AzureKeys Module

Properties   Methods   Events   Configuration Settings   Errors  

The AzureKeys component makes it easy to interact with keys in Azure Key Vaults.




The AzureKeys class provides an easy-to-use interface for the key-related functionality of the Azure Key Vault service. Azure Key Vault allows you to works with a few different kinds of resources, one of which is asymmetric key pairs. This class helps you to create, manage, and use said key pairs (or just "keys", for short) for cryptographic operations. To work with "secrets" instead, refer to the AzureSecrets class.

To begin, register for an Azure account and create one or more Key Vaults via the Azure Portal. Set the Vault property to the name of the vault you wish to work with.

This class supports authentication via OAuth 2.0. First, perform OAuth authentication using the OAuth class or a separate process. Once complete you should have an authorization string which looks like:

Bearer ya29.AHES6ZSZEJzATdZYjeihDn5W-VrXSsxEZu5p0pclxGdKKQ
Assign this value to the Authorization property before attempting any operations. Consult the documentation for the service for more information about supported scope values and more details on OAuth authentication.

Using the Class

Keys can be created using the CreateKey method. A key's name and type (i.e., whether it is RSA or EC, and its size or curve, respectively) must be set at the time of creation, and cannot be changed later. A list of cryptographic operations that the key is valid for must also be set, but can be changed at any time using the UpdateKey. If a key with the specified name already exists, a new version of it is created; this makes it easy to "rotate" a key.

When a key will no longer be used, it can be deleted using the DeleteKey method. However, the key will only be soft-deleted; by default, Azure will permanently delete it after the waiting period configured for the vault. During this waiting period, the soft-deleted key may be recovered using RecoverKey, or permanently deleted using PurgeKey (assuming the currently-authenticated user has the permissions to do so).

azurekeys.CreateKey("mykey", "RSA_2048", "encrypt,decrypt,sign,verify,wrapKey,unwrapKey");

// ... Some time later, when the key is no longer needed ...

// At this point, the key is only soft-deleted. It could be recovered...
// ...or permanently deleted.

To list keys, use the ListKeys method. This method is also used to list soft-deleted keys if the GetDeleted configuration setting has been enabled first. To list a key's versions, use the ListVersions method. (You cannot list a deleted key's versions.) In all cases, the IncludeKeyDetails property can optionally be enabled to have the class attempt to retrieve the full information for each key (Azure leaves out certain fields by default when listing).

// If there are many keys to list, there may be multiple pages of results. This will
// cause all pages of results to be accumulated into the Keys collection property.
do {
} while (!string.IsNullOrEmpty(azurekeys.KeyMarker));

// A similar thing applies to key versions as well.
do {
} while (!string.IsNullOrEmpty(azurekeys.VersionMarker));

Depending on a key's "key ops" list, it can be used to perform different cryptographic operations. Keys with the encrypt and decrypt ops can be used in Encrypt and Decrypt operations. Keys with the sign and verify ops can be used in Sign and Verify. Finally, keys with the wrapKey and unwrapKey ops can be used in WrapKey and UnwrapKey operations (which are just like encryption and decryption, but which are intended to be used for wrapping a symmetric key, and which require different permissions to call successfully).

To perform a cryptographic operation, use InputData or InputFile to supply the input data that should be processed. All operations will output the result data to OutputData or OutputFile (except Verify; refer to its documentation for more information).

azurekeys.CreateKey("mykey", "RSA_2048", "encrypt,decrypt");

azurekeys.InputData = "Test123";
azurekeys.OutputFile = "C:/temp/enc.dat";
azurekeys.Encrypt("mykey", "RSA-OAEP-256");

azurekeys.InputFile = "C:/temp/enc.dat";
azurekeys.OutputFile = ""; // So that the data will be output to the OutputData property.
azurekeys.Decrypt("mykey", "RSA-OAEP-256");

The class also supports a variety of other functionality, including:

  • Retrieval of a single key's information (including public key) with GetKeyInfo.
  • Enabling and disabling keys with SetKeyEnabled.
  • Tagging support using AddTag and the Tag* properties.
  • Secure key backup and restoration using BackupKey and RestoreKey.
  • And more!

Property List

The following is the full list of the properties of the module with short descriptions. Click on the links for further details.

AuthorizationOAuth 2.0 Authorization Token.
FirewallA set of properties related to firewall access.
IdleThe current status of the component.
IncludeKeyDetailsWhether to attempt to retrieve fill details when listing keys.
InputDataThe data to process.
InputFileThe file whose data should be processed.
KeyMarkerA marker indicating what page of keys to return next.
KeysA collection of keys.
LocalHostThe name of the local host or user-assigned IP interface through which connections are initiated or accepted.
OtherHeadersOther headers as determined by the user (optional).
OutputDataThe output data.
OutputFileThe file to which output data should be written.
OverwriteWhether the output file should be overwritten if necessary.
ParsedHeadersCollection of headers returned from the last request.
ProxyA set of properties related to proxy access.
QueryParamsAdditional query parameters to be included in the request.
SSLAcceptServerCertEncodedThe certificate (PEM/base64 encoded).
SSLCertEncodedThe certificate (PEM/base64 encoded).
SSLCertStoreThe name of the certificate store for the client certificate.
SSLCertStorePasswordIf the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.
SSLCertStoreTypeThe type of certificate store for this certificate.
SSLCertSubjectThe subject of the certificate used for client authentication.
SSLServerCertEncodedThe certificate (PEM/base64 encoded).
TagsA collection of tags.
TimeoutA timeout for the component.
VaultSelects a vault for the component to interact with.
VersionMarkerA marker indicating what page of key versions to return next.

Method List

The following is the full list of the methods of the module with short descriptions. Click on the links for further details.

AddQueryParamAdds a query parameter to the QueryParams properties.
AddTagAdds an item to the Tags properties.
BackupKeyBacks up a key.
ConfigSets or retrieves a configuration setting.
CreateKeyCreates a new key.
DecryptDecrypts data using a key.
DeleteKeyDeletes a key.
DoEventsProcesses events from the internal message queue.
EncryptEncrypts data using a key.
GetKeyInfoGets a key's information and public key.
ListKeysLists keys in the currently-selected vault.
ListVersionsLists versions of a key.
PurgeKeyPermanently deletes a soft-deleted key.
RecoverKeyRecovers a soft-deleted key.
ResetResets the component to its initial state.
RestoreKeyRestores a previously backed-up key to the vault.
SendCustomRequestSends a custom request to the server.
SetKeyEnabledEnables or disables a key.
SignSigns a message using a key.
UnwrapKeyUnwraps a symmetric key.
UpdateKeyUpdates a key's information.
VerifyVerifies a digital signature using a key.
WrapKeyWraps a symmetric key.

Event List

The following is the full list of the events fired by the module with short descriptions. Click on the links for further details.

EndTransferFired when a document finishes transferring.
ErrorInformation about errors during data delivery.
HeaderFired every time a header line comes in.
KeyListFires once for each key when listing keys.
LogFires once for each log message.
SSLServerAuthenticationFired after the server presents its certificate to the client.
SSLStatusShows the progress of the secure connection.
StartTransferFired when a document starts transferring (after the headers).
TagListFires once for each tag returned when a key's information is retrieved.
TransferFired while a document transfers (delivers document).

Configuration Settings

The following is a list of configuration settings for the module with short descriptions. Click on the links for further details.

AccumulatePagesWhether the component should accumulate subsequent pages of results when listing them.
APIVersionThe Azure Key Vault API version that the component conforms to.
CreateKeyEnabledWhether new keys should be created in an enabled or disabled state.
ExpiryDateThe expiry date to send for the key.
GetDeletedWhether the component should retrieve information about soft-deleted keys.
MaxKeysThe maximum number of results to return when listing keys.
MessageDigestThe message digest computed by the component during the last sign or verify operation, if any.
NotBeforeDateThe 'not before' date to send for the key.
RawRequestReturns the data that was sent to the server.
RawResponseReturns the data that was received from the server.
VersionIdThe Id of the key version that the component should make requests against.
XChildCountThe number of child elements of the current element.
XChildName[i]The name of the child element.
XChildXText[i]The inner text of the child element.
XElementThe name of the current element.
XParentThe parent of the current element.
XPathProvides a way to point to a specific element in the returned XML or JSON response.
XSubTreeA snapshot of the current element in the document.
XTextThe text of the current element.
AcceptEncodingUsed to tell the server which types of content encodings the client supports.
AllowHTTPCompressionThis property enables HTTP compression for receiving data.
AllowHTTPFallbackWhether HTTP/2 connections are permitted to fallback to HTTP/1.1.
AppendWhether to append data to LocalFile.
AuthorizationThe Authorization string to be sent to the server.
BytesTransferredContains the number of bytes transferred in the response data.
ChunkSizeSpecifies the chunk size in bytes when using chunked encoding.
CompressHTTPRequestSet to true to compress the body of a PUT or POST request.
EncodeURLIf set to true the URL will be encoded by the component.
FollowRedirectsDetermines what happens when the server issues a redirect.
GetOn302RedirectIf set to true the component will perform a GET on the new location.
HTTP2HeadersWithoutIndexingHTTP2 headers that should not update the dynamic header table with incremental indexing.
HTTPVersionThe version of HTTP used by the component.
IfModifiedSinceA date determining the maximum age of the desired document.
KeepAliveDetermines whether the HTTP connection is closed after completion of the request.
KerberosSPNThe Service Principal Name for the Kerberos Domain Controller.
LogLevelThe level of detail that is logged.
MaxRedirectAttemptsLimits the number of redirects that are followed in a request.
NegotiatedHTTPVersionThe negotiated HTTP version.
OtherHeadersOther headers as determined by the user (optional).
ProxyAuthorizationThe authorization string to be sent to the proxy server.
ProxyAuthSchemeThe authorization scheme to be used for the proxy.
ProxyPasswordA password if authentication is to be used for the proxy.
ProxyPortPort for the proxy server (default 80).
ProxyServerName or IP address of a proxy server (optional).
ProxyUserA user name if authentication is to be used for the proxy.
SentHeadersThe full set of headers as sent by the client.
StatusLineThe first line of the last response from the server.
TransferredDataThe contents of the last response from the server.
TransferredDataLimitThe maximum number of incoming bytes to be stored by the component.
TransferredHeadersThe full set of headers as received from the server.
TransferredRequestThe full request as sent by the client.
UseChunkedEncodingEnables or Disables HTTP chunked encoding for transfers.
UseIDNsWhether to encode hostnames to internationalized domain names.
UserAgentInformation about the user agent (browser).
ConnectionTimeoutSets a separate timeout value for establishing a connection.
FirewallAutoDetectTells the component whether or not to automatically detect and use firewall system settings, if available.
FirewallHostName or IP address of firewall (optional).
FirewallPasswordPassword to be used if authentication is to be used when connecting through the firewall.
FirewallPortThe TCP port for the FirewallHost;.
FirewallTypeDetermines the type of firewall to connect through.
FirewallUserA user name if authentication is to be used connecting through a firewall.
KeepAliveIntervalThe retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received.
KeepAliveTimeThe inactivity time in milliseconds before a TCP keep-alive packet is sent.
LingerWhen set to True, connections are terminated gracefully.
LingerTimeTime in seconds to have the connection linger.
LocalHostThe name of the local host through which connections are initiated or accepted.
LocalPortThe port in the local host where the component binds.
MaxLineLengthThe maximum amount of data to accumulate when no EOL is found.
MaxTransferRateThe transfer rate limit in bytes per second.
ProxyExceptionsListA semicolon separated list of hosts and IPs to bypass when using a proxy.
TCPKeepAliveDetermines whether or not the keep alive socket option is enabled.
TcpNoDelayWhether or not to delay when sending packets.
UseIPv6Whether to use IPv6.
LogSSLPacketsControls whether SSL packets are logged when using the internal security API.
OpenSSLCADirThe path to a directory containing CA certificates.
OpenSSLCAFileName of the file containing the list of CA's trusted by your application.
OpenSSLCipherListA string that controls the ciphers to be used by SSL.
OpenSSLPrngSeedDataThe data to seed the pseudo random number generator (PRNG).
ReuseSSLSessionDetermines if the SSL session is reused.
SSLCACertsA newline separated list of CA certificate to use during SSL client authentication.
SSLCheckCRLWhether to check the Certificate Revocation List for the server certificate.
SSLCipherStrengthThe minimum cipher strength used for bulk encryption.
SSLEnabledCipherSuitesThe cipher suite to be used in an SSL negotiation.
SSLEnabledProtocolsUsed to enable/disable the supported security protocols.
SSLEnableRenegotiationWhether the renegotiation_info SSL extension is supported.
SSLIncludeCertChainWhether the entire certificate chain is included in the SSLServerAuthentication event.
SSLProviderThe name of the security provider to use.
SSLSecurityFlagsFlags that control certificate verification.
TLS12SignatureAlgorithmsDefines the allowed TLS 1.2 signature algorithms when UseInternalSecurityAPI is True.
TLS12SupportedGroupsThe supported groups for ECC.
TLS13KeyShareGroupsThe groups for which to pregenerate key shares.
TLS13SignatureAlgorithmsThe allowed certificate signature algorithms.
TLS13SupportedGroupsThe supported groups for (EC)DHE key exchange.
AbsoluteTimeoutDetermines whether timeouts are inactivity timeouts or absolute timeouts.
FirewallDataUsed to send extra data to the firewall.
InBufferSizeThe size in bytes of the incoming queue of the socket.
OutBufferSizeThe size in bytes of the outgoing queue of the socket.
BuildInfoInformation about the product's build.
CodePageThe system code page used for Unicode to Multibyte translations.
LicenseInfoInformation about the current license.
UseInternalSecurityAPITells the component whether or not to use the system security libraries or an internal implementation.

Copyright (c) 2021 /n software inc. - All rights reserved.
Cloud Keys 2020 macOS Edition - Version 20.0 [Build 7876]