytes # The policy rules encoded based on content_type
content_type: str # Content type and version of the release policy
immutable: bool # Whether the policy is immutable
class KeyRotationLifetimeAction:
"""Action and trigger performed over a key's lifetime."""
action: KeyRotationPolicyAction # The action to execute
time_after_create: str # Time after creation as ISO 8601 duration
time_before_expiry: str # Time before expiry as ISO 8601 duration
class KeyRotationPolicy:
"""Key rotation policy configuration."""
id: str # Policy identifier
lifetime_actions: List[KeyRotationLifetimeAction] # Lifetime actions
expires_in: str # Expiration time as ISO 8601 duration
created_on: datetime # When policy was created
updated_on: datetime # When policy was last updated
class ReleaseKeyResult:
"""Result of a key release operation."""
value: str # The released key value
class KeyType(str, Enum):
"""Supported key types."""
ec = "EC"
ec_hsm = "EC-HSM"
rsa = "RSA"
rsa_hsm = "RSA-HSM"
oct = "oct"
oct_hsm = "oct-HSM"
class KeyCurveName(str, Enum):
"""Supported elliptic curves."""
p_256 = "P-256" # NIST P-256 elliptic curve
p_384 = "P-384" # NIST P-384 elliptic curve
p_521 = "P-521" # NIST P-521 elliptic curve
p_256_k = "P-256K" # SECG SECP256K1 elliptic curve
class KeyOperation(str, Enum):
"""Supported key operations."""
encrypt = "encrypt"
decrypt = "decrypt"
sign = "sign"
verify = "verify"
wrap_key = "wrapKey"
unwrap_key = "unwrapKey"
import_key = "import"
export = "export"
class KeyExportEncryptionAlgorithm(str, Enum):
"""Supported algorithms for protecting exported key material."""
ckm_rsa_aes_key_wrap = "CKM_RSA_AES_KEY_WRAP"
rsa_aes_key_wrap_256 = "RSA_AES_KEY_WRAP_256"
rsa_aes_key_wrap_384 = "RSA_AES_KEY_WRAP_384"
class KeyRotationPolicyAction(str, Enum):
"""The action that will be executed in a key rotation policy."""
rotate = "Rotate" # Rotate the key based on the key policy
notify = "Notify" # Trigger Event Grid events
class ApiVersion(str, Enum):
"""Key Vault API versions supported by the client."""
V7_6 = "7.6" # Latest version (default)
V7_5 = "7.5"
V7_4 = "7.4"
V7_3 = "7.3"
V7_2 = "7.2"
V7_1 = "7.1"
V7_0 = "7.0"
V2016_10_01 = "2016-10-01"
# Package version constant
__version__: str # Current package version (e.g., "4.11.0")