@azure/keyvault-keys
Advanced tools
@azure/keyvault-keys is an npm package that provides a client library for managing keys in Azure Key Vault. It allows you to create, import, update, delete, and manage keys, as well as perform cryptographic operations such as encryption, decryption, signing, and verifying.
Create a Key
This feature allows you to create a new key in Azure Key Vault. The code sample demonstrates how to create an RSA key using the KeyClient.
const { DefaultAzureCredential } = require('@azure/identity');
const { KeyClient } = require('@azure/keyvault-keys');
const credential = new DefaultAzureCredential();
const keyClient = new KeyClient('https://<your-key-vault-name>.vault.azure.net', credential);
async function createKey() {
const keyName = 'myKey';
const result = await keyClient.createKey(keyName, 'RSA');
console.log('Key created:', result);
}
createKey();Get a Key
This feature allows you to retrieve an existing key from Azure Key Vault. The code sample demonstrates how to get a key by its name using the KeyClient.
const { DefaultAzureCredential } = require('@azure/identity');
const { KeyClient } = require('@azure/keyvault-keys');
const credential = new DefaultAzureCredential();
const keyClient = new KeyClient('https://<your-key-vault-name>.vault.azure.net', credential);
async function getKey() {
const keyName = 'myKey';
const result = await keyClient.getKey(keyName);
console.log('Key retrieved:', result);
}
getKey();Delete a Key
This feature allows you to delete an existing key from Azure Key Vault. The code sample demonstrates how to start the deletion process for a key using the KeyClient.
const { DefaultAzureCredential } = require('@azure/identity');
const { KeyClient } = require('@azure/keyvault-keys');
const credential = new DefaultAzureCredential();
const keyClient = new KeyClient('https://<your-key-vault-name>.vault.azure.net', credential);
async function deleteKey() {
const keyName = 'myKey';
const result = await keyClient.beginDeleteKey(keyName);
console.log('Key deletion started:', result);
}
deleteKey();Encrypt Data
This feature allows you to encrypt data using a key stored in Azure Key Vault. The code sample demonstrates how to encrypt data using the CryptographyClient.
const { DefaultAzureCredential } = require('@azure/identity');
const { KeyClient, CryptographyClient } = require('@azure/keyvault-keys');
const credential = new DefaultAzureCredential();
const keyClient = new KeyClient('https://<your-key-vault-name>.vault.azure.net', credential);
async function encryptData() {
const keyName = 'myKey';
const key = await keyClient.getKey(keyName);
const cryptoClient = new CryptographyClient(key.id, credential);
const plaintext = Buffer.from('my secret data');
const result = await cryptoClient.encrypt('RSA-OAEP', plaintext);
console.log('Encrypted data:', result.result);
}
encryptData();Decrypt Data
This feature allows you to decrypt data using a key stored in Azure Key Vault. The code sample demonstrates how to decrypt data using the CryptographyClient.
const { DefaultAzureCredential } = require('@azure/identity');
const { KeyClient, CryptographyClient } = require('@azure/keyvault-keys');
const credential = new DefaultAzureCredential();
const keyClient = new KeyClient('https://<your-key-vault-name>.vault.azure.net', credential);
async function decryptData() {
const keyName = 'myKey';
const key = await keyClient.getKey(keyName);
const cryptoClient = new CryptographyClient(key.id, credential);
const encryptedData = Buffer.from('<your-encrypted-data>', 'base64');
const result = await cryptoClient.decrypt('RSA-OAEP', encryptedData);
console.log('Decrypted data:', result.result.toString());
}
decryptData();The aws-sdk package provides a comprehensive set of tools for interacting with AWS services, including AWS Key Management Service (KMS). It allows you to create, manage, and use cryptographic keys in AWS. Compared to @azure/keyvault-keys, aws-sdk offers broader functionality across various AWS services but may have a steeper learning curve for those only interested in key management.
The node-jose package is a JavaScript library for JSON Object Signing and Encryption (JOSE) and provides tools for working with cryptographic keys and performing cryptographic operations. While it is not tied to a specific cloud provider, it offers a more general-purpose approach to key management and cryptographic operations compared to @azure/keyvault-keys.
Azure KeyVault is a service that allows you to encrypt authentication keys, storage account keys, data encryption keys, .pfx files, and passwords by using keys that are protected by hardware security modules (HSMs).
Azure KeyVault Key management allows you to create and control encryption keys that encrypt your data.
Use the client library for Azure KeyVault Keys in your Node.js application to
Source code | Package (npm) | API Reference Documentation | Product documentation | Samples
Install the Azure Event KeyVault Keys client library using npm
npm install @azure/keyvault-keys
Prerequisites: You must have an Azure subscription and a KeyVault resource to use this package. If you are using this package in a Node.js application, then use Node.js 6.x or higher.
TypeScript users need to have Node type definitions installed:
npm install @types/node
You also need to enable compilerOptions.allowSyntheticDefaultImports in your tsconfig.json. Note that if you have enabled compilerOptions.esModuleInterop, allowSyntheticDefaultImports is enabled by default. See TypeScript's compiler options handbook for more information.
Use the Azure Cloud Shell snippet below to create/get client secret credentials.
Create a service principal and configure its access to Azure resources:
az ad sp create-for-rbac -n <your-application-name> --skip-assignment
Output:
{
"appId": "generated-app-ID",
"displayName": "dummy-app-name",
"name": "http://dummy-app-name",
"password": "random-password",
"tenant": "tenant-ID"
}
Use the above returned credentials information to set AZURE_CLIENT_ID(appId), AZURE_CLIENT_SECRET(password) and AZURE_TENANT_ID(tenant) environment variables. The following example shows a way to do this in Bash:
export AZURE_CLIENT_ID="generated-app-ID"
export AZURE_CLIENT_SECRET="random-password"
export AZURE_TENANT_ID="tenant-ID"
Grant the above mentioned application authorization to perform secret operations on the keyvault:
az keyvault set-policy --name <your-key-vault-name> --spn $AZURE_CLIENT_ID --secret-permissions backup delete get list set
--secret-permissions: Accepted values: backup, delete, get, list, purge, recover, restore, set
Use the above mentioned Key Vault name to retrieve details of your Vault which also contains your Key Vault URL:
az keyvault show --name <your-key-vault-name>
To use the key vault from TypeScript/JavaScript, you need to first authenticate with the key vault service. To authenticate, first we import the identity and KeysClient, which will connect to the key vault.
import { EnvironmentCredential } from "@azure/identity";
import { KeysClient } from "@azure/keyvault-keys";
Once these are imported, we can next connect to the key vault service. To do this, we'll need to copy some settings from the key vault we are connecting to into our environment variables. Once they are in our environment, we can access them with the following code:
// EnvironmentCredential expects the following three environment variables:
// * AZURE_TENANT_ID: The tenant ID in Azure Active Directory
// * AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant
// * AZURE_CLIENT_SECRET: The client secret for the registered application
const credential = new EnvironmentCredential();
// Build the URL to reach your key vault
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
// Lastly, create our keys client and connect to the service
const client = new KeysClient(url, credential);
Azure Key Vault allows you to create and store keys in the key vault. Azure supports RSA keys and elliptic curve keys, each with corresponding support in hardware security modules (HSM).
Multiple keys, and multiple versions of the same key, can be kept in the key vault. Keys can be listed, as well as versions of the same key. Keys can have attributes (Eg, if it is enabled) updated after they are created. Keys can also be deleted, and -- in key vaults with soft delete -- these deleted keys can be recovered.
Azure Key Vault allows you to create keys that are stored in the key vault. When a key is first created, it is given a name. This name acts as a way to reach the key later.
Keys in the key vault can have multiple versions of the same key. These are called versions of that key.
Keys can be created using either RSA or elliptic curve algorithms, each with corresponding support for hardware security modules (HSMs).
In addition to creating keys, existing key data can be imported into a key vault.
The simplest way to read keys back from the vault is to get a key by name. This will retrieve the most recent version of the key. You can optionally get a different version of the key if you also know the version you want.
Key vaults also support listing the keys they have, as well as listing the all the versions of the given key.
Once a key is created, it is possible to update attributes of the key. For example, if a key needs to be temporarily unavailable, the enabled attribute can be set to false for a time.
Key vaults allow deleting keys so that they are no longer available.
In key vaults with 'soft delete' enabled, keys are not immediately removed but instead marked simply as 'deleted'. These deleted keys can be listed, purged, and recovered.
The following sections provide code snippets that cover some of the common tasks using Azure KeyVault Keys.
Once you have authenticated and created an instance of an KeysClient class (see "Authenticate the client" above), you can create, read, update, and delete keys:
createKey creates a Key to be stored in the Azure Key Vault. If a key with the same name already exists, then a new version of the key is created.
const keyName = "MyKeyName";
const result = await client.createKey(keyName, "RSA");
console.log("result: ", result);
getKey retrieves a key previous stores in the Key Vault.
const getResult = await client.getKey(keyName);
console.log("getResult: ", getResult);
listKeyVersions will list versions of the given key.
for await (let version of client.listKeyVersions(keyName)) {
console.log("version: ", version);
}
listKeys will list all keys in the Key Vault.
for await (let listedKey of client.listKeys()) {
console.log("key: ", listedKey);
}
updateKey updates the attributes of a key.
const updatedKey = await client.updateKeyAttributes(keyName, result.version, { enabled: false });
deleteKey deletes a key previously stored in the Key Vault. When soft-delete is not enabled for the Key Vault, this operation permanently deletes the key.
await client.deleteKey(keyName);
You can set the following environment variable to get the debug logs when using this library.
export DEBUG=azure*
export DEBUG=azure*,rhea*
DEBUG environment variable as follows:export DEBUG=azure*,rhea*,-rhea:raw,-rhea:message,-azure:amqp-common:datatransformer
DEBUG environment variable as follows:export DEBUG=azure:keyvault-keys:error,azure-amqp-common:error,rhea-promise:error,rhea:events,rhea:frames,rhea:io,rhea:flow
DEBUG environment variable as shown above and then run your test script as follows:
out.log and logging statements from the sdk go to debug.log.
node your-test-script.js > out.log 2>debug.log
out.log by redirecting stderr to stdout (&1), and then redirect stdout to a file:
node your-test-script.js >out.log 2>&1
out.log.
node your-test-script.js &> out.log
Please take a look at the samples directory for detailed examples on how to use this library.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
FAQs
Isomorphic client library for Azure KeyVault's keys.
The npm package @azure/keyvault-keys receives a total of 934,158 weekly downloads. As such, @azure/keyvault-keys popularity was classified as popular.
We found that @azure/keyvault-keys demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
Security News
A Stanford study reveals 9.5% of engineers contribute almost nothing, costing tech $90B annually, with remote work fueling the rise of "ghost engineers."