@azure/keyvault-keys package

Classes

CryptographyClient

A client used to perform cryptographic operations on an Azure Key Vault key or a local JsonWebKey.

KeyClient

The KeyClient provides methods to manage KeyVaultKey in the Azure Key Vault. The client supports creating, retrieving, updating, deleting, purging, backing up, restoring and listing KeyVaultKeys. The client also supports listing DeletedKey for a soft-delete enabled Azure Key Vault.

Interfaces

AesCbcDecryptParameters

Decryption parameters for AES-CBC encryption algorithms.

AesCbcEncryptParameters

Encryption parameters for AES-CBC encryption algorithms.

AesGcmDecryptParameters

Decryption parameters for AES-GCM encryption algorithms.

AesGcmEncryptParameters

Encryption parameters for AES-GCM encryption algorithms.

BackupKeyOptions

Options for backupKey(string, BackupKeyOptions).

BeginDeleteKeyOptions

An interface representing the optional parameters that can be passed to beginDeleteKey(string, BeginDeleteKeyOptions)

BeginRecoverDeletedKeyOptions

An interface representing the optional parameters that can be passed to beginRecoverDeletedKey(string, BeginRecoverDeletedKeyOptions)

CreateEcKeyOptions

An interface representing the optional parameters that can be passed to createEcKey(string, CreateEcKeyOptions)

CreateKeyOptions

An interface representing the optional parameters that can be passed to createKey(string, string, CreateKeyOptions)

CreateOctKeyOptions

An interface representing the optional parameters that can be passed to createOctKey(string, CreateOctKeyOptions)

CreateRsaKeyOptions

An interface representing the optional parameters that can be passed to createRsaKey(string, CreateRsaKeyOptions)

CryptographyClientOptions

The optional parameters accepted by the KeyVault's CryptographyClient

CryptographyOptions

An interface representing the options of the cryptography API methods. See CryptographyClient for more information.

DecryptOptions

Options for decrypt(DecryptParameters, DecryptOptions).

DecryptResult

Result of the decrypt(DecryptParameters, DecryptOptions) operation.

DeletedKey

An interface representing a deleted Key Vault Key.

EncryptOptions

Options for encrypt(EncryptParameters, EncryptOptions).

EncryptResult

Result of the encrypt(EncryptParameters, EncryptOptions) operation.

GetCryptographyClientOptions

Options for getCryptographyClient.

GetDeletedKeyOptions

Options for getDeletedKey(string, GetDeletedKeyOptions).

GetKeyAttestationOptions

Options for getKeyAttestation(string, GetKeyAttestationOptions).

GetKeyOptions

Options for getKey(string, GetKeyOptions).

GetKeyRotationPolicyOptions

Options for KeyClient.getRotationPolicy

GetRandomBytesOptions

Options for getRandomBytes

ImportKeyOptions

An interface representing the optional parameters that can be passed to importKey(string, JsonWebKey, ImportKeyOptions)

JsonWebKey

As of http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18

KeyAttestation

An interface representing the properties of a key's attestation

KeyClientOptions

The optional parameters accepted by the KeyVault's KeyClient

KeyPollerOptions

An interface representing the optional parameters that can be passed to beginDeleteKey(string, BeginDeleteKeyOptions) and beginRecoverDeletedKey(string, BeginRecoverDeletedKeyOptions)

KeyProperties

An interface representing the Properties of KeyVaultKey

KeyReleasePolicy

The policy rules under which a key can be exported.

KeyRotationLifetimeAction

An action and its corresponding trigger that will be performed by Key Vault over the lifetime of a key.

KeyRotationPolicy

The complete key rotation policy that belongs to a key.

KeyRotationPolicyProperties

The properties of a key rotation policy that the client can set for a given key.

You may also reset the key rotation policy to its default values by setting lifetimeActions to an empty array.

KeyVaultKey

An interface representing a Key Vault Key, with its name, value and KeyProperties.

KeyVaultKeyIdentifier

Represents the segments that compose a Key Vault Key Id.

ListDeletedKeysOptions

An interface representing optional parameters for KeyClient paged operations passed to listDeletedKeys(ListDeletedKeysOptions).

ListPropertiesOfKeyVersionsOptions

An interface representing optional parameters for KeyClient paged operations passed to listPropertiesOfKeyVersions(string, ListPropertiesOfKeyVersionsOptions).

ListPropertiesOfKeysOptions

An interface representing optional parameters for KeyClient paged operations passed to listPropertiesOfKeys(ListPropertiesOfKeysOptions).

PageSettings

An interface that tracks the settings for paged iteration

PagedAsyncIterableIterator

An interface that allows async iterable iteration both to completion and by page.

PollOperationState

PollOperationState contains an opinionated list of the smallest set of properties needed to define any long running operation poller.

While the Poller class works as the local control mechanism to start triggering, wait for, and potentially cancel a long running operation, the PollOperationState documents the status of the remote long running operation.

It should be updated at least when the operation starts, when it's finished, and when it's cancelled. Implementations can, however, have any number of other properties that are updated for other reasons.

PollerLike

Abstract representation of a poller, intended to expose just the minimal API that the user needs to work with.

PurgeDeletedKeyOptions

Options for purgeDeletedKey(string, PurgeDeletedKeyOptions).

ReleaseKeyOptions

Options for releaseKey

ReleaseKeyResult

Result of the releaseKey operation.

RestoreKeyBackupOptions

Options for restoreKeyBackup(Uint8Array, RestoreKeyBackupOptions).

RotateKeyOptions

Options for rotateKey

RsaDecryptParameters

Decryption parameters for RSA encryption algorithms.

RsaEncryptParameters

Encryption parameters for RSA encryption algorithms.

SignOptions

Options for sign(string, Uint8Array, SignOptions).

SignResult

Result of the sign(string, Uint8Array, SignOptions) operation.

UnwrapKeyOptions

Options for unwrapKey(KeyWrapAlgorithm, Uint8Array, UnwrapKeyOptions).

UnwrapResult

Result of the unwrap operation.

UpdateKeyPropertiesOptions

Options for updateKeyProperties(string, string, UpdateKeyPropertiesOptions).

UpdateKeyRotationPolicyOptions

Options for updateKeyRotationPolicy

VerifyDataOptions

Options for verifyData(string, Uint8Array, Uint8Array, VerifyOptions)

VerifyOptions

Options for verify(string, Uint8Array, Uint8Array, VerifyOptions).

VerifyResult

Result of the verify(string, Uint8Array, Uint8Array, VerifyOptions) operation.

WrapKeyOptions

Options for wrapKey(KeyWrapAlgorithm, Uint8Array, WrapKeyOptions).

WrapResult

Result of the wrap operation.

Type Aliases

AesCbcEncryptionAlgorithm

A union type representing all supported AES-CBC encryption algorithms.

AesGcmEncryptionAlgorithm

A union type representing all supported AES-GCM encryption algorithms.

DecryptParameters

A type representing all currently supported decryption parameters as they apply to different encryption algorithms.

DeletionRecoveryLevel

Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval.
KnownDeletionRecoveryLevel can be used interchangeably with DeletionRecoveryLevel, this enum contains the known values that the service supports.

Known values supported by the service

Purgeable: Denotes a vault state in which deletion is an irreversible operation, without the possibility for recovery. This level corresponds to no protection being available against a Delete operation; the data is irretrievably lost upon accepting a Delete operation at the entity level or higher (vault, resource group, subscription etc.)
Recoverable+Purgeable: Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days), unless a Purge operation is requested, or the subscription is cancelled. System will permanently delete it after 90 days, if not recovered.
Recoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days) and while the subscription is still available. System will permanently delete it after 90 days, if not recovered.
Recoverable+ProtectedSubscription: Denotes a vault and subscription state in which deletion is recoverable within retention interval (90 days), immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled. System will permanently delete it after 90 days, if not recovered.
CustomizedRecoverable+Purgeable: Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90). This level guarantees the recoverability of the deleted entity during the retention interval, unless a Purge operation is requested, or the subscription is cancelled.
CustomizedRecoverable: Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90). This level guarantees the recoverability of the deleted entity during the retention interval and while the subscription is still available.
CustomizedRecoverable+ProtectedSubscription: Denotes a vault and subscription state in which deletion is recoverable, immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled when 7 <= SoftDeleteRetentionInDays < 90. This level guarantees the recoverability of the deleted entity during the retention interval, and also reflects the fact that the subscription itself cannot be cancelled.

EncryptParameters

A type representing all currently supported encryption parameters as they apply to different encryption algorithms.

EncryptionAlgorithm

An algorithm used for encryption and decryption.
KnownJsonWebKeyEncryptionAlgorithm can be used interchangeably with JsonWebKeyEncryptionAlgorithm; this enum contains the known values that the service supports.

Known values supported by the service

RSA-OAEP: [Not recommended] RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does not recommend RSA_OAEP, which is included solely for backwards compatibility. RSA_OAEP utilizes SHA1, which has known collision problems.
RSA-OAEP-256: RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256.
RSA1_5: [Not recommended] RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does not recommend RSA_1_5, which is included solely for backwards compatibility. Cryptographic standards no longer consider RSA with the PKCS#1 v1.5 padding scheme secure for encryption.
A128GCM: 128-bit AES-GCM.
A192GCM: 192-bit AES-GCM.
A256GCM: 256-bit AES-GCM.
A128KW: 128-bit AES key wrap.
A192KW: 192-bit AES key wrap.
A256KW: 256-bit AES key wrap.
A128CBC: 128-bit AES-CBC.
A192CBC: 192-bit AES-CBC.
A256CBC: 256-bit AES-CBC.
A128CBCPAD: 128-bit AES-CBC with PKCS padding.
A192CBCPAD: 192-bit AES-CBC with PKCS padding.
A256CBCPAD: 256-bit AES-CBC with PKCS padding.
CKM_AES_KEY_WRAP: CKM AES key wrap.
CKM_AES_KEY_WRAP_PAD: CKM AES key wrap with padding.

KeyCurveName

Elliptic curve name. For valid values, see JsonWebKeyCurveName.
KnownJsonWebKeyCurveName can be used interchangeably with JsonWebKeyCurveName; this enum contains the known values that the service supports.

Known values supported by the service

P-256: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.
P-384: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.
P-521: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.
P-256K: The SECG SECP256K1 elliptic curve.

KeyExportEncryptionAlgorithm

Defines values for KeyEncryptionAlgorithm. KnownKeyExportEncryptionAlgorithm can be used interchangeably with KeyEncryptionAlgorithm, this enum contains the known values that the service supports.

Known values supported by the service

CKM_RSA_AES_KEY_WRAP
RSA_AES_KEY_WRAP_256
RSA_AES_KEY_WRAP_384

KeyOperation

JSON web key operations. For more information, see JsonWebKeyOperation.
KnownJsonWebKeyOperation can be used interchangeably with JsonWebKeyOperation; this enum contains the known values that the service supports.

Known values supported by the service

encrypt: Indicates that the key can be used to encrypt.
decrypt: Indicates that the key can be used to decrypt.
sign: Indicates that the key can be used to sign.
verify: Indicates that the key can be used to verify.
wrapKey: Indicates that the key can be used to wrap another key.
unwrapKey: Indicates that the key can be used to unwrap another key.
import: Indicates that the key can be imported during creation.
export: Indicates that the private component of the key can be exported.

KeyRotationPolicyAction

The action that will be executed.

KeyType

JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40.
KnownJsonWebKeyType can be used interchangeably with JsonWebKeyType; this enum contains the known values that the service supports.

Known values supported by the service

EC: Elliptic Curve.
EC-HSM: Elliptic Curve with a private key which is stored in the HSM.
RSA: RSA (https://tools.ietf.org/html/rfc3447)
RSA-HSM: RSA with a private key which is stored in the HSM.
oct: Octet sequence (used to represent symmetric keys)
oct-HSM: Octet sequence (used to represent symmetric keys) which is stored in the HSM.

KeyWrapAlgorithm

Supported algorithms for key wrapping/unwrapping

RsaEncryptionAlgorithm

A union type representing all supported RSA encryption algorithms.

SignatureAlgorithm

The signing/verification algorithm identifier. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm.
KnownJsonWebKeySignatureAlgorithm can be used interchangeably with JsonWebKeySignatureAlgorithm; this enum contains the known values that the service supports.

Known values supported by the service

PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256, as described in https://tools.ietf.org/html/rfc7518
PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384, as described in https://tools.ietf.org/html/rfc7518
PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512, as described in https://tools.ietf.org/html/rfc7518
RS256: RSASSA-PKCS1-v1_5 using SHA-256, as described in https://tools.ietf.org/html/rfc7518
RS384: RSASSA-PKCS1-v1_5 using SHA-384, as described in https://tools.ietf.org/html/rfc7518
RS512: RSASSA-PKCS1-v1_5 using SHA-512, as described in https://tools.ietf.org/html/rfc7518
HS256: HMAC using SHA-256, as described in https://tools.ietf.org/html/rfc7518
HS384: HMAC using SHA-384, as described in https://tools.ietf.org/html/rfc7518
HS512: HMAC using SHA-512, as described in https://tools.ietf.org/html/rfc7518
RSNULL: Reserved
ES256: ECDSA using P-256 and SHA-256, as described in https://tools.ietf.org/html/rfc7518.
ES384: ECDSA using P-384 and SHA-384, as described in https://tools.ietf.org/html/rfc7518
ES512: ECDSA using P-521 and SHA-512, as described in https://tools.ietf.org/html/rfc7518
ES256K: ECDSA using P-256K and SHA-256, as described in https://tools.ietf.org/html/rfc7518

Enums

KnownDeletionRecoveryLevel

Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval.

KnownEncryptionAlgorithms

An algorithm used for encryption and decryption.

KnownKeyCurveNames

Elliptic curve name. For valid values, see JsonWebKeyCurveName.

KnownKeyExportEncryptionAlgorithm

The encryption algorithm to use to protect the exported key material.

KnownKeyOperations

Known values of KeyOperation that the service accepts.

KnownKeyTypes

JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40.

KnownSignatureAlgorithms

The signing/verification algorithm identifier. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm.

Functions

parseKeyVaultKeyIdentifier(string)

Parses the given Key Vault Key Id. An example is:

https://<keyvault-name>.vault.azure.net/keys/<key-name>/<unique-version-id>

On parsing the above Id, this function returns:

  {
     sourceId: "https://<keyvault-name>.vault.azure.net/keys/<key-name>/<unique-version-id>",
     vaultUrl: "https://<keyvault-name>.vault.azure.net",
     version: "<unique-version-id>",
     name: "<key-name>"
  }

Function Details

parseKeyVaultKeyIdentifier(string)

Parses the given Key Vault Key Id. An example is:

https://<keyvault-name>.vault.azure.net/keys/<key-name>/<unique-version-id>

On parsing the above Id, this function returns:

  {
     sourceId: "https://<keyvault-name>.vault.azure.net/keys/<key-name>/<unique-version-id>",
     vaultUrl: "https://<keyvault-name>.vault.azure.net",
     version: "<unique-version-id>",
     name: "<key-name>"
  }

function parseKeyVaultKeyIdentifier(id: string): KeyVaultKeyIdentifier

Parameters

id

string

The Id of the Key Vault Key.

Returns