Encrypt and decrypt data using a key in Azure Key Vault with JavaScript

Create the KeyClient with the appropriate programmatic authentication credentials, then create a CryptographyClient use the client to set, update, and rotate a key in Azure Key Vault.

Select an encryption algorithm

To make the best use of the SDK and its provided enums and types, select your encryption algorithm before continuing to the next section.

  • RSA - Rivest–Shamir–Adleman
  • AES GCM - Advanced Encryption Standard Galois Counter Mode
  • AES CBC - Advanced Encryption Standard Cipher Block Chaining

Use the KnownEncryptionAlgorithms enum to select a specific algorithm.

import {
} from '@azure/keyvault-keys';

const myAlgorithm = KnownEncryptionAlgorithms.RSAOaep256

Get encryption key

Create or get your KeyVaultKey encryption key from the Key Vault to use with encryption and decryption.

Encrypt and decrypt with a key

Encryption requires one of the following parameter objects:

All three parameter objects require the algorithm and the plaintext used to encrypt. An example of RSA encryption parameters is shown below.

import { DefaultAzureCredential } from '@azure/identity';
import {
} from '@azure/keyvault-keys';

// get service client using AZURE_KEYVAULT_NAME environment variable
const credential = new DefaultAzureCredential();
const serviceClient = new KeyClient(

// get existing key
const keyVaultKey = await serviceClient.getKey('myRsaKey');

if (keyVaultKey?.name) {

    // get encryption client
    const encryptClient = new CryptographyClient(keyVaultKey, credential);
    // set data to encrypt
    const originalInfo = 'Hello World';
    // set encryption algorithm
    const algorithm = KnownEncryptionAlgorithms.RSAOaep256;
    // encrypt settings: RsaEncryptParameters | AesGcmEncryptParameters | AesCbcEncryptParameters
    const encryptParams = {
        plaintext: Buffer.from(originalInfo)
    // encrypt
    const encryptResult = await encryptClient.encrypt(encryptParams);
    // ... hand off encrypted result to another process
    // ... other process needs to decrypt data

    // decrypt settings: DecryptParameters
    const decryptParams = {
        ciphertext: encryptResult.result
    // decrypt
    const decryptResult = await encryptClient.decrypt(decryptParams);

The encryptParams object sets the parameters for encryption. Use the following encrypt parameter objects to set properties.

The decryptParams object sets the parameters for decryption. Use the following decrypt parameter objects to set properties.

Next steps