CryptographyClient class
A client used to perform cryptographic operations on an Azure Key vault key or a local JsonWebKey.
Constructors
| Cryptography |
Constructs a new instance of the Cryptography client for the given key in local mode. Example usage: |
| Cryptography |
Constructs a new instance of the Cryptography client for the given key Example usage: |
Properties
| keyID | The ID of the key used to perform cryptographic operations for the client. |
| vault |
The base URL to the vault. If a local JsonWebKey is used vaultUrl will be empty. |
Methods
| decrypt(Decrypt |
Decrypts the given ciphertext with the specified decryption parameters. Depending on the algorithm used in the decryption parameters, the set of possible decryption parameters will change. Microsoft recommends you not use CBC without first ensuring the integrity of the ciphertext using, for example, an HMAC. See https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information. Example usage: |
| decrypt(string, Uint8Array, Decrypt |
Decrypts the given ciphertext with the specified cryptography algorithm Example usage: Microsoft recommends you not use CBC without first ensuring the integrity of the ciphertext using, for example, an HMAC. See https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information. |
| encrypt(Encrypt |
Encrypts the given plaintext with the specified encryption parameters. Depending on the algorithm set in the encryption parameters, the set of possible encryption parameters will change. Example usage: |
| encrypt(string, Uint8Array, Encrypt |
Encrypts the given plaintext with the specified cryptography algorithm Example usage: |
| sign(string, Uint8Array, Sign |
Cryptographically sign the digest of a message Example usage: |
| sign |
Cryptographically sign a block of data Example usage: |
| unwrap |
Unwraps the given wrapped key using the specified cryptography algorithm Example usage: |
| verify(string, Uint8Array, Uint8Array, Verify |
Verify the signed message digest Example usage: |
| verify |
Verify the signed block of data Example usage: |
| wrap |
Wraps the given key using the specified cryptography algorithm Example usage: |
Constructor Details
CryptographyClient(JsonWebKey)
Constructs a new instance of the Cryptography client for the given key in local mode.
Example usage:
import { CryptographyClient } from "@azure/keyvault-keys";
const jsonWebKey = {
kty: "RSA",
kid: "test-key-123",
use: "sig",
alg: "RS256",
n: new Uint8Array([112, 34, 56, 98, 123, 244, 200, 99]),
e: new Uint8Array([1, 0, 1]),
d: new Uint8Array([45, 67, 89, 23, 144, 200, 76, 233]),
p: new Uint8Array([34, 89, 100, 77, 204, 56, 29, 77]),
q: new Uint8Array([78, 99, 201, 45, 188, 34, 67, 90]),
dp: new Uint8Array([23, 45, 78, 56, 200, 144, 32, 67]),
dq: new Uint8Array([12, 67, 89, 144, 99, 56, 23, 45]),
qi: new Uint8Array([78, 90, 45, 201, 34, 67, 120, 55]),
};
const client = new CryptographyClient(jsonWebKey);
new CryptographyClient(key: JsonWebKey)Parameters
- key
- JsonWebKey
The JsonWebKey to use during cryptography operations.
CryptographyClient(string | KeyVaultKey, TokenCredential, CryptographyClientOptions)
Constructs a new instance of the Cryptography client for the given key
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
// Create or retrieve a key from the keyvault
const myKey = await client.createKey("MyKey", "RSA");
// Lastly, create our cryptography client and connect to the service
const cryptographyClient = new CryptographyClient(myKey, credential);
new CryptographyClient(key: string | KeyVaultKey, credential: TokenCredential, pipelineOptions?: CryptographyClientOptions)Parameters
- key
-
string | KeyVaultKey
The key to use during cryptography tasks. You can also pass the identifier of the key i.e its url here.
- credential
- TokenCredential
An object that implements the TokenCredential interface used to authenticate requests to the service. Use the @azure/identity package to create a credential that suits your needs.
- pipelineOptions
- CryptographyClientOptions
Pipeline options used to configure Key Vault API requests. Omit this parameter to use the default pipeline configuration.
Property Details
keyID
The ID of the key used to perform cryptographic operations for the client.
undefined | string keyIDProperty Value
undefined | string
vaultUrl
The base URL to the vault. If a local JsonWebKey is used vaultUrl will be empty.
string vaultUrlProperty Value
string
Method Details
decrypt(DecryptParameters, DecryptOptions)
Decrypts the given ciphertext with the specified decryption parameters. Depending on the algorithm used in the decryption parameters, the set of possible decryption parameters will change.
Microsoft recommends you not use CBC without first ensuring the integrity of the ciphertext using, for example, an HMAC. See https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey.id, credential);
const encryptResult = await cryptographyClient.encrypt({
algorithm: "RSA1_5",
plaintext: Buffer.from("My Message"),
});
console.log("encrypt result: ", encryptResult.result);
const decryptResult = await cryptographyClient.decrypt({
algorithm: "RSA1_5",
ciphertext: encryptResult.result,
});
console.log("decrypt result: ", decryptResult.result.toString());
function decrypt(decryptParameters: DecryptParameters, options?: DecryptOptions): Promise<DecryptResult>Parameters
- decryptParameters
- DecryptParameters
The decryption parameters.
- options
- DecryptOptions
Additional options.
Returns
Promise<DecryptResult>
decrypt(string, Uint8Array, DecryptOptions)
Warning
This API is now deprecated.
Use decrypt({ algorithm, ciphertext }, options) instead.
Decrypts the given ciphertext with the specified cryptography algorithm
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey.id, credential);
const encryptResult = await cryptographyClient.encrypt({
algorithm: "RSA1_5",
plaintext: Buffer.from("My Message"),
});
console.log("encrypt result: ", encryptResult.result);
const decryptResult = await cryptographyClient.decrypt({
algorithm: "RSA1_5",
ciphertext: encryptResult.result,
});
console.log("decrypt result: ", decryptResult.result.toString());
Microsoft recommends you not use CBC without first ensuring the integrity of the ciphertext using, for example, an HMAC. See https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
function decrypt(algorithm: string, ciphertext: Uint8Array, options?: DecryptOptions): Promise<DecryptResult>Parameters
- algorithm
-
string
The algorithm to use.
- ciphertext
-
Uint8Array
The text to decrypt.
- options
- DecryptOptions
Additional options.
Returns
Promise<DecryptResult>
encrypt(EncryptParameters, EncryptOptions)
Encrypts the given plaintext with the specified encryption parameters. Depending on the algorithm set in the encryption parameters, the set of possible encryption parameters will change.
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey.id, credential);
const encryptResult = await cryptographyClient.encrypt({
algorithm: "RSA1_5",
plaintext: Buffer.from("My Message"),
});
console.log("encrypt result: ", encryptResult.result);
function encrypt(encryptParameters: EncryptParameters, options?: EncryptOptions): Promise<EncryptResult>Parameters
- encryptParameters
- EncryptParameters
The encryption parameters, keyed on the encryption algorithm chosen.
- options
- EncryptOptions
Additional options.
Returns
Promise<EncryptResult>
encrypt(string, Uint8Array, EncryptOptions)
Warning
This API is now deprecated.
Use encrypt({ algorithm, plaintext }, options) instead.
Encrypts the given plaintext with the specified cryptography algorithm
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey.id, credential);
const encryptResult = await cryptographyClient.encrypt({
algorithm: "RSA1_5",
plaintext: Buffer.from("My Message"),
});
console.log("encrypt result: ", encryptResult.result);
function encrypt(algorithm: string, plaintext: Uint8Array, options?: EncryptOptions): Promise<EncryptResult>Parameters
- algorithm
-
string
The algorithm to use.
- plaintext
-
Uint8Array
The text to encrypt.
- options
- EncryptOptions
Additional options.
Returns
Promise<EncryptResult>
sign(string, Uint8Array, SignOptions)
Cryptographically sign the digest of a message
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
import { createHash } from "node:crypto";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
let myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey, credential);
const signatureValue = "MySignature";
const hash = createHash("sha256");
const digest = hash.update(signatureValue).digest();
console.log("digest: ", digest);
const signResult = await cryptographyClient.sign("RS256", digest);
console.log("sign result: ", signResult.result);
function sign(algorithm: string, digest: Uint8Array, options?: SignOptions): Promise<SignResult>Parameters
- algorithm
-
string
The signing algorithm to use.
- digest
-
Uint8Array
The digest of the data to sign.
- options
- SignOptions
Additional options.
Returns
Promise<SignResult>
signData(string, Uint8Array, SignOptions)
Cryptographically sign a block of data
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey, credential);
const signResult = await cryptographyClient.signData("RS256", Buffer.from("My Message"));
console.log("sign result: ", signResult.result);
function signData(algorithm: string, data: Uint8Array, options?: SignOptions): Promise<SignResult>Parameters
- algorithm
-
string
The signing algorithm to use.
- data
-
Uint8Array
The data to sign.
- options
- SignOptions
Additional options.
Returns
Promise<SignResult>
unwrapKey(KeyWrapAlgorithm, Uint8Array, UnwrapKeyOptions)
Unwraps the given wrapped key using the specified cryptography algorithm
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey, credential);
const wrapResult = await cryptographyClient.wrapKey("RSA-OAEP", Buffer.from("My Key"));
console.log("wrap result:", wrapResult.result);
const unwrapResult = await cryptographyClient.unwrapKey("RSA-OAEP", wrapResult.result);
console.log("unwrap result: ", unwrapResult.result);
function unwrapKey(algorithm: KeyWrapAlgorithm, encryptedKey: Uint8Array, options?: UnwrapKeyOptions): Promise<UnwrapResult>Parameters
- algorithm
- KeyWrapAlgorithm
The decryption algorithm to use to unwrap the key.
- encryptedKey
-
Uint8Array
The encrypted key to unwrap.
- options
- UnwrapKeyOptions
Additional options.
Returns
Promise<UnwrapResult>
verify(string, Uint8Array, Uint8Array, VerifyOptions)
Verify the signed message digest
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
import { createHash } from "node:crypto";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey, credential);
const hash = createHash("sha256");
hash.update("My Message");
const digest = hash.digest();
const signResult = await cryptographyClient.sign("RS256", digest);
console.log("sign result: ", signResult.result);
const verifyResult = await cryptographyClient.verify("RS256", digest, signResult.result);
console.log("verify result: ", verifyResult.result);
function verify(algorithm: string, digest: Uint8Array, signature: Uint8Array, options?: VerifyOptions): Promise<VerifyResult>Parameters
- algorithm
-
string
The signing algorithm to use to verify with.
- digest
-
Uint8Array
The digest to verify.
- signature
-
Uint8Array
The signature to verify the digest against.
- options
- VerifyOptions
Additional options.
Returns
Promise<VerifyResult>
verifyData(string, Uint8Array, Uint8Array, VerifyOptions)
Verify the signed block of data
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey, credential);
const buffer = Buffer.from("My Message");
const signResult = await cryptographyClient.signData("RS256", buffer);
console.log("sign result: ", signResult.result);
const verifyResult = await cryptographyClient.verifyData("RS256", buffer, signResult.result);
console.log("verify result: ", verifyResult.result);
function verifyData(algorithm: string, data: Uint8Array, signature: Uint8Array, options?: VerifyOptions): Promise<VerifyResult>Parameters
- algorithm
-
string
The algorithm to use to verify with.
- data
-
Uint8Array
The signed block of data to verify.
- signature
-
Uint8Array
The signature to verify the block against.
- options
- VerifyOptions
Additional options.
Returns
Promise<VerifyResult>
wrapKey(KeyWrapAlgorithm, Uint8Array, WrapKeyOptions)
Wraps the given key using the specified cryptography algorithm
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey, credential);
const wrapResult = await cryptographyClient.wrapKey("RSA-OAEP", Buffer.from("My Key"));
console.log("wrap result:", wrapResult.result);
function wrapKey(algorithm: KeyWrapAlgorithm, key: Uint8Array, options?: WrapKeyOptions): Promise<WrapResult>Parameters
- algorithm
- KeyWrapAlgorithm
The encryption algorithm to use to wrap the given key.
- key
-
Uint8Array
The key to wrap.
- options
- WrapKeyOptions
Additional options.
Returns
Promise<WrapResult>