Back up, delete and restore keys in Azure Key Vault with JavaScript

Create the KeyClient with the appropriate programmatic authentication credentials, then create a CryptographyClient use the client to set, update, and rotate a key in Azure Key Vault.

Back up, delete, purge and restore key

Before deleting a key and its versions, back up the key and serialize to a secure data store. Once the key is backed up, delete the key and all versions. If the vault uses soft-deletes, you can wait for the purge date to pass or purge the key manually. Once the key is purged, you can restore the key and all version from the backup. If you want to restore the key prior to the purge, you don't need to use the backup object but instead you can recover the soft-deleted key and all versions.

// Authenticate to Azure Key Vault
const credential = new DefaultAzureCredential();
const client = new KeyClient(

// Create key
const keyName = `myKey-${}`;
const key = await client.createRsaKey(keyName);
console.log(`${} is created`);

// Backup key and all versions (as Uint8Array)
const keyBackup = await client.backupKey(keyName);
console.log(`${} is backed up`);

// Delete key - wait until delete is complete
await (await client.beginDeleteKey(keyName)).pollUntilDone();
console.log(`${} is deleted`);

// Purge soft-deleted key 
await client.purgeDeletedKey(keyName);
console.log(`Soft-deleted key, ${}, is purged`);

if (keyBackup) {
    // Restore key and all versions to
    // Get last version
    const { name, key, properties } = await client.restoreKeyBackup(keyBackup);
    console.log(`${name} is restored from backup, latest version is ${properties.version}`);
    // do something with key

Next steps