This sample demonstrates how to create, get, update, and delete a key in Azure Key Vault. To get started, you'll need a URI to an Azure Key Vault. See the README for links and instructions.
To create a new KeyClient
to create, get, update, or delete keys, you need the endpoint to an Azure Key Vault and credentials.
You can use the DefaultAzureCredential to try a number of common authentication methods optimized for both running as a service and development.
In the sample below, you can set keyVaultUrl
based on an environment variable, configuration setting, or any way that works for your application.
var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
Let's create an RSA key valid for 1 year. If the key already exists in the Azure Key Vault, then a new version of the key is created.
string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}";
var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false)
{
KeySize = 2048,
ExpiresOn = DateTimeOffset.Now.AddYears(1)
};
client.CreateRsaKey(rsaKey);
Let's get the cloud RSA key from the Azure Key Vault.
KeyVaultKey cloudRsaKey = client.GetKey(rsaKeyName);
Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyType}");
After one year, the cloud RSA key is still required, so we need to update the expiry time of the key. The update method can be used to update the expiry attribute of the key.
cloudRsaKey.Properties.ExpiresOn.Value.AddYears(1);
KeyVaultKey updatedKey = client.UpdateKeyProperties(cloudRsaKey.Properties, cloudRsaKey.KeyOperations);
Debug.WriteLine($"Key's updated expiry time is {updatedKey.Properties.ExpiresOn}");
We need the cloud RSA key with bigger key size, so you want to update the key in Azure Key Vault to ensure it has the required size.
Calling CreateRsaKey
on an existing key creates a new version of the key in the Azure Key Vault with the new specified size.
var newRsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false)
{
KeySize = 4096,
ExpiresOn = DateTimeOffset.Now.AddYears(1)
};
client.CreateRsaKey(newRsaKey);
The cloud RSA key is no longer needed, so we need to delete it from the Key Vault.
DeleteKeyOperation operation = client.StartDeleteKey(rsaKeyName);
If the Azure Key Vault is soft delete-enabled and you want to permanently delete the key before its ScheduledPurgeDate
,
the deleted key needs to be purged. Before it can be purged, you need to wait until the key is fully deleted.
// You only need to wait for completion if you want to purge or recover the key.
while (!operation.HasCompleted)
{
Thread.Sleep(2000);
operation.UpdateStatus();
}
client.PurgeDeletedKey(rsaKeyName);
When writing asynchronous code, you can instead await WaitForCompletionAsync
to wait indefinitely.
You can optionally pass in a CancellationToken
to cancel waiting after a certain period or time or any other trigger you require.
// You only need to wait for completion if you want to purge or recover the key.
await operation.WaitForCompletionAsync();
await client.PurgeDeletedKeyAsync(rsaKeyName);