AzureKeys Component
Properties Methods Events Configuration Settings Errors
The AzureKeys component makes it easy to interact with keys in Azure Key Vaults.
Syntax
CloudKeys.Azurekeys
Remarks
The AzureKeys component provides an easy-to-use interface for the key-related functionality of the Azure Key Vault service. Azure Key Vault allows you to works with a few different kinds of resources, one of which is asymmetric key pairs. This component helps you to create, manage, and use said key pairs (or just "keys", for short) for cryptographic operations. To work with "secrets" instead, refer to the AzureSecrets component.
To begin, register for an Azure account and create one or more Key Vaults via the Azure Portal. Set the Vault property to the name of the vault you wish to work with.
This component supports authentication via OAuth 2.0. First, perform OAuth authentication using the OAuth component or a separate process. Once complete you should have an authorization string which looks like:
Bearer ya29.AHES6ZSZEJzATdZYjeihDn5W-VrXSsxEZu5p0pclxGdKKQAssign this value to the Authorization property before attempting any operations. Consult the documentation for the service for more information about supported scope values and more details on OAuth authentication.
Using the Component
Keys can be created using the CreateKey method. A key's name and type (i.e., whether it is RSA or EC, and its size or curve, respectively) must be set at the time of creation, and cannot be changed later. A list of cryptographic operations that the key is valid for must also be set, but can be changed at any time using the UpdateKey. If a key with the specified name already exists, a new version of it is created; this makes it easy to "rotate" a key.
When a key will no longer be used, it can be deleted using the DeleteKey method. However, the key will only be soft-deleted; by default, Azure will permanently delete it after the waiting period configured for the vault. During this waiting period, the soft-deleted key may be recovered using RecoverKey, or permanently deleted using PurgeKey (assuming the currently-authenticated user has the permissions to do so).
azurekeys.CreateKey("mykey", "RSA_2048", "encrypt,decrypt,sign,verify,wrapKey,unwrapKey");
// ... Some time later, when the key is no longer needed ...
azurekeys.DeleteKey("mykey");
// At this point, the key is only soft-deleted. It could be recovered...
azurekeys.RecoverKey("mykey");
// ...or permanently deleted.
azurekeys.PurgeKey("mykey");
To list keys, use the ListKeys method. This method is also used to list soft-deleted keys if the GetDeleted configuration setting has been enabled first. To list a key's versions, use the ListVersions method. (You cannot list a deleted key's versions.) In all cases, the IncludeKeyDetails property can optionally be enabled to have the component attempt to retrieve the full information for each key (Azure leaves out certain fields by default when listing).
// If there are many keys to list, there may be multiple pages of results. This will
// cause all pages of results to be accumulated into the Keys collection property.
do {
azurekeys.ListKeys();
} while (!string.IsNullOrEmpty(azurekeys.KeyMarker));
// A similar thing applies to key versions as well.
do {
azurekeys.ListVersions("mykey");
} while (!string.IsNullOrEmpty(azurekeys.VersionMarker));
Depending on a key's "key ops" list, it can be used to perform different cryptographic operations. Keys with the encrypt and decrypt ops can be used in Encrypt and Decrypt operations. Keys with the sign and verify ops can be used in Sign and Verify. Finally, keys with the wrapKey and unwrapKey ops can be used in WrapKey and UnwrapKey operations (which are just like encryption and decryption, but which are intended to be used for wrapping a symmetric key, and which require different permissions to call successfully).
To perform a cryptographic operation, use InputData, InputFile, or SetInputStream to supply the input data that should be processed. All operations will output the result data to OutputData, OutputFile, or SetOutputStream (except Verify; refer to its documentation for more information).
azurekeys.CreateKey("mykey", "RSA_2048", "encrypt,decrypt");
azurekeys.InputData = "Test123";
azurekeys.OutputFile = "C:/temp/enc.dat";
azurekeys.Encrypt("mykey", "RSA-OAEP-256");
azurekeys.InputFile = "C:/temp/enc.dat";
azurekeys.OutputFile = ""; // So that the data will be output to the OutputData property.
azurekeys.Decrypt("mykey", "RSA-OAEP-256");
The component also supports a variety of other functionality, including:
- Retrieval of a single key's information (including public key) with GetKeyInfo.
- Enabling and disabling keys with SetKeyEnabled.
- Tagging support using AddTag and the Tags collection.
- Secure key backup and restoration using BackupKey and RestoreKey.
- And more!
Property List
The following is the full list of the properties of the component with short descriptions. Click on the links for further details.
Authorization | OAuth 2.0 Authorization Token. |
Firewall | A set of properties related to firewall access. |
Idle | The current status of the component. |
IncludeKeyDetails | Whether to attempt to retrieve fill details when listing keys. |
InputData | The data to process. |
InputFile | The file whose data should be processed. |
KeyMarker | A marker indicating what page of keys to return next. |
Keys | A collection of keys. |
LocalHost | The name of the local host or user-assigned IP interface through which connections are initiated or accepted. |
OtherHeaders | Other headers as determined by the user (optional). |
OutputData | The output data. |
OutputFile | The file to which output data should be written. |
Overwrite | Whether the output file should be overwritten if necessary. |
ParsedHeaders | Collection of headers returned from the last request. |
Proxy | A set of properties related to proxy access. |
QueryParams | Additional query parameters to be included in the request. |
SSLAcceptServerCert | Instructs the component to unconditionally accept the server certificate that matches the supplied certificate. |
SSLCert | The certificate to be used during SSL negotiation. |
SSLServerCert | The server certificate for the last established connection. |
Tags | A collection of tags. |
Timeout | A timeout for the component. |
Vault | Selects a vault for the component to interact with. |
VersionMarker | A marker indicating what page of key versions to return next. |
Method List
The following is the full list of the methods of the component with short descriptions. Click on the links for further details.
addQueryParam | Adds a query parameter to the QueryParams properties. |
addTag | Adds an item to the Tags properties. |
backupKey | Backs up a key. |
config | Sets or retrieves a configuration setting. |
createKey | Creates a new key. |
decrypt | Decrypts data using a key. |
deleteKey | Deletes a key. |
doEvents | Processes events from the internal message queue. |
encrypt | Encrypts data using a key. |
getKeyInfo | Gets a key's information and public key. |
listKeys | Lists keys in the currently-selected vault. |
listVersions | Lists versions of a key. |
purgeKey | Permanently deletes a soft-deleted key. |
recoverKey | Recovers a soft-deleted key. |
reset | Resets the component to its initial state. |
restoreKey | Restores a previously backed-up key to the vault. |
sendCustomRequest | Sends a custom request to the server. |
setInputStream | Sets the stream whose data should be processed. |
setKeyEnabled | Enables or disables a key. |
setOutputStream | Sets the stream to which output data should be written. |
sign | Signs a message using a key. |
unwrapKey | Unwraps a symmetric key. |
updateKey | Updates a key's information. |
verify | Verifies a digital signature using a key. |
wrapKey | Wraps a symmetric key. |
Event List
The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.
EndTransfer | Fired when a document finishes transferring. |
Error | Information about errors during data delivery. |
Header | Fired every time a header line comes in. |
KeyList | Fires once for each key when listing keys. |
Log | Fires once for each log message. |
SSLServerAuthentication | Fired after the server presents its certificate to the client. |
SSLStatus | Shows the progress of the secure connection. |
StartTransfer | Fired when a document starts transferring (after the headers). |
TagList | Fires once for each tag returned when a key's information is retrieved. |
Transfer | Fired while a document transfers (delivers document). |
Configuration Settings
The following is a list of configuration settings for the component with short descriptions. Click on the links for further details.
AccumulatePages | Whether the component should accumulate subsequent pages of results when listing them. |
APIVersion | The Azure Key Vault API version that the component conforms to. |
CloseInputStreamAfterProcessing | Whether the specified input stream should be closed after data is read from it. |
CloseOutputStreamAfterProcessing | Whether the specified output stream should be closed after data is written to it. |
CreateKeyEnabled | Whether new keys should be created in an enabled or disabled state. |
ExpiryDate | The expiry date to send for the key. |
GetDeleted | Whether the component should retrieve information about soft-deleted keys. |
MaxKeys | The maximum number of results to return when listing keys. |
MessageDigest | The message digest computed by the component during the last sign or verify operation, if any. |
NotBeforeDate | The 'not before' date to send for the key. |
RawRequest | Returns the data that was sent to the server. |
RawResponse | Returns the data that was received from the server. |
VersionId | The Id of the key version that the component should make requests against. |
XChildCount | The number of child elements of the current element. |
XChildName[i] | The name of the child element. |
XChildXText[i] | The inner text of the child element. |
XElement | The name of the current element. |
XParent | The parent of the current element. |
XPath | Provides a way to point to a specific element in the returned XML or JSON response. |
XSubTree | A snapshot of the current element in the document. |
XText | The text of the current element. |
AcceptEncoding | Used to tell the server which types of content encodings the client supports. |
AllowHTTPCompression | This property enables HTTP compression for receiving data. |
AllowHTTPFallback | Whether HTTP/2 connections are permitted to fallback to HTTP/1.1. |
AllowNTLMFallback | Whether to allow fallback from Negotiate to NTLM when authenticating. |
Append | Whether to append data to LocalFile. |
Authorization | The Authorization string to be sent to the server. |
BytesTransferred | Contains the number of bytes transferred in the response data. |
ChunkSize | Specifies the chunk size in bytes when using chunked encoding. |
CompressHTTPRequest | Set to true to compress the body of a PUT or POST request. |
EncodeURL | If set to true the URL will be encoded by the component. |
FollowRedirects | Determines what happens when the server issues a redirect. |
GetOn302Redirect | If set to true the component will perform a GET on the new location. |
HTTP2HeadersWithoutIndexing | HTTP2 headers that should not update the dynamic header table with incremental indexing. |
HTTPVersion | The version of HTTP used by the component. |
IfModifiedSince | A date determining the maximum age of the desired document. |
KeepAlive | Determines whether the HTTP connection is closed after completion of the request. |
KerberosSPN | The Service Principal Name for the Kerberos Domain Controller. |
LogLevel | The level of detail that is logged. |
MaxHeaders | Instructs component to save the amount of headers specified that are returned by the server after a Header event has been fired. |
MaxHTTPCookies | Instructs component to save the amount of cookies specified that are returned by the server when a SetCookie event is fired. |
MaxRedirectAttempts | Limits the number of redirects that are followed in a request. |
NegotiatedHTTPVersion | The negotiated HTTP version. |
OtherHeaders | Other headers as determined by the user (optional). |
ProxyAuthorization | The authorization string to be sent to the proxy server. |
ProxyAuthScheme | The authorization scheme to be used for the proxy. |
ProxyPassword | A password if authentication is to be used for the proxy. |
ProxyPort | Port for the proxy server (default 80). |
ProxyServer | Name or IP address of a proxy server (optional). |
ProxyUser | A user name if authentication is to be used for the proxy. |
SentHeaders | The full set of headers as sent by the client. |
StatusLine | The first line of the last response from the server. |
TransferredData | The contents of the last response from the server. |
TransferredDataLimit | The maximum number of incoming bytes to be stored by the component. |
TransferredHeaders | The full set of headers as received from the server. |
TransferredRequest | The full request as sent by the client. |
UseChunkedEncoding | Enables or Disables HTTP chunked encoding for transfers. |
UseIDNs | Whether to encode hostnames to internationalized domain names. |
UsePlatformDeflate | Whether to use the platform implementation to decompress compressed responses. |
UsePlatformHTTPClient | Whether or not to use the platform HTTP client. |
UserAgent | Information about the user agent (browser). |
CloseStreamAfterTransfer | If true, the component will close the upload or download stream after the transfer. |
ConnectionTimeout | Sets a separate timeout value for establishing a connection. |
FirewallAutoDetect | Tells the component whether or not to automatically detect and use firewall system settings, if available. |
FirewallHost | Name or IP address of firewall (optional). |
FirewallListener | If true, the component binds to a SOCKS firewall as a server (IPPort only). |
FirewallPassword | Password to be used if authentication is to be used when connecting through the firewall. |
FirewallPort | The TCP port for the FirewallHost;. |
FirewallType | Determines the type of firewall to connect through. |
FirewallUser | A user name if authentication is to be used connecting through a firewall. |
KeepAliveInterval | The retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received. |
KeepAliveTime | The inactivity time in milliseconds before a TCP keep-alive packet is sent. |
Linger | When set to True, connections are terminated gracefully. |
LingerTime | Time in seconds to have the connection linger. |
LocalHost | The name of the local host through which connections are initiated or accepted. |
LocalPort | The port in the local host where the component binds. |
MaxLineLength | The maximum amount of data to accumulate when no EOL is found. |
MaxTransferRate | The transfer rate limit in bytes per second. |
ProxyExceptionsList | A semicolon separated list of hosts and IPs to bypass when using a proxy. |
TCPKeepAlive | Determines whether or not the keep alive socket option is enabled. |
TcpNoDelay | Whether or not to delay when sending packets. |
UseIPv6 | Whether to use IPv6. |
UseNTLMv2 | Whether to use NTLM V2. |
LogSSLPackets | Controls whether SSL packets are logged when using the internal security API. |
ReuseSSLSession | Determines if the SSL session is reused. |
SSLCACerts | A newline separated list of CA certificate to use during SSL client authentication. |
SSLCipherStrength | The minimum cipher strength used for bulk encryption. |
SSLContextProtocol | The protocol used when getting an SSLContext instance. |
SSLEnabledCipherSuites | The cipher suite to be used in an SSL negotiation. |
SSLEnabledProtocols | Used to enable/disable the supported security protocols. |
SSLEnableRenegotiation | Whether the renegotiation_info SSL extension is supported. |
SSLIncludeCertChain | Whether the entire certificate chain is included in the SSLServerAuthentication event. |
SSLNegotiatedCipher | Returns the negotiated ciphersuite. |
SSLNegotiatedCipherStrength | Returns the negotiated ciphersuite strength. |
SSLNegotiatedCipherSuite | Returns the negotiated ciphersuite. |
SSLNegotiatedKeyExchange | Returns the negotiated key exchange algorithm. |
SSLNegotiatedKeyExchangeStrength | Returns the negotiated key exchange algorithm strength. |
SSLNegotiatedProtocol | Returns the negotiated protocol version. |
SSLProvider | The name of the security provider to use. |
SSLServerCACerts | A newline separated list of CA certificate to use during SSL server certificate validation. |
SSLTrustManagerFactoryAlgorithm | The algorithm to be used to create a TrustManager through TrustManagerFactory. |
TLS12SignatureAlgorithms | Defines the allowed TLS 1.2 signature algorithms when UseInternalSecurityAPI is True. |
TLS12SupportedGroups | The supported groups for ECC. |
TLS13KeyShareGroups | The groups for which to pregenerate key shares. |
TLS13SignatureAlgorithms | The allowed certificate signature algorithms. |
TLS13SupportedGroups | The supported groups for (EC)DHE key exchange. |
AbsoluteTimeout | Determines whether timeouts are inactivity timeouts or absolute timeouts. |
FirewallData | Used to send extra data to the firewall. |
InBufferSize | The size in bytes of the incoming queue of the socket. |
OutBufferSize | The size in bytes of the outgoing queue of the socket. |
BuildInfo | Information about the product's build. |
GUIAvailable | Tells the component whether or not a message loop is available for processing events. |
LicenseInfo | Information about the current license. |
UseDaemonThreads | Whether threads created by the component are daemon threads. |
UseInternalSecurityAPI | Tells the component whether or not to use the system security libraries or an internal implementation. |