0
# Extended Vault Information
1
2
Management of additional vault metadata and extended configuration information beyond the core vault properties. Extended vault information includes algorithm settings, integrity validation parameters, and additional metadata that supports advanced backup and recovery scenarios.
3
4
## Capabilities
5
6
### Get Extended Vault Information
7
8
Retrieves extended information and metadata for a Recovery Services vault.
9
10
```python { .api }
11
def get(resource_group_name: str, vault_name: str, **kwargs) -> VaultExtendedInfoResource:
12
"""
13
Get the vault extended info.
14
15
Parameters:
16
- resource_group_name: str - The name of the resource group
17
- vault_name: str - The name of the recovery services vault
18
19
Returns:
20
VaultExtendedInfoResource: Extended information resource for the vault
21
"""
22
```
23
24
**Usage Example:**
25
26
```python
27
# Get extended vault information
28
extended_info = client.vault_extended_info.get(
29
resource_group_name="my-rg",
30
vault_name="my-vault"
31
)
32
33
print(f"Extended Info ID: {extended_info.id}")
34
print(f"Extended Info Name: {extended_info.name}")
35
36
if extended_info.properties:
37
print(f"Integrity Key: {extended_info.properties.integrity_key}")
38
print(f"Encryption Key: {extended_info.properties.encryption_key}")
39
print(f"Encryption Key Thumbprint: {extended_info.properties.encryption_key_thumbprint}")
40
print(f"Algorithm: {extended_info.properties.algorithm}")
41
```
42
43
### Create or Update Extended Vault Information
44
45
Creates or updates extended information for a Recovery Services vault.
46
47
```python { .api }
48
def create_or_update(
49
resource_group_name: str,
50
vault_name: str,
51
resource_extended_info_details: Union[VaultExtendedInfoResource, IO[bytes]],
52
**kwargs
53
) -> VaultExtendedInfoResource:
54
"""
55
Create vault extended info.
56
57
Parameters:
58
- resource_group_name: str - The name of the resource group
59
- vault_name: str - The name of the recovery services vault
60
- resource_extended_info_details: Union[VaultExtendedInfoResource, IO[bytes]] - Details for creating the vault extended info
61
62
Returns:
63
VaultExtendedInfoResource: The created or updated extended information resource
64
"""
65
```
66
67
**Usage Example:**
68
69
```python
70
from azure.mgmt.recoveryservices.models import VaultExtendedInfoResource
71
import base64
72
import os
73
74
# Generate encryption and integrity keys (simplified example)
75
encryption_key = base64.b64encode(os.urandom(32)).decode('utf-8')
76
integrity_key = base64.b64encode(os.urandom(64)).decode('utf-8')
77
78
# Create extended info resource
79
extended_info = VaultExtendedInfoResource(
80
properties={
81
"integrity_key": integrity_key,
82
"encryption_key": encryption_key,
83
"encryption_key_thumbprint": "sample_thumbprint",
84
"algorithm": "None" # or appropriate algorithm
85
}
86
)
87
88
# Create/update extended vault information
89
result = client.vault_extended_info.create_or_update(
90
resource_group_name="my-rg",
91
vault_name="my-vault",
92
resource_extended_info_details=extended_info
93
)
94
95
print(f"Extended info created/updated: {result.name}")
96
print(f"Algorithm: {result.properties.algorithm}")
97
```
98
99
### Update Extended Vault Information
100
101
Updates existing extended information for a Recovery Services vault.
102
103
```python { .api }
104
def update(
105
resource_group_name: str,
106
vault_name: str,
107
resource_extended_info_details: Union[VaultExtendedInfoResource, IO[bytes]],
108
**kwargs
109
) -> VaultExtendedInfoResource:
110
"""
111
Update vault extended info.
112
113
Parameters:
114
- resource_group_name: str - The name of the resource group
115
- vault_name: str - The name of the recovery services vault
116
- resource_extended_info_details: Union[VaultExtendedInfoResource, IO[bytes]] - Details for updating the vault extended info
117
118
Returns:
119
VaultExtendedInfoResource: The updated extended information resource
120
"""
121
```
122
123
**Usage Example:**
124
125
```python
126
# Get current extended info
127
current_info = client.vault_extended_info.get("my-rg", "my-vault")
128
129
# Update with new algorithm
130
if current_info.properties:
131
updated_info = VaultExtendedInfoResource(
132
properties={
133
"integrity_key": current_info.properties.integrity_key,
134
"encryption_key": current_info.properties.encryption_key,
135
"encryption_key_thumbprint": current_info.properties.encryption_key_thumbprint,
136
"algorithm": "SHA256" # Updated algorithm
137
}
138
)
139
140
# Apply update
141
result = client.vault_extended_info.update(
142
resource_group_name="my-rg",
143
vault_name="my-vault",
144
resource_extended_info_details=updated_info
145
)
146
147
print(f"Extended info updated. New algorithm: {result.properties.algorithm}")
148
```
149
150
## Extended Information Types
151
152
### Vault Extended Info Resource
153
154
```python { .api }
155
class VaultExtendedInfoResource:
156
"""
157
Vault extended information.
158
159
Parameters:
160
- id: Optional[str] - Resource Id represents the complete path to the resource
161
- name: Optional[str] - Resource name associated with the resource
162
- type: Optional[str] - Resource type represents the complete path of the form Namespace/ResourceType/ResourceType/...
163
- e_tag: Optional[str] - Optional ETag
164
- properties: Optional[VaultExtendedInfo] - Extended information properties
165
"""
166
```
167
168
### Vault Extended Info Properties
169
170
```python { .api }
171
class VaultExtendedInfo:
172
"""
173
Vault extended information.
174
175
Parameters:
176
- integrity_key: Optional[str] - Integrity key used for data integrity validation
177
- encryption_key: Optional[str] - Encryption key used for encrypting backup data
178
- encryption_key_thumbprint: Optional[str] - Encryption key thumbprint
179
- algorithm: Optional[str] - Algorithm used for data protection
180
"""
181
```
182
183
## Usage Patterns
184
185
### Secure Extended Info Management
186
187
```python
188
import base64
189
import os
190
from cryptography.hazmat.primitives import hashes
191
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
192
193
def setup_vault_extended_info_securely(client, resource_group: str, vault_name: str, passphrase: str = None):
194
"""
195
Set up extended vault information with secure key generation.
196
"""
197
198
try:
199
# Generate secure keys
200
encryption_key = base64.b64encode(os.urandom(32)).decode('utf-8')
201
integrity_key = base64.b64encode(os.urandom(64)).decode('utf-8')
202
203
# Generate thumbprint for the encryption key
204
key_bytes = base64.b64decode(encryption_key)
205
digest = hashes.Hash(hashes.SHA256())
206
digest.update(key_bytes)
207
thumbprint = base64.b64encode(digest.finalize()).decode('utf-8')[:16]
208
209
# Create extended info
210
extended_info = VaultExtendedInfoResource(
211
properties={
212
"integrity_key": integrity_key,
213
"encryption_key": encryption_key,
214
"encryption_key_thumbprint": thumbprint,
215
"algorithm": "SHA256"
216
}
217
)
218
219
# Apply to vault
220
result = client.vault_extended_info.create_or_update(
221
resource_group_name=resource_group,
222
vault_name=vault_name,
223
resource_extended_info_details=extended_info
224
)
225
226
print(f"✅ Extended info configured for vault: {vault_name}")
227
print(f"Algorithm: {result.properties.algorithm}")
228
print(f"Encryption Key Thumbprint: {result.properties.encryption_key_thumbprint}")
229
230
# Store keys securely (example - in production use Azure Key Vault)
231
secure_info = {
232
"vault": vault_name,
233
"encryption_key": encryption_key,
234
"integrity_key": integrity_key,
235
"thumbprint": thumbprint,
236
"algorithm": result.properties.algorithm
237
}
238
239
return secure_info
240
241
except Exception as e:
242
print(f"Error setting up extended vault info: {e}")
243
raise
244
245
def backup_extended_info_keys(client, resource_group: str, vault_name: str, backup_file: str):
246
"""
247
Backup extended vault information to a secure file.
248
Note: In production, use Azure Key Vault for secure key storage.
249
"""
250
251
try:
252
# Get current extended info
253
extended_info = client.vault_extended_info.get(resource_group, vault_name)
254
255
if not extended_info.properties:
256
print("No extended information found for vault")
257
return
258
259
# Prepare backup data (excluding sensitive keys in this example)
260
backup_data = {
261
"vault_name": vault_name,
262
"resource_group": resource_group,
263
"timestamp": datetime.now().isoformat(),
264
"algorithm": extended_info.properties.algorithm,
265
"encryption_key_thumbprint": extended_info.properties.encryption_key_thumbprint,
266
# Note: In production, encrypt these keys before storing
267
"has_encryption_key": bool(extended_info.properties.encryption_key),
268
"has_integrity_key": bool(extended_info.properties.integrity_key)
269
}
270
271
with open(backup_file, 'w') as f:
272
json.dump(backup_data, f, indent=2)
273
274
print(f"✅ Extended info metadata backed up to {backup_file}")
275
print("⚠️ Note: Actual keys not included for security. Use Azure Key Vault for key backup.")
276
277
except Exception as e:
278
print(f"Error backing up extended info: {e}")
279
raise
280
```
281
282
### Extended Info Validation
283
284
```python
285
def validate_extended_info(extended_info: VaultExtendedInfoResource) -> bool:
286
"""
287
Validate extended vault information for completeness and security.
288
"""
289
290
if not extended_info:
291
print("❌ Extended info is None")
292
return False
293
294
if not extended_info.properties:
295
print("❌ Extended info properties are missing")
296
return False
297
298
props = extended_info.properties
299
validation_results = []
300
301
# Check encryption key
302
if props.encryption_key:
303
try:
304
key_bytes = base64.b64decode(props.encryption_key)
305
if len(key_bytes) >= 32:
306
validation_results.append("✅ Encryption key is present and adequate length")
307
else:
308
validation_results.append("⚠️ Encryption key is shorter than recommended (32 bytes)")
309
except Exception:
310
validation_results.append("❌ Encryption key is not valid base64")
311
else:
312
validation_results.append("❌ Encryption key is missing")
313
314
# Check integrity key
315
if props.integrity_key:
316
try:
317
key_bytes = base64.b64decode(props.integrity_key)
318
if len(key_bytes) >= 32:
319
validation_results.append("✅ Integrity key is present and adequate length")
320
else:
321
validation_results.append("⚠️ Integrity key is shorter than recommended (32 bytes)")
322
except Exception:
323
validation_results.append("❌ Integrity key is not valid base64")
324
else:
325
validation_results.append("❌ Integrity key is missing")
326
327
# Check thumbprint
328
if props.encryption_key_thumbprint:
329
validation_results.append("✅ Encryption key thumbprint is present")
330
else:
331
validation_results.append("⚠️ Encryption key thumbprint is missing")
332
333
# Check algorithm
334
if props.algorithm:
335
if props.algorithm in ["SHA256", "SHA512", "AES256"]:
336
validation_results.append(f"✅ Algorithm is set to secure option: {props.algorithm}")
337
elif props.algorithm == "None":
338
validation_results.append("⚠️ Algorithm is set to 'None' - consider using cryptographic algorithm")
339
else:
340
validation_results.append(f"⚠️ Unknown algorithm: {props.algorithm}")
341
else:
342
validation_results.append("❌ Algorithm is not specified")
343
344
# Print results
345
print("Extended Info Validation Results:")
346
for result in validation_results:
347
print(f" {result}")
348
349
# Return overall success
350
failed_checks = [r for r in validation_results if r.startswith("❌")]
351
return len(failed_checks) == 0
352
353
def rotate_extended_info_keys(client, resource_group: str, vault_name: str):
354
"""
355
Rotate encryption and integrity keys for enhanced security.
356
"""
357
358
try:
359
# Get current extended info
360
current_info = client.vault_extended_info.get(resource_group, vault_name)
361
362
if not current_info.properties:
363
print("No existing extended info found. Create initial configuration first.")
364
return
365
366
# Generate new keys
367
new_encryption_key = base64.b64encode(os.urandom(32)).decode('utf-8')
368
new_integrity_key = base64.b64encode(os.urandom(64)).decode('utf-8')
369
370
# Generate new thumbprint
371
key_bytes = base64.b64decode(new_encryption_key)
372
digest = hashes.Hash(hashes.SHA256())
373
digest.update(key_bytes)
374
new_thumbprint = base64.b64encode(digest.finalize()).decode('utf-8')[:16]
375
376
# Update extended info with new keys
377
updated_info = VaultExtendedInfoResource(
378
properties={
379
"integrity_key": new_integrity_key,
380
"encryption_key": new_encryption_key,
381
"encryption_key_thumbprint": new_thumbprint,
382
"algorithm": current_info.properties.algorithm or "SHA256"
383
}
384
)
385
386
# Apply update
387
result = client.vault_extended_info.update(
388
resource_group_name=resource_group,
389
vault_name=vault_name,
390
resource_extended_info_details=updated_info
391
)
392
393
print(f"✅ Successfully rotated keys for vault: {vault_name}")
394
print(f"New encryption key thumbprint: {result.properties.encryption_key_thumbprint}")
395
print("⚠️ Important: Update any systems using the old keys")
396
397
return {
398
"old_thumbprint": current_info.properties.encryption_key_thumbprint,
399
"new_thumbprint": result.properties.encryption_key_thumbprint,
400
"rotation_time": datetime.now().isoformat()
401
}
402
403
except Exception as e:
404
print(f"Error rotating extended info keys: {e}")
405
raise
406
```
407
408
### Extended Info Monitoring
409
410
```python
411
def monitor_extended_info_health(client, resource_group: str, vault_name: str):
412
"""
413
Monitor the health and configuration of extended vault information.
414
"""
415
416
try:
417
extended_info = client.vault_extended_info.get(resource_group, vault_name)
418
419
print(f"🔍 Extended Info Health Check for Vault: {vault_name}")
420
print("=" * 60)
421
422
if not extended_info:
423
print("❌ CRITICAL: No extended information configured")
424
return {"status": "critical", "issues": ["No extended info"]}
425
426
if not extended_info.properties:
427
print("❌ CRITICAL: Extended information properties missing")
428
return {"status": "critical", "issues": ["Missing properties"]}
429
430
props = extended_info.properties
431
issues = []
432
warnings = []
433
434
# Check encryption key
435
if not props.encryption_key:
436
issues.append("Missing encryption key")
437
438
# Check integrity key
439
if not props.integrity_key:
440
issues.append("Missing integrity key")
441
442
# Check thumbprint
443
if not props.encryption_key_thumbprint:
444
warnings.append("Missing encryption key thumbprint")
445
446
# Check algorithm
447
if not props.algorithm or props.algorithm == "None":
448
warnings.append("No cryptographic algorithm specified")
449
450
# Report results
451
if issues:
452
print("❌ CRITICAL ISSUES:")
453
for issue in issues:
454
print(f" - {issue}")
455
status = "critical"
456
elif warnings:
457
print("⚠️ WARNINGS:")
458
for warning in warnings:
459
print(f" - {warning}")
460
status = "warning"
461
else:
462
print("✅ All checks passed")
463
status = "healthy"
464
465
# Show configuration summary
466
print("\n📋 Configuration Summary:")
467
print(f" Algorithm: {props.algorithm or 'Not set'}")
468
print(f" Has Encryption Key: {'Yes' if props.encryption_key else 'No'}")
469
print(f" Has Integrity Key: {'Yes' if props.integrity_key else 'No'}")
470
print(f" Key Thumbprint: {props.encryption_key_thumbprint or 'Not set'}")
471
472
return {
473
"status": status,
474
"issues": issues,
475
"warnings": warnings,
476
"configuration": {
477
"algorithm": props.algorithm,
478
"has_encryption_key": bool(props.encryption_key),
479
"has_integrity_key": bool(props.integrity_key),
480
"has_thumbprint": bool(props.encryption_key_thumbprint)
481
}
482
}
483
484
except Exception as e:
485
print(f"Error monitoring extended info health: {e}")
486
return {"status": "error", "error": str(e)}
487
```