com.azure.security.keyvault.keys

Class KeyClient

java.lang.Object

com.azure.security.keyvault.keys.KeyClient

public final class KeyClient
extends Object

The KeyClient provides synchronous methods to manage keys in the Azure Key Vault. The client supports creating, retrieving, updating, deleting, purging, backing up, restoring and listing the keys. The client also supports listing deleted keys for a soft-delete enabled Azure Key Vault.

Samples to construct the sync client

 KeyClient keyClient = new KeyClientBuilder()
     .vaultUrl("https://myvault.azure.net/")
     .credential(new DefaultAzureCredentialBuilder().build())
     .buildClient();
 

See Also:

KeyClientBuilder, PagedIterable

Method Summary

Modifier and Type	Method and Description
byte[]	backupKey(String name) Requests a backup of the specified key be downloaded to the client.
com.azure.core.http.rest.Response<byte[]>	backupKeyWithResponse(String name, com.azure.core.util.Context context) Requests a backup of the specified key be downloaded to the client.
com.azure.core.util.polling.SyncPoller<DeletedKey,Void>	beginDeleteKey(String name) Deletes a key of any type from the key vault.
com.azure.core.util.polling.SyncPoller<KeyVaultKey,Void>	beginRecoverDeletedKey(String name) Recovers the deleted key in the key vault to its latest version and can only be performed on a soft-delete enabled vault.
KeyVaultKey	createEcKey(CreateEcKeyOptions createEcKeyOptions) Creates a new Ec key and stores it in the key vault.
com.azure.core.http.rest.Response<KeyVaultKey>	createEcKeyWithResponse(CreateEcKeyOptions createEcKeyOptions, com.azure.core.util.Context context) Creates a new Ec key and stores it in the key vault.
KeyVaultKey	createKey(CreateKeyOptions createKeyOptions) Creates a new key and stores it in the key vault.
KeyVaultKey	createKey(String name, KeyType keyType) Creates a new key and stores it in the key vault.
com.azure.core.http.rest.Response<KeyVaultKey>	createKeyWithResponse(CreateKeyOptions createKeyOptions, com.azure.core.util.Context context) Creates a new key and stores it in the key vault.
KeyVaultKey	createRsaKey(CreateRsaKeyOptions createRsaKeyOptions) Creates a new Rsa key and stores it in the key vault.
com.azure.core.http.rest.Response<KeyVaultKey>	createRsaKeyWithResponse(CreateRsaKeyOptions createRsaKeyOptions, com.azure.core.util.Context context) Creates a new Rsa key and stores it in the key vault.
DeletedKey	getDeletedKey(String name) Gets the public part of a deleted key.
com.azure.core.http.rest.Response<DeletedKey>	getDeletedKeyWithResponse(String name, com.azure.core.util.Context context) Gets the public part of a deleted key.
KeyVaultKey	getKey(String name) Get the public part of the latest version of the specified key from the key vault.
KeyVaultKey	getKey(String name, String version) Gets the public part of the specified key and key version.
com.azure.core.http.rest.Response<KeyVaultKey>	getKeyWithResponse(String name, String version, com.azure.core.util.Context context) Gets the public part of the specified key and key version.
String	getVaultUrl() Get the vault endpoint url
KeyVaultKey	importKey(ImportKeyOptions importKeyOptions) Imports an externally created key and stores it in key vault.
KeyVaultKey	importKey(String name, JsonWebKey keyMaterial) Imports an externally created key and stores it in key vault.
com.azure.core.http.rest.Response<KeyVaultKey>	importKeyWithResponse(ImportKeyOptions importKeyOptions, com.azure.core.util.Context context) Imports an externally created key and stores it in key vault.
com.azure.core.http.rest.PagedIterable<DeletedKey>	listDeletedKeys() Lists deleted keys of the key vault.
com.azure.core.http.rest.PagedIterable<DeletedKey>	listDeletedKeys(com.azure.core.util.Context context) Lists deleted keys of the key vault.
com.azure.core.http.rest.PagedIterable<KeyProperties>	listPropertiesOfKeys() List keys in the key vault.
com.azure.core.http.rest.PagedIterable<KeyProperties>	listPropertiesOfKeys(com.azure.core.util.Context context) List keys in the key vault.
com.azure.core.http.rest.PagedIterable<KeyProperties>	listPropertiesOfKeyVersions(String name) List all versions of the specified key.
com.azure.core.http.rest.PagedIterable<KeyProperties>	listPropertiesOfKeyVersions(String name, com.azure.core.util.Context context) List all versions of the specified key.
void	purgeDeletedKey(String name) Permanently deletes the specified key without the possibility of recovery.
com.azure.core.http.rest.Response<Void>	purgeDeletedKeyWithResponse(String name, com.azure.core.util.Context context) Permanently deletes the specified key without the possibility of recovery.
KeyVaultKey	restoreKeyBackup(byte[] backup) Restores a backed up key to a vault.
com.azure.core.http.rest.Response<KeyVaultKey>	restoreKeyBackupWithResponse(byte[] backup, com.azure.core.util.Context context) Restores a backed up key to a vault.
KeyVaultKey	updateKeyProperties(KeyProperties keyProperties, KeyOperation... keyOperations) Updates the attributes and key operations associated with the specified key, but not the cryptographic key material of the specified key in the key vault.
com.azure.core.http.rest.Response<KeyVaultKey>	updateKeyPropertiesWithResponse(KeyProperties keyProperties, com.azure.core.util.Context context, KeyOperation... keyOperations) Updates the attributes and key operations associated with the specified key, but not the cryptographic key material of the specified key in the key vault.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

getVaultUrl

public String getVaultUrl()

Get the vault endpoint url

Returns:

the vault endpoint url

createKey

public KeyVaultKey createKey(String name,
                             KeyType keyType)

Creates a new key and stores it in the key vault. The create key operation can be used to create any key type in key vault. If the named key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

The keyType indicates the type of key to create. Possible values include: EC, EC-HSM, RSA, RSA-HSM and OCT.

Code Samples

Creates a new EC key. Prints out the details of the created key.

 KeyVaultKey key = keyClient.createKey("keyName", KeyType.EC);
 System.out.printf("Key is created with name %s and id %s %n", key.getName(), key.getId());
 

Parameters:

name - The name of the key being created.

keyType - The type of key to create. For valid values, see KeyType.

Returns:

The created key.

Throws:

com.azure.core.exception.ResourceModifiedException - if name or keyType is null.

com.azure.core.exception.HttpResponseException - if name is empty string.

createKey

public KeyVaultKey createKey(CreateKeyOptions createKeyOptions)

Creates a new key and stores it in the key vault. The create key operation can be used to create any key type in key vault. If the named key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

The CreateKeyOptions is required. The expires and notBefore values are optional. The CreateKeyOptions.isEnabled() enabled} field is set to true by Azure Key Vault, if not specified.

The keyType indicates the type of key to create. Possible values include: EC, EC-HSM, RSA, RSA-HSM and OCT.

Code Samples

Creates a new RSA key which activates in one day and expires in one year. Prints out the details of the

 CreateKeyOptions createKeyOptions = new CreateKeyOptions("keyName", KeyType.RSA)
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 KeyVaultKey optionsKey = keyClient.createKey(createKeyOptions);
 System.out.printf("Key is created with name %s and id %s %n", optionsKey.getName(), optionsKey.getId());
 

Parameters:

createKeyOptions - The key options object containing information about the key being created.

Returns:

The created key.

Throws:

NullPointerException - if keyCreateOptions is null.

com.azure.core.exception.ResourceModifiedException - if keyCreateOptions is malformed.

createKeyWithResponse

public com.azure.core.http.rest.Response<KeyVaultKey> createKeyWithResponse(CreateKeyOptions createKeyOptions,
                                                                            com.azure.core.util.Context context)

Creates a new key and stores it in the key vault. The create key operation can be used to create any key type in key vault. If the named key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

The CreateKeyOptions is required. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

The keyType indicates the type of key to create. Possible values include: EC, EC-HSM, RSA, RSA-HSM and OCT.

Code Samples

Creates a new RSA key which activates in one day and expires in one year. Prints out the details of the

 CreateKeyOptions createKeyOptions = new CreateKeyOptions("keyName", KeyType.RSA)
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 KeyVaultKey optionsKey = keyClient.createKeyWithResponse(createKeyOptions, new Context(key1, value1)).getValue();
 System.out.printf("Key is created with name %s and id %s %n", optionsKey.getName(), optionsKey.getId());
 

Parameters:

createKeyOptions - The key options object containing information about the key being created.

context - Additional context that is passed through the Http pipeline during the service call.

Returns:

A Response whose value contains the created key.

Throws:

NullPointerException - if keyCreateOptions is null.

com.azure.core.exception.ResourceModifiedException - if keyCreateOptions is malformed.

createRsaKey

public KeyVaultKey createRsaKey(CreateRsaKeyOptions createRsaKeyOptions)

Creates a new Rsa key and stores it in the key vault. The create Rsa key operation can be used to create any Rsa key type in key vault. If the named key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

The CreateRsaKeyOptions is required. The keySize can be optionally specified. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

The keyType indicates the type of key to create. Possible values include: RSA and RSA-HSM.

Code Samples

Creates a new RSA key with size 2048 which activates in one day and expires in one year. Prints out the details of the created key.

 CreateRsaKeyOptions createRsaKeyOptions = new CreateRsaKeyOptions("keyName")
     .setKeySize(2048)
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 KeyVaultKey rsaKey = keyClient.createRsaKey(createRsaKeyOptions);
 System.out.printf("Key is created with name %s and id %s %n", rsaKey.getName(), rsaKey.getId());
 

Parameters:

createRsaKeyOptions - The key options object containing information about the rsa key being created.

Returns:

The created key.

Throws:

NullPointerException - if rsaKeyCreateOptions is null.

com.azure.core.exception.ResourceModifiedException - if rsaKeyCreateOptions is malformed.

com.azure.core.exception.HttpResponseException - if name is empty string.

createRsaKeyWithResponse

public com.azure.core.http.rest.Response<KeyVaultKey> createRsaKeyWithResponse(CreateRsaKeyOptions createRsaKeyOptions,
                                                                               com.azure.core.util.Context context)

Creates a new Rsa key and stores it in the key vault. The create Rsa key operation can be used to create any Rsa key type in key vault. If the named key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

The CreateRsaKeyOptions is required. The keySize can be optionally specified. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

The keyType indicates the type of key to create. Possible values include: RSA and RSA-HSM.

Code Samples

Creates a new RSA key with size 2048 which activates in one day and expires in one year. Prints out the details of the created key.

 CreateRsaKeyOptions createRsaKeyOptions = new CreateRsaKeyOptions("keyName")
     .setKeySize(2048)
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 KeyVaultKey rsaKey = keyClient.createRsaKeyWithResponse(createRsaKeyOptions, new Context(key1, value1)).getValue();
 System.out.printf("Key is created with name %s and id %s %n", rsaKey.getName(), rsaKey.getId());
 

Parameters:

createRsaKeyOptions - The key options object containing information about the rsa key being created.

context - Additional context that is passed through the Http pipeline during the service call.

Returns:

A Response whose value contains the created key.

Throws:

NullPointerException - if rsaKeyCreateOptions is null.

com.azure.core.exception.ResourceModifiedException - if rsaKeyCreateOptions is malformed.

createEcKey

public KeyVaultKey createEcKey(CreateEcKeyOptions createEcKeyOptions)

Creates a new Ec key and stores it in the key vault. The create Ec key operation can be used to create any Ec key type in key vault. If the named key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

The CreateEcKeyOptions parameter is required. The key curve can be optionally specified. If not specified, default value of P-256 is used by Azure Key Vault. The expires and notBefore values are optional. The enabled field is set to true by Azure Key Vault, if not specified.

The keyType indicates the type of key to create. Possible values include: EC and EC-HSM.

Code Samples

Creates a new EC key with P-384 web key curve. The key activates in one day and expires in one year. Prints out the details of the created key.

 CreateEcKeyOptions createEcKeyOptions = new CreateEcKeyOptions("keyName")
     .setCurveName(KeyCurveName.P_384)
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 KeyVaultKey ecKey = keyClient.createEcKey(createEcKeyOptions);
 System.out.printf("Key is created with name %s and id %s %n", ecKey.getName(), ecKey.getId());
 

Parameters:

createEcKeyOptions - The key options object containing information about the ec key being created.

Returns:

The created key.

Throws:

NullPointerException - if ecKeyCreateOptions is null.

com.azure.core.exception.ResourceModifiedException - if ecKeyCreateOptions is malformed.

createEcKeyWithResponse

public com.azure.core.http.rest.Response<KeyVaultKey> createEcKeyWithResponse(CreateEcKeyOptions createEcKeyOptions,
                                                                              com.azure.core.util.Context context)

Creates a new Ec key and stores it in the key vault. The create Ec key operation can be used to create any Ec key type in key vault. If the named key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

The CreateEcKeyOptions parameter is required. The key curve can be optionally specified. If not specified, default value of P-256 is used by Azure Key Vault. The expires and notBefore values are optional. The CreateKeyOptions.isEnabled() enabled} field is set to true by Azure Key Vault, if not specified.

The keyType indicates the type of key to create. Possible values include: EC and EC-HSM.

Code Samples

Creates a new EC key with P-384 web key curve. The key activates in one day and expires in one year. Prints out the details of the created key.

 CreateEcKeyOptions createEcKeyOptions = new CreateEcKeyOptions("keyName")
     .setCurveName(KeyCurveName.P_384)
     .setNotBefore(OffsetDateTime.now().plusDays(1))
     .setExpiresOn(OffsetDateTime.now().plusYears(1));
 KeyVaultKey ecKey = keyClient.createEcKeyWithResponse(createEcKeyOptions, new Context(key1, value1)).getValue();
 System.out.printf("Key is created with name %s and id %s %n", ecKey.getName(), ecKey.getId());
 

Parameters:

createEcKeyOptions - The key options object containing information about the ec key being created.

context - Additional context that is passed through the Http pipeline during the service call.

Returns:

A Response whose value contains the created key.

Throws:

NullPointerException - if ecKeyCreateOptions is null.

com.azure.core.exception.ResourceModifiedException - if ecKeyCreateOptions is malformed.

importKey

public KeyVaultKey importKey(String name,
                             JsonWebKey keyMaterial)

Imports an externally created key and stores it in key vault. The import key operation may be used to import any key type into the Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission.

Code Samples

Imports a new key into key vault. Prints out the details of the imported key.

 KeyVaultKey importedKey = keyClient.importKey("keyName", jsonWebKeyToImport);
 System.out.printf("Key is imported with name %s and id %s \n", importedKey.getName(), importedKey.getId());
 

Parameters:

name - The name for the imported key.

keyMaterial - The Json web key being imported.

Returns:

The imported key.

Throws:

com.azure.core.exception.HttpResponseException - if name is empty string.

importKey

public KeyVaultKey importKey(ImportKeyOptions importKeyOptions)

Imports an externally created key and stores it in key vault. The import key operation may be used to import any key type into the Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission.

The keyImportOptions is required and its fields name and key material cannot be null. The expires and notBefore values in keyImportOptions are optional. If not specified, no values are set for the fields. The enabled field is set to true and the hsm field is set to false by Azure Key Vault, if they are not specified.

Code Samples

Imports a new key into key vault. Prints out the details of the imported key.

 ImportKeyOptions options = new ImportKeyOptions("keyName", jsonWebKeyToImport)
     .setHardwareProtected(false);
 
 KeyVaultKey importedKeyResponse = keyClient.importKey(options);
 System.out.printf("Key is imported with name %s and id %s \n", importedKeyResponse.getName(),
     importedKeyResponse.getId());
 

Parameters:

importKeyOptions - The key import configuration object containing information about the json web key being imported.

Returns:

The imported key.

Throws:

NullPointerException - if keyImportOptions is null.

com.azure.core.exception.HttpResponseException - if name is empty string.

importKeyWithResponse

public com.azure.core.http.rest.Response<KeyVaultKey> importKeyWithResponse(ImportKeyOptions importKeyOptions,
                                                                            com.azure.core.util.Context context)

Imports an externally created key and stores it in key vault. The import key operation may be used to import any key type into the Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission.

The keyImportOptions is required and its fields name and key material cannot be null. The expires and notBefore values in keyImportOptions are optional. If not specified, no values are set for the fields. The enabled field is set to true and the hsm field is set to false by Azure Key Vault, if they are not specified.

Code Samples

Imports a new key into key vault. Prints out the details of the imported key.

 ImportKeyOptions importKeyOptions = new ImportKeyOptions("keyName", jsonWebKeyToImport)
     .setHardwareProtected(false);
 
 KeyVaultKey importedKeyResp = keyClient.importKeyWithResponse(importKeyOptions, new Context(key1, value1))
     .getValue();
 System.out.printf("Key is imported with name %s and id %s \n", importedKeyResp.getName(),
     importedKeyResp.getId());
 

Parameters:

importKeyOptions - The key import configuration object containing information about the json web key being imported.

context - Additional context that is passed through the Http pipeline during the service call.

Returns:

A Response whose value contains the imported key.

Throws:

NullPointerException - if keyImportOptions is null.

com.azure.core.exception.HttpResponseException - if name is empty string.

getKey

public KeyVaultKey getKey(String name,
                          String version)

Gets the public part of the specified key and key version. The get key operation is applicable to all key types and it requires the keys/get permission.

Code Samples

Gets a specific version of the key in the key vault. Prints out the details of the returned key.

 String keyVersion = "6A385B124DEF4096AF1361A85B16C204";
 KeyVaultKey keyWithVersion = keyClient.getKey("keyName", keyVersion);
 System.out.printf("Key is returned with name %s and id %s %n", keyWithVersion.getName(),
     keyWithVersion.getId());
 

Parameters:

name - The name of the key, cannot be null

version - The version of the key to retrieve. If this is an empty String or null, this call is equivalent to calling KeyClient.getKey(String), with the latest version being retrieved.

Returns:

The requested key. The content of the key is null if both name and version are null or empty.

Throws:

com.azure.core.exception.ResourceNotFoundException - when a key with name doesn't exist in the key vault or an empty/null name and a non null/empty version is provided.

com.azure.core.exception.HttpResponseException - if a valid name and a non null/empty version is specified.

getKeyWithResponse

public com.azure.core.http.rest.Response<KeyVaultKey> getKeyWithResponse(String name,
                                                                         String version,
                                                                         com.azure.core.util.Context context)

Gets the public part of the specified key and key version. The get key operation is applicable to all key types and it requires the keys/get permission.

Code Samples

Gets a specific version of the key in the key vault. Prints out the details of the returned key.

 String keyVersion = "6A385B124DEF4096AF1361A85B16C204";
 KeyVaultKey keyWithVersion = keyClient.getKeyWithResponse("keyName", keyVersion,
     new Context(key1, value1)).getValue();
 System.out.printf("Key is returned with name %s and id %s %n", keyWithVersion.getName(),
     keyWithVersion.getId());
 

Parameters:

name - The name of the key, cannot be null

context - Additional context that is passed through the Http pipeline during the service call.

version - The version of the key to retrieve. If this is an empty String or null, this call is equivalent to calling KeyClient.getKey(String), with the latest version being retrieved.

Returns:

A Response whose value contains the requested key. The content of the key is null if both name and version are null or empty.

Throws:

com.azure.core.exception.ResourceNotFoundException - when a key with name doesn't exist in the key vault or an empty/null name and a non null/empty version is provided.

com.azure.core.exception.HttpResponseException - if a valid name and a non null/empty version is specified.

getKey

public KeyVaultKey getKey(String name)

Get the public part of the latest version of the specified key from the key vault. The get key operation is applicable to all key types and it requires the keys/get permission.

Code Samples

Gets the latest version of the key in the key vault. Prints out the details of the returned key.

 KeyVaultKey keyWithVersionValue = keyClient.getKey("keyName");
 System.out.printf("Key is returned with name %s and id %s %n", keyWithVersionValue.getName(),
     keyWithVersionValue.getId());
 

Parameters:

name - The name of the key.

Returns:

The requested key. The content of the key is null if name is null or empty.

Throws:

com.azure.core.exception.ResourceNotFoundException - when a key with non null/empty name doesn't exist in the key vault.

com.azure.core.exception.HttpResponseException - if a non null/empty and an invalid name is specified.

updateKeyProperties

public KeyVaultKey updateKeyProperties(KeyProperties keyProperties,
                                       KeyOperation... keyOperations)

Updates the attributes and key operations associated with the specified key, but not the cryptographic key material of the specified key in the key vault. The update operation changes specified attributes of an existing stored key and attributes that are not specified in the request are left unchanged. The cryptographic key material of a key itself cannot be changed. This operation requires the keys/set permission.

Code Samples

Gets the latest version of the key, changes its expiry time and key operations and the updates the key in the key vault.

 KeyVaultKey key = keyClient.getKey("keyName");
 key.getProperties().setExpiresOn(OffsetDateTime.now().plusDays(60));
 KeyVaultKey updatedKey = keyClient.updateKeyProperties(key.getProperties(), KeyOperation.ENCRYPT,
     KeyOperation.DECRYPT);
 System.out.printf("Key is updated with name %s and id %s %n", updatedKey.getName(), updatedKey.getId());
 

Parameters:

keyProperties - The key properties object with updated properties.

keyOperations - The updated key operations to associate with the key.

Returns:

A Response whose value contains the updated key.

Throws:

NullPointerException - if key is null.

com.azure.core.exception.ResourceNotFoundException - when a key with name and version doesn't exist in the key vault.

com.azure.core.exception.HttpResponseException - if name or version is empty string.

updateKeyPropertiesWithResponse

public com.azure.core.http.rest.Response<KeyVaultKey> updateKeyPropertiesWithResponse(KeyProperties keyProperties,
                                                                                      com.azure.core.util.Context context,
                                                                                      KeyOperation... keyOperations)

Updates the attributes and key operations associated with the specified key, but not the cryptographic key material of the specified key in the key vault. The update operation changes specified attributes of an existing stored key and attributes that are not specified in the request are left unchanged. The cryptographic key material of a key itself cannot be changed. This operation requires the keys/set permission.

Code Samples

Gets the latest version of the key, changes its expiry time and key operations and the updates the key in the key vault.

 KeyVaultKey key = keyClient.getKey("keyName");
 key.getProperties().setExpiresOn(OffsetDateTime.now().plusDays(60));
 KeyVaultKey updatedKey = keyClient.updateKeyPropertiesWithResponse(key.getProperties(),
     new Context(key1, value1), KeyOperation.ENCRYPT, KeyOperation.DECRYPT).getValue();
 System.out.printf("Key is updated with name %s and id %s %n", updatedKey.getName(), updatedKey.getId());
 

Parameters:

keyProperties - The key properties object with updated properties.

context - Additional context that is passed through the Http pipeline during the service call.

keyOperations - The updated key operations to associate with the key.

Returns:

A Response whose value contains the updated key.

Throws:

NullPointerException - if key is null.

com.azure.core.exception.ResourceNotFoundException - when a key with name and version doesn't exist in the key vault.

com.azure.core.exception.HttpResponseException - if name or version is empty string.

beginDeleteKey

public com.azure.core.util.polling.SyncPoller<DeletedKey,Void> beginDeleteKey(String name)

Deletes a key of any type from the key vault. If soft-delete is enabled on the key vault then the key is placed in the deleted state and requires to be purged for permanent deletion else the key is permanently deleted. The delete operation applies to any key stored in Azure Key Vault but it cannot be applied to an individual version of a key. This operation removes the cryptographic material associated with the key, which means the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations. This operation requires the keys/delete permission.

Code Samples

Deletes the key from the keyvault. Prints out the recovery id of the deleted key returned in the response.

 SyncPoller<DeletedKey, Void> deletedKeyPoller = keyClient.beginDeleteKey("keyName");
 
 PollResponse<DeletedKey> deletedKeyPollResponse = deletedKeyPoller.poll();
 
 // Deleted date only works for SoftDelete Enabled Key Vault.
 DeletedKey deletedKey = deletedKeyPollResponse.getValue();
 System.out.println("Deleted Date  %s" + deletedKey.getDeletedOn().toString());
 System.out.printf("Deleted Key's Recovery Id %s", deletedKey.getRecoveryId());
 
 // Key is being deleted on server.
 deletedKeyPoller.waitForCompletion();
 // Key is deleted
 

Parameters:

name - The name of the key to be deleted.

Returns:

A SyncPoller to poll on and retrieve deleted key

Throws:

com.azure.core.exception.ResourceNotFoundException - when a key with name doesn't exist in the key vault.

com.azure.core.exception.HttpResponseException - when a key with name is empty string.

getDeletedKey

public DeletedKey getDeletedKey(String name)

Gets the public part of a deleted key. The Get Deleted Key operation is applicable for soft-delete enabled vaults. This operation requires the keys/get permission.

Code Samples

Gets the deleted key from the key vault enabled for soft-delete. Prints out the details of the deleted key returned in the response.

//Assuming key is deleted on a soft-delete enabled key vault.

 DeletedKey deletedKey = keyClient.getDeletedKey("keyName");
 System.out.printf("Deleted Key's Recovery Id %s", deletedKey.getRecoveryId());
 

Parameters:

name - The name of the deleted key.

Returns:

The deleted key.

Throws:

com.azure.core.exception.ResourceNotFoundException - when a key with name doesn't exist in the key vault.

com.azure.core.exception.HttpResponseException - when a key with name is empty string.

getDeletedKeyWithResponse

public com.azure.core.http.rest.Response<DeletedKey> getDeletedKeyWithResponse(String name,
                                                                               com.azure.core.util.Context context)

Gets the public part of a deleted key. The Get Deleted Key operation is applicable for soft-delete enabled vaults. This operation requires the keys/get permission.

Code Samples

Gets the deleted key from the key vault enabled for soft-delete. Prints out the details of the deleted key returned in the response.

//Assuming key is deleted on a soft-delete enabled key vault.

 DeletedKey deletedKey = keyClient.getDeletedKeyWithResponse("keyName", new Context(key1, value1))
     .getValue();
 System.out.printf("Deleted Key with recovery Id %s %n", deletedKey.getRecoveryId());
 

Parameters:

name - The name of the deleted key.

context - Additional context that is passed through the Http pipeline during the service call.

Returns:

A Response whose value contains the deleted key.

Throws:

com.azure.core.exception.ResourceNotFoundException - when a key with name doesn't exist in the key vault.

com.azure.core.exception.HttpResponseException - when a key with name is empty string.

purgeDeletedKey

public void purgeDeletedKey(String name)

Permanently deletes the specified key without the possibility of recovery. The Purge Deleted Key operation is applicable for soft-delete enabled vaults. This operation requires the keys/purge permission.

Code Samples

Purges the deleted key from the key vault enabled for soft-delete. Prints out the status code from the server response.

//Assuming key is deleted on a soft-delete enabled key vault.

 keyClient.purgeDeletedKey("deletedKeyName");
 

Parameters:

name - The name of the deleted key.

Throws:

com.azure.core.exception.ResourceNotFoundException - when a key with name doesn't exist in the key vault.

com.azure.core.exception.HttpResponseException - when a key with name is empty string.

purgeDeletedKeyWithResponse

public com.azure.core.http.rest.Response<Void> purgeDeletedKeyWithResponse(String name,
                                                                           com.azure.core.util.Context context)

Permanently deletes the specified key without the possibility of recovery. The Purge Deleted Key operation is applicable for soft-delete enabled vaults. This operation requires the keys/purge permission.

Code Samples

Purges the deleted key from the key vault enabled for soft-delete. Prints out the status code from the server response.

//Assuming key is deleted on a soft-delete enabled key vault.

 Response<Void> purgedResponse = keyClient.purgeDeletedKeyWithResponse("deletedKeyName",
     new Context(key2, value2));
 System.out.printf("Purge Status Code: %d %n", purgedResponse.getStatusCode());
 

Parameters:

name - The name of the deleted key.

context - Additional context that is passed through the Http pipeline during the service call.

Returns:

A response containing status code and HTTP headers.

Throws:

com.azure.core.exception.ResourceNotFoundException - when a key with name doesn't exist in the key vault.

com.azure.core.exception.HttpResponseException - when a key with name is empty string.

beginRecoverDeletedKey

public com.azure.core.util.polling.SyncPoller<KeyVaultKey,Void> beginRecoverDeletedKey(String name)

Recovers the deleted key in the key vault to its latest version and can only be performed on a soft-delete enabled vault. An attempt to recover an non-deleted key will return an error. Consider this the inverse of the delete operation on soft-delete enabled vaults. This operation requires the keys/recover permission.

Code Samples

Recovers the deleted key from the key vault enabled for soft-delete.

//Assuming key is deleted on a soft-delete enabled key vault.

 SyncPoller<KeyVaultKey, Void> recoverKeyPoller = keyClient.beginRecoverDeletedKey("deletedKeyName");
 
 PollResponse<KeyVaultKey> recoverKeyPollResponse = recoverKeyPoller.poll();
 
 KeyVaultKey recoveredKey = recoverKeyPollResponse.getValue();
 System.out.println("Recovered Key Name %s" + recoveredKey.getName());
 System.out.printf("Recovered Key's Id %s", recoveredKey.getId());
 
 // Key is being recovered on server.
 recoverKeyPoller.waitForCompletion();
 // Key is recovered
 

Parameters:

name - The name of the deleted key to be recovered.

Returns:

A SyncPoller to poll on and retrieve recovered key.

Throws:

com.azure.core.exception.ResourceNotFoundException - when a key with name doesn't exist in the key vault.

com.azure.core.exception.HttpResponseException - when a key with name is empty string.

backupKey

public byte[] backupKey(String name)

Requests a backup of the specified key be downloaded to the client. The Key Backup operation exports a key from Azure Key Vault in a protected form. Note that this operation does not return key material in a form that can be used outside the Azure Key Vault system, the returned key material is either protected to a Azure Key Vault HSM or to Azure Key Vault itself. The intent of this operation is to allow a client to generate a key in one Azure Key Vault instance, backup the key, and then restore it into another Azure Key Vault instance. The backup operation may be used to export, in protected form, any key type from Azure Key Vault. Individual versions of a key cannot be backed up. Backup / Restore can be performed within geographical boundaries only; meaning that a backup from one geographical area cannot be restored to another geographical area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This operation requires the key/backup permission.

Code Samples

Backs up the key from the key vault and prints out the length of the key's backup byte array returned in the response

 byte[] keyBackup = keyClient.backupKey("keyName");
 System.out.printf("Key's Backup Byte array's length %s", keyBackup.length);
 

Parameters:

name - The name of the key.

Returns:

The backed up key blob.

Throws:

com.azure.core.exception.ResourceNotFoundException - when a key with name doesn't exist in the key vault.

com.azure.core.exception.HttpResponseException - when a key with name is empty string.

backupKeyWithResponse

public com.azure.core.http.rest.Response<byte[]> backupKeyWithResponse(String name,
                                                                       com.azure.core.util.Context context)

Requests a backup of the specified key be downloaded to the client. The Key Backup operation exports a key from Azure Key Vault in a protected form. Note that this operation does not return key material in a form that can be used outside the Azure Key Vault system, the returned key material is either protected to a Azure Key Vault HSM or to Azure Key Vault itself. The intent of this operation is to allow a client to generate a key in one Azure Key Vault instance, backup the key, and then restore it into another Azure Key Vault instance. The backup operation may be used to export, in protected form, any key type from Azure Key Vault. Individual versions of a key cannot be backed up. Backup / Restore can be performed within geographical boundaries only; meaning that a backup from one geographical area cannot be restored to another geographical area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This operation requires the key/backup permission.

Code Samples

Backs up the key from the key vault and prints out the length of the key's backup byte array returned in the response

 byte[] keyBackup = keyClient.backupKeyWithResponse("keyName", new Context(key2, value2)).getValue();
 System.out.printf("Key's Backup Byte array's length %s", keyBackup.length);
 

Parameters:

name - The name of the key.

context - Additional context that is passed through the Http pipeline during the service call.

Returns:

A Response whose value contains the backed up key blob.

Throws:

com.azure.core.exception.ResourceNotFoundException - when a key with name doesn't exist in the key vault.

com.azure.core.exception.HttpResponseException - when a key with name is empty string.

restoreKeyBackup

public KeyVaultKey restoreKeyBackup(byte[] backup)

Restores a backed up key to a vault. Imports a previously backed up key into Azure Key Vault, restoring the key, its key identifier, attributes and access control policies. The restore operation may be used to import a previously backed up key. Individual versions of a key cannot be restored. The key is restored in its entirety with the same key name as it had when it was backed up. If the key name is not available in the target Key Vault, the restore operation will be rejected. While the key name is retained during restore, the final key identifier will change if the key is restored to a different vault. Restore will restore all versions and preserve version identifiers. The restore operation is subject to security constraints: The target Key Vault must be owned by the same Microsoft Azure Subscription as the source Key Vault The user must have restore permission in the target Key Vault. This operation requires the keys/restore permission.

Code Samples

Restores the key in the key vault from its backup. Prints out the details of the restored key returned in the response.

//Pass the Key Backup Byte array to the restore operation.

 byte[] keyBackupByteArray = {};
 KeyVaultKey keyResponse = keyClient.restoreKeyBackup(keyBackupByteArray);
 System.out.printf("Restored Key with name %s and id %s %n", keyResponse.getName(), keyResponse.getId());
 

Parameters:

backup - The backup blob associated with the key.

Returns:

The restored key.

Throws:

com.azure.core.exception.ResourceModifiedException - when backup blob is malformed.

restoreKeyBackupWithResponse

public com.azure.core.http.rest.Response<KeyVaultKey> restoreKeyBackupWithResponse(byte[] backup,
                                                                                   com.azure.core.util.Context context)

Restores a backed up key to a vault. Imports a previously backed up key into Azure Key Vault, restoring the key, its key identifier, attributes and access control policies. The restore operation may be used to import a previously backed up key. Individual versions of a key cannot be restored. The key is restored in its entirety with the same key name as it had when it was backed up. If the key name is not available in the target Key Vault, the restore operation will be rejected. While the key name is retained during restore, the final key identifier will change if the key is restored to a different vault. Restore will restore all versions and preserve version identifiers. The restore operation is subject to security constraints: The target Key Vault must be owned by the same Microsoft Azure Subscription as the source Key Vault The user must have restore permission in the target Key Vault. This operation requires the keys/restore permission.

Code Samples

Restores the key in the key vault from its backup. Prints out the details of the restored key returned in the response.

//Pass the Key Backup Byte array to the restore operation.

 byte[] keyBackupByteArray = {};
 Response<KeyVaultKey> keyResponse = keyClient.restoreKeyBackupWithResponse(keyBackupByteArray,
     new Context(key1, value1));
 System.out.printf("Restored Key with name %s and id %s %n",
     keyResponse.getValue().getName(), keyResponse.getValue().getId());
 

Parameters:

backup - The backup blob associated with the key.

context - Additional context that is passed through the Http pipeline during the service call.

Returns:

A Response whose value contains the restored key.

Throws:

com.azure.core.exception.ResourceModifiedException - when backup blob is malformed.

listPropertiesOfKeys

public com.azure.core.http.rest.PagedIterable<KeyProperties> listPropertiesOfKeys()

List keys in the key vault. Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a stored key. The List operation is applicable to all key types and the individual key response in the list is represented by KeyProperties as only the key identifier, attributes and tags are provided in the response. The key material and individual key versions are not listed in the response. This operation requires the keys/list permission.

It is possible to get full keys with key material from this information. Loop over the key and call KeyClient.getKey(String, String). This will return the key with key material included of its latest version.

 for (KeyProperties key : keyClient.listPropertiesOfKeys()) {
     KeyVaultKey keyWithMaterial = keyClient.getKey(key.getName(), key.getVersion());
     System.out.printf("Received key with name %s and type %s", keyWithMaterial.getName(),
         keyWithMaterial.getKeyType());
 }
 

Code Samples to iterate keys by page

It is possible to get full keys with key material from this information. Iterate over all the key by page and call KeyClient.getKey(String, String). This will return the key with key material included of its latest version.

 keyClient.listPropertiesOfKeys().iterableByPage().forEach(resp -> {
     System.out.printf("Got response headers . Url: %s, Status code: %d %n",
         resp.getRequest().getUrl(), resp.getStatusCode());
     resp.getItems().forEach(value -> {
         KeyVaultKey keyWithMaterial = keyClient.getKey(value.getName(), value.getVersion());
         System.out.printf("Received key with name %s and type %s %n", keyWithMaterial.getName(),
             keyWithMaterial.getKeyType());
     });
 });
 

Returns:

PagedIterable of key of all the keys in the vault.

listPropertiesOfKeys

public com.azure.core.http.rest.PagedIterable<KeyProperties> listPropertiesOfKeys(com.azure.core.util.Context context)

List keys in the key vault. Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a stored key. The List operation is applicable to all key types and the individual key response in the list is represented by KeyProperties as only the key identifier, attributes and tags are provided in the response. The key material and individual key versions are not listed in the response. This operation requires the keys/list permission.

It is possible to get full keys with key material from this information. Loop over the key and call KeyClient.getKey(String, String). This will return the key with key material included of its latest version.

 for (KeyProperties key : keyClient.listPropertiesOfKeys(new Context(key2, value2))) {
     KeyVaultKey keyWithMaterial = keyClient.getKey(key.getName(), key.getVersion());
     System.out.printf("Received key with name %s and type %s", keyWithMaterial.getName(),
         keyWithMaterial.getKeyType());
 }
 

Code Samples to iterate keys by page

It is possible to get full keys with key material from this information. Iterate over all the key by page and call KeyClient.getKey(String, String). This will return the key with key material included of its latest version.

 keyClient.listPropertiesOfKeys().iterableByPage().forEach(resp -> {
     System.out.printf("Got response headers . Url: %s, Status code: %d %n",
         resp.getRequest().getUrl(), resp.getStatusCode());
     resp.getItems().forEach(value -> {
         KeyVaultKey keyWithMaterial = keyClient.getKey(value.getName(), value.getVersion());
         System.out.printf("Received key with name %s and type %s %n", keyWithMaterial.getName(),
             keyWithMaterial.getKeyType());
     });
 });
 

Parameters:

context - Additional context that is passed through the Http pipeline during the service call.

Returns:

PagedIterable of key of all the keys in the vault.

listDeletedKeys

public com.azure.core.http.rest.PagedIterable<DeletedKey> listDeletedKeys()

Lists deleted keys of the key vault. The deleted keys are retrieved as JSON Web Key structures that contain the public part of a deleted key. The Get Deleted Keys operation is applicable for vaults enabled for soft-delete. This operation requires the keys/list permission.

Code Samples

Lists the deleted keys in the key vault and for each deleted key prints out its recovery id.

 for (DeletedKey deletedKey : keyClient.listDeletedKeys()) {
     System.out.printf("Deleted key's recovery Id %s", deletedKey.getRecoveryId());
 }
 

Code Samples to iterate over deleted keys by page

Iterate over the lists the deleted keys by each page in the key vault and for each deleted key prints out its recovery id.

 keyClient.listDeletedKeys().iterableByPage().forEach(resp -> {
     System.out.printf("Got response headers . Url: %s, Status code: %d %n",
         resp.getRequest().getUrl(), resp.getStatusCode());
     resp.getItems().forEach(value -> {
         System.out.printf("Deleted key's recovery Id %s %n", value.getRecoveryId());
     });
 });
 

Returns:

PagedIterable of all of the deleted keys in the vault.

listDeletedKeys

public com.azure.core.http.rest.PagedIterable<DeletedKey> listDeletedKeys(com.azure.core.util.Context context)

Lists deleted keys of the key vault. The deleted keys are retrieved as JSON Web Key structures that contain the public part of a deleted key. The Get Deleted Keys operation is applicable for vaults enabled for soft-delete. This operation requires the keys/list permission.

Code Samples

Lists the deleted keys in the key vault and for each deleted key prints out its recovery id.

 for (DeletedKey deletedKey : keyClient.listDeletedKeys(new Context(key2, value2))) {
     System.out.printf("Deleted key's recovery Id %s", deletedKey.getRecoveryId());
 }
 

Code Samples to iterate over deleted keys by page

Iterate over the lists the deleted keys by each page in the key vault and for each deleted key prints out its recovery id.

 keyClient.listDeletedKeys().iterableByPage().forEach(resp -> {
     System.out.printf("Got response headers . Url: %s, Status code: %d %n",
         resp.getRequest().getUrl(), resp.getStatusCode());
     resp.getItems().forEach(value -> {
         System.out.printf("Deleted key's recovery Id %s %n", value.getRecoveryId());
     });
 });
 

Parameters:

context - Additional context that is passed through the Http pipeline during the service call.

Returns:

PagedIterable of all of the deleted keys in the vault.

listPropertiesOfKeyVersions

public com.azure.core.http.rest.PagedIterable<KeyProperties> listPropertiesOfKeyVersions(String name)

List all versions of the specified key. The individual key response in the flux is represented by KeyProperties as only the key identifier, attributes and tags are provided in the response. The key material values are not provided in the response. This operation requires the keys/list permission.

It is possible to get full keys with key material for each version from this information. Loop over the key and call KeyClient.getKey(String, String). This will return the keys with key material included of the specified versions.

 for (KeyProperties key : keyClient.listPropertiesOfKeyVersions("keyName")) {
     KeyVaultKey keyWithMaterial  = keyClient.getKey(key.getName(), key.getVersion());
     System.out.printf("Received key's version with name %s, type %s and version %s",
         keyWithMaterial.getName(),
             keyWithMaterial.getKeyType(), keyWithMaterial.getProperties().getVersion());
 }
 

Code Samples to iterate over key versions by page

It is possible to get full keys with key material for each version from this information. Iterate over all the key by page and call KeyClient.getKey(String, String). This will return the keys with key material included of the specified versions.

 keyClient.listPropertiesOfKeyVersions("keyName").iterableByPage().forEach(resp -> {
     System.out.printf("Got response headers . Url: %s, Status code: %d %n",
         resp.getRequest().getUrl(), resp.getStatusCode());
     resp.getItems().forEach(value -> {
         System.out.printf("Key name: %s, Key version: %s %n", value.getName(), value.getVersion());
     });
 });
 

Parameters:

name - The name of the key.

Returns:

PagedIterable of key of all the versions of the specified key in the vault. List is empty if key with name does not exist in key vault.

Throws:

com.azure.core.exception.ResourceNotFoundException - when a given key name is null or an empty string.

listPropertiesOfKeyVersions

public com.azure.core.http.rest.PagedIterable<KeyProperties> listPropertiesOfKeyVersions(String name,
                                                                                         com.azure.core.util.Context context)

List all versions of the specified key. The individual key response in the flux is represented by KeyProperties as only the key identifier, attributes and tags are provided in the response. The key material values are not provided in the response. This operation requires the keys/list permission.

It is possible to get full keys with key material for each version from this information. Loop over the key and call KeyClient.getKey(String, String). This will return the keys with key material included of the specified versions.

 for (KeyProperties key : keyClient.listPropertiesOfKeyVersions("keyName")) {
     KeyVaultKey keyWithMaterial  = keyClient.getKey(key.getName(), key.getVersion());
     System.out.printf("Received key's version with name %s, type %s and version %s",
         keyWithMaterial.getName(),
             keyWithMaterial.getKeyType(), keyWithMaterial.getProperties().getVersion());
 }
 

Code Samples to iterate over key versions by page

It is possible to get full keys with key material for each version from this information. Iterate over all the key by page and call KeyClient.getKey(String, String). This will return the keys with key material included of the specified versions.

 keyClient.listPropertiesOfKeyVersions("keyName").iterableByPage().forEach(resp -> {
     System.out.printf("Got response headers . Url: %s, Status code: %d %n",
         resp.getRequest().getUrl(), resp.getStatusCode());
     resp.getItems().forEach(value -> {
         System.out.printf("Key name: %s, Key version: %s %n", value.getName(), value.getVersion());
     });
 });
 

Parameters:

name - The name of the key.

context - Additional context that is passed through the Http pipeline during the service call.

Returns:

PagedIterable of key of all the versions of the specified key in the vault. List is empty if key with name does not exist in key vault.

Throws:

com.azure.core.exception.ResourceNotFoundException - when a given key name is null or an empty string.