azure-security-keyvault-keys-dotnet

npx skills add https://github.com/microsoft/skills --skill azure-security-keyvault-keys-dotnet

Azure.Security.KeyVault.Keys (.NET)

Bibliothèque cliente pour gérer les clés cryptographiques dans Azure Key Vault et Managed HSM.

Installation

dotnet add package Azure.Security.KeyVault.Keys
dotnet add package Azure.Identity

Version actuelle : 4.7.0 (stable)

Variables d'environnement

KEY_VAULT_NAME=<your-key-vault-name>
# Or full URI
AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net

Hiérarchie des clients

KeyClient (gestion des clés)
├── CreateKey / CreateRsaKey / CreateEcKey
├── GetKey / GetKeys
├── UpdateKeyProperties
├── DeleteKey / PurgeDeletedKey
├── BackupKey / RestoreKey
└── GetCryptographyClient() → CryptographyClient

CryptographyClient (opérations cryptographiques)
├── Encrypt / Decrypt
├── WrapKey / UnwrapKey
├── Sign / Verify
└── SignData / VerifyData

KeyResolver (résolution de clés)
└── Resolve(keyId) → CryptographyClient

Authentification

DefaultAzureCredential (Recommandé)

using Azure.Identity;
using Azure.Security.KeyVault.Keys;

var keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
var kvUri = $"https://{keyVaultName}.vault.azure.net";

var client = new KeyClient(new Uri(kvUri), new DefaultAzureCredential());

Principal de service

var credential = new ClientSecretCredential(
    tenantId: "<tenant-id>",
    clientId: "<client-id>",
    clientSecret: "<client-secret>");

var client = new KeyClient(new Uri(kvUri), credential);

Gestion des clés

Créer des clés

// Create RSA key
KeyVaultKey rsaKey = await client.CreateKeyAsync("my-rsa-key", KeyType.Rsa);
Console.WriteLine($"Created key: {rsaKey.Name}, Type: {rsaKey.KeyType}");

// Create RSA key with options
var rsaOptions = new CreateRsaKeyOptions("my-rsa-key-2048")
{
    KeySize = 2048,
    HardwareProtected = false, // true for HSM-backed
    ExpiresOn = DateTimeOffset.UtcNow.AddYears(1),
    NotBefore = DateTimeOffset.UtcNow,
    Enabled = true
};
rsaOptions.KeyOperations.Add(KeyOperation.Encrypt);
rsaOptions.KeyOperations.Add(KeyOperation.Decrypt);

KeyVaultKey rsaKey2 = await client.CreateRsaKeyAsync(rsaOptions);

// Create EC key
var ecOptions = new CreateEcKeyOptions("my-ec-key")
{
    CurveName = KeyCurveName.P256,
    HardwareProtected = true // HSM-backed
};
KeyVaultKey ecKey = await client.CreateEcKeyAsync(ecOptions);

// Create Oct (symmetric) key for wrap/unwrap
var octOptions = new CreateOctKeyOptions("my-oct-key")
{
    KeySize = 256,
    HardwareProtected = true
};
KeyVaultKey octKey = await client.CreateOctKeyAsync(octOptions);

Récupérer des clés

// Get specific key (latest version)
KeyVaultKey key = await client.GetKeyAsync("my-rsa-key");
Console.WriteLine($"Key ID: {key.Id}");
Console.WriteLine($"Key Type: {key.KeyType}");
Console.WriteLine($"Version: {key.Properties.Version}");

// Get specific version
KeyVaultKey keyVersion = await client.GetKeyAsync("my-rsa-key", "version-id");

// List all keys
await foreach (KeyProperties keyProps in client.GetPropertiesOfKeysAsync())
{
    Console.WriteLine($"Key: {keyProps.Name}, Enabled: {keyProps.Enabled}");
}

// List key versions
await foreach (KeyProperties version in client.GetPropertiesOfKeyVersionsAsync("my-rsa-key"))
{
    Console.WriteLine($"Version: {version.Version}, Created: {version.CreatedOn}");
}

Mettre à jour les propriétés des clés

KeyVaultKey key = await client.GetKeyAsync("my-rsa-key");

key.Properties.ExpiresOn = DateTimeOffset.UtcNow.AddYears(2);
key.Properties.Tags["environment"] = "production";

KeyVaultKey updatedKey = await client.UpdateKeyPropertiesAsync(key.Properties);

Supprimer et purger des clés

// Start delete operation
DeleteKeyOperation operation = await client.StartDeleteKeyAsync("my-rsa-key");

// Wait for deletion to complete (required before purge)
await operation.WaitForCompletionAsync();
Console.WriteLine($"Deleted key scheduled purge date: {operation.Value.ScheduledPurgeDate}");

// Purge immediately (if soft-delete is enabled)
await client.PurgeDeletedKeyAsync("my-rsa-key");

// Or recover deleted key
KeyVaultKey recoveredKey = await client.StartRecoverDeletedKeyAsync("my-rsa-key");

Sauvegarder et restaurer

// Backup key
byte[] backup = await client.BackupKeyAsync("my-rsa-key");
await File.WriteAllBytesAsync("key-backup.bin", backup);

// Restore key
byte[] backupData = await File.ReadAllBytesAsync("key-backup.bin");
KeyVaultKey restoredKey = await client.RestoreKeyBackupAsync(backupData);

Opérations cryptographiques

Obtenir un CryptographyClient

// From KeyClient
KeyVaultKey key = await client.GetKeyAsync("my-rsa-key");
CryptographyClient cryptoClient = client.GetCryptographyClient(
    key.Name, 
    key.Properties.Version);

// Or create directly with key ID
CryptographyClient cryptoClient = new CryptographyClient(
    new Uri("https://myvault.vault.azure.net/keys/my-rsa-key/version"),
    new DefaultAzureCredential());

Chiffrer et déchiffrer

byte[] plaintext = Encoding.UTF8.GetBytes("Secret message to encrypt");

// Encrypt
EncryptResult encryptResult = await cryptoClient.EncryptAsync(
    EncryptionAlgorithm.RsaOaep256, 
    plaintext);
Console.WriteLine($"Encrypted: {Convert.ToBase64String(encryptResult.Ciphertext)}");

// Decrypt
DecryptResult decryptResult = await cryptoClient.DecryptAsync(
    EncryptionAlgorithm.RsaOaep256, 
    encryptResult.Ciphertext);
string decrypted = Encoding.UTF8.GetString(decryptResult.Plaintext);
Console.WriteLine($"Decrypted: {decrypted}");

Envelopper et dérouler des clés

// Key to wrap (e.g., AES key)
byte[] keyToWrap = new byte[32]; // 256-bit key
RandomNumberGenerator.Fill(keyToWrap);

// Wrap key
WrapResult wrapResult = await cryptoClient.WrapKeyAsync(
    KeyWrapAlgorithm.RsaOaep256, 
    keyToWrap);

// Unwrap key
UnwrapResult unwrapResult = await cryptoClient.UnwrapKeyAsync(
    KeyWrapAlgorithm.RsaOaep256, 
    wrapResult.EncryptedKey);

Signer et vérifier

// Data to sign
byte[] data = Encoding.UTF8.GetBytes("Data to sign");

// Sign data (computes hash internally)
SignResult signResult = await cryptoClient.SignDataAsync(
    SignatureAlgorithm.RS256, 
    data);

// Verify signature
VerifyResult verifyResult = await cryptoClient.VerifyDataAsync(
    SignatureAlgorithm.RS256, 
    data, 
    signResult.Signature);
Console.WriteLine($"Signature valid: {verifyResult.IsValid}");

// Or sign pre-computed hash
using var sha256 = SHA256.Create();
byte[] hash = sha256.ComputeHash(data);

SignResult signHashResult = await cryptoClient.SignAsync(
    SignatureAlgorithm.RS256, 
    hash);

Résolveur de clés

using Azure.Security.KeyVault.Keys.Cryptography;

var resolver = new KeyResolver(new DefaultAzureCredential());

// Resolve key by ID to get CryptographyClient
CryptographyClient cryptoClient = await resolver.ResolveAsync(
    new Uri("https://myvault.vault.azure.net/keys/my-key/version"));

// Use for encryption
EncryptResult result = await cryptoClient.EncryptAsync(
    EncryptionAlgorithm.RsaOaep256, 
    plaintext);

Rotation des clés

// Rotate key (creates new version)
KeyVaultKey rotatedKey = await client.RotateKeyAsync("my-rsa-key");
Console.WriteLine($"New version: {rotatedKey.Properties.Version}");

// Get rotation policy
KeyRotationPolicy policy = await client.GetKeyRotationPolicyAsync("my-rsa-key");

// Update rotation policy
policy.ExpiresIn = "P90D"; // 90 days
policy.LifetimeActions.Add(new KeyRotationLifetimeAction
{
    Action = KeyRotationPolicyAction.Rotate,
    TimeBeforeExpiry = "P30D" // Rotate 30 days before expiry
});

await client.UpdateKeyRotationPolicyAsync("my-rsa-key", policy);

Référence des types de clés

Type Objectif
KeyClient Opérations de gestion des clés
CryptographyClient Opérations cryptographiques
KeyResolver Résoudre l'ID de clé vers CryptographyClient
KeyVaultKey Clé avec matériel cryptographique
KeyProperties Métadonnées de clé (sans matériel cryptographique)
CreateRsaKeyOptions Options de création de clé RSA
CreateEcKeyOptions Options de création de clé EC
CreateOctKeyOptions Options de clé symétrique
EncryptResult Résultat du chiffrement
DecryptResult Résultat du déchiffrement
SignResult Résultat de la signature
VerifyResult Résultat de la vérification
WrapResult Résultat de l'enveloppe de clé
UnwrapResult Résultat du déroulement de clé

Référence des algorithmes

Algorithmes de chiffrement

Algorithme Type de clé Description
RsaOaep RSA RSA-OAEP
RsaOaep256 RSA RSA-OAEP-256
Rsa15 RSA RSA 1.5 (legacy)
A128Gcm Oct AES-128-GCM
A256Gcm Oct AES-256-GCM

Algorithmes de signature

Algorithme Type de clé Description
RS256 RSA RSASSA-PKCS1-v1_5 SHA-256
RS384 RSA RSASSA-PKCS1-v1_5 SHA-384
RS512 RSA RSASSA-PKCS1-v1_5 SHA-512
PS256 RSA RSASSA-PSS SHA-256
ES256 EC ECDSA P-256 SHA-256
ES384 EC ECDSA P-384 SHA-384
ES512 EC ECDSA P-521 SHA-512

Algorithmes d'enveloppe de clé

Algorithme Type de clé Description
RsaOaep RSA RSA-OAEP
RsaOaep256 RSA RSA-OAEP-256
A128KW Oct AES-128 Key Wrap
A256KW Oct AES-256 Key Wrap

Bonnes pratiques

  1. Utiliser Managed Identity — Préférer DefaultAzureCredential aux secrets
  2. Activer soft-delete — Se protéger contre les suppressions accidentelles
  3. Utiliser des clés protégées par HSM — Définir HardwareProtected = true pour les clés sensibles
  4. Implémenter la rotation des clés — Utiliser les politiques de rotation automatique
  5. Limiter les opérations de clé — Activer uniquement les KeyOperations nécessaires
  6. Définir les dates d'expiration — Toujours définir ExpiresOn pour les clés
  7. Utiliser des versions spécifiques — Épingler les versions en production
  8. Mettre en cache CryptographyClient — Réutiliser pour plusieurs opérations

Gestion des erreurs

using Azure;

try
{
    KeyVaultKey key = await client.GetKeyAsync("my-key");
}
catch (RequestFailedException ex) when (ex.Status == 404)
{
    Console.WriteLine("Key not found");
}
catch (RequestFailedException ex) when (ex.Status == 403)
{
    Console.WriteLine("Access denied - check RBAC permissions");
}
catch (RequestFailedException ex)
{
    Console.WriteLine($"Key Vault error: {ex.Status} - {ex.Message}");
}

Rôles RBAC requis

Rôle Permissions
Key Vault Crypto Officer Gestion complète des clés
Key Vault Crypto User Utiliser les clés pour les opérations cryptographiques
Key Vault Reader Lire les métadonnées de clé

SDKs connexes

SDK Objectif Installation
Azure.Security.KeyVault.Keys Clés (ce SDK) dotnet add package Azure.Security.KeyVault.Keys
Azure.Security.KeyVault.Secrets Secrets dotnet add package Azure.Security.KeyVault.Secrets
Azure.Security.KeyVault.Certificates Certificats dotnet add package Azure.Security.KeyVault.Certificates
Azure.Identity Authentification dotnet add package Azure.Identity

Liens de référence

Ressource URL
Package NuGet https://www.nuget.org/packages/Azure.Security.KeyVault.Keys
Référence API https://learn.microsoft.com/dotnet/api/azure.security.keyvault.keys
Démarrage rapide https://learn.microsoft.com/azure/key-vault/keys/quick-create-net
Source GitHub https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/keyvault/Azure.Security.KeyVault.Keys

Skills similaires

azure-keyvault-keys-rust
microsoft / skills

Gérer des clés cryptographiques Azure Key Vault en Rust avec chiffrement et HSM.

2 191
azure-keyvault-keys-ts
microsoft / skills

Gérer et utiliser des clés cryptographiques via Azure Key Vault en TypeScript.

2 191
azure-security-keyvault-keys-java
microsoft / skills

Gérer et utiliser des clés cryptographiques Azure Key Vault en Java.

2 191
azure-ai-agents-persistent-dotnet
microsoft / skills

Créer et gérer des agents IA persistants avec threads, messages et outils sur Azure.

2 191
wiki-architect
microsoft / skills

Générer un catalogue wiki structuré et des guides d'onboarding à partir d'un dépôt de code.

2 191