Key types, algorithms, and operations - Azure Key Vault (2024)

Table of Contents
In this article EC algorithms Curve Types SIGN/VERIFY RSA algorithms WRAPKEY/UNWRAPKEY, ENCRYPT/DECRYPT SIGN/VERIFY Symmetric key algorithms (Managed HSM only) Key operations Key rotation policy operations Key attributes Date-time controlled operations Key access control Next steps
  • Article

Key Vault supports two resource types: vaults and managed HSMs. Both resources types support various encryption keys. To see a summary of supported key types, protection types by each resource type, see About keys.

Following table shows a summary of key types and supported algorithms.

Key types/sizes/curvesEncrypt/Decrypt
(Wrap/Unwrap)		Sign/Verify
EC-P256, EC-P256K, EC-P384, EC-P521NAES256
ES256K
ES384
ES512
RSA 2K, 3K, 4KRSA1_5
RSA-OAEP
RSA-OAEP-256		PS256
PS384
PS512
RS256
RS384
RS512
RSNULL
AES 128-bit, 256-bit
(Managed HSM only)		AES-KW
AES-GCM
AES-CBC		NA

EC algorithms

The following algorithm identifiers are supported with EC-HSM keys

Curve Types

SIGN/VERIFY

  • ES256 - ECDSA for SHA-256 digests and keys created with curve P-256. This algorithm is described at RFC7518.
  • ES256K - ECDSA for SHA-256 digests and keys created with curve P-256K. This algorithm is pending standardization.
  • ES384 - ECDSA for SHA-384 digests and keys created with curve P-384. This algorithm is described at RFC7518.
  • ES512 - ECDSA for SHA-512 digests and keys created with curve P-521. This algorithm is described at RFC7518.

RSA algorithms

The following algorithm identifiers are supported with RSA and RSA-HSM keys

WRAPKEY/UNWRAPKEY, ENCRYPT/DECRYPT

  • RSA1_5 - RSAES-PKCS1-V1_5 [RFC3447] key encryption
  • RSA-OAEP - RSAES using Optimal Asymmetric Encryption Padding (OAEP) [RFC3447], with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1.
  • RSA-OAEP-256 – RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256

SIGN/VERIFY

  • PS256 - RSASSA-PSS using SHA-256 and MGF1 with SHA-256, as described in RFC7518.
  • PS384 - RSASSA-PSS using SHA-384 and MGF1 with SHA-384, as described in RFC7518.
  • PS512 - RSASSA-PSS using SHA-512 and MGF1 with SHA-512, as described in RFC7518.
  • RS256 - RSASSA-PKCS-v1_5 using SHA-256. The application supplied digest value must be computed using SHA-256 and must be 32 bytes in length.
  • RS384 - RSASSA-PKCS-v1_5 using SHA-384. The application supplied digest value must be computed using SHA-384 and must be 48 bytes in length.
  • RS512 - RSASSA-PKCS-v1_5 using SHA-512. The application supplied digest value must be computed using SHA-512 and must be 64 bytes in length.
  • RSNULL - See RFC2437, a specialized use-case to enable certain TLS scenarios.

Note

RSA-PSS padding mode is recommended for better performance. The DigestInfo is constructed on the server side for Sign operations that algorithms RS256, RS384 and RS512 generate.

See Also
About Azure Key Vault certificatesHi, I want my client ID and client secret key - Microsoft Q&AUse Azure Key Vault secrets in Azure Pipelines - Azure PipelinesERROR: The user, group or application does not have secrets get permission on key vault - Microsoft Q&A

Symmetric key algorithms (Managed HSM only)

Note

Sign and verify operations algorithms must match the key type, otherwise service will return key size is incorrect error.

Key operations

Key Vault, including Managed HSM, supports the following operations on key objects:

  • Create: Allows a client to create a key in Key Vault. The value of the key is generated by Key Vault and stored, and isn't released to the client. Asymmetric keys may be created in Key Vault.
  • Import: Allows a client to import an existing key to Key Vault. Asymmetric keys may be imported to Key Vault using several different packaging methods within a JWK construct.
  • Update: Allows a client with sufficient permissions to modify the metadata (key attributes) associated with a key previously stored within Key Vault.
  • Delete: Allows a client with sufficient permissions to delete a key from Key Vault.
  • List: Allows a client to list all keys in a given Key Vault.
  • List versions: Allows a client to list all versions of a given key in a given Key Vault.
  • Get: Allows a client to retrieve the public parts of a given key in a Key Vault.
  • Backup: Exports a key in a protected form.
  • Restore: Imports a previously backed up key.
  • Release: It securely releases a key to authorized code running within a confidential compute environment. It requires an attestation that the Trusted Execution Environment (TEE) meets the requirements of the key’s release_policy.
  • Rotate: Rotate an existing key by generating new version of the key (Key Vault only).

For more information, see Key operations in the Key Vault REST API reference.

Once a key has been created in Key Vault, the following cryptographic operations may be performed using the key:

  • Sign and Verify: Strictly, this operation is "sign hash" or "verify hash", as Key Vault doesn't support hashing of content as part of signature creation. Applications should hash the data to be signed locally, then request that Key Vault sign the hash.Verification of signed hashes is supported as a convenience operation for applications that may not have access to [public] key material. For best application performance, VERIFY operations should be performed locally.
  • Key Encryption / Wrapping: A key stored in Key Vault may be used to protect another key, typically a symmetric content encryption key (CEK). When the key in Key Vault is asymmetric, key encryption is used. For example, RSA-OAEP and the WRAPKEY/UNWRAPKEY operations are equivalent to ENCRYPT/DECRYPT. When the key in Key Vault is symmetric, key wrapping is used. For example, AES-KW. The WRAPKEY operation is supported as a convenience for applications that may not have access to [public] key material. For best application performance, WRAPKEY operations should be performed locally.
  • Encrypt and Decrypt: A key stored in Key Vault may be used to encrypt or decrypt a single block of data. The size of the block is determined by the key type and selected encryption algorithm. The Encrypt operation is provided for convenience, for applications that may not have access to [public] key material. For best application performance, ENCRYPT operations should be performed locally.

While WRAPKEY/UNWRAPKEY using asymmetric keys may seem superfluous (as the operation is equivalent to ENCRYPT/DECRYPT), the use of distinct operations is important. The distinction provides semantic and authorization separation of these operations, and consistency when other key types are supported by the service.

Key Vault doesn't support EXPORT operations. Once a key is provisioned in the system, it cannot be extracted or its key material modified. However, users of Key Vault may require their key for other use cases, such as after it has been deleted. In this case, they may use the BACKUP and RESTORE operations to export/import the key in a protected form. Keys created by the BACKUP operation are not usable outside Key Vault. Alternatively, the IMPORT operation may be used against multiple Key Vault instances.

Users may restrict any of the cryptographic operations that Key Vault supports on a per-key basis using the key_ops property of the JWK object.

See Also
Check for Azure Key Vault Secrets Expiration Date

For more information on JWK objects, see JSON Web Key (JWK).

Key rotation policy operations

Key vault key auto-rotation can be set by configuring key auto-rotation policy. It is only available on Key Vault resource.

  • Get Rotation Policy: Retrieve rotation policy configuration.
  • Set Rotation Policy: Set rotation policy configuration.

Key attributes

In addition to the key material, the following attributes may be specified. In a JSON Request, the attributes keyword and braces, '{' '}', are required even if there are no attributes specified.

  • enabled: boolean, optional, default is true. Specifies whether the key is enabled and useable for cryptographic operations. The enabled attribute is used with nbf and exp. When an operation occurs between nbf and exp, it will only be permitted if enabled is set to true. Operations outside the nbf / exp window are automatically disallowed, except for decrypt, release, unwrap, and verify.
  • nbf: IntDate, optional, default is now. The nbf (not before) attribute identifies the time before which the key MUST NOT be used for cryptographic operations, except for decrypt, release, unwrap, and verify. The processing of the nbf attribute requires that the current date/time MUST be after or equal to the not-before date/time listed in the nbf attribute. Key Vault MAY provide for some small leeway, normally no more than a few minutes, to account for clock skew. Its value MUST be a number containing an IntDate value.
  • exp: IntDate, optional, default is "forever". The exp (expiration time) attribute identifies the expiration time on or after which the key MUST NOT be used for cryptographic operation, except for decrypt, release, unwrap, and verify. The processing of the exp attribute requires that the current date/time MUST be before the expiration date/time listed in the exp attribute. Key Vault MAY provide for some small leeway, typically no more than a few minutes, to account for clock skew. Its value MUST be a number containing an IntDate value.

There are more read-only attributes that are included in any response that includes key attributes:

  • created: IntDate, optional. The created attribute indicates when this version of the key was created. The value is null for keys created prior to the addition of this attribute. Its value MUST be a number containing an IntDate value.
  • updated: IntDate, optional. The updated attribute indicates when this version of the key was updated. The value is null for keys that were last updated prior to the addition of this attribute. Its value MUST be a number containing an IntDate value.
  • hsmPlatform: string, optional. The underlying HSM Platform that is protecting a key.
    • A hsmPlatform value of 2 means the key is protected by our latest FIPS 140 Level 3 validated HSM platform.
    • A hsmPlatform value of 1 means the key is protected by our previous FIPS 140 Level 2 validated HSM platform.
    • A hsmPlatform value of 0 means the key is protected by a FIPS 140 Level 1 HSM software cryptographic module.
    • if this is not set by a Managed HSM pool, it is protected by our latest FIPS 140 Level 3 validated HSM platform.

It’s important to note that keys are bound to the HSM in which they were created. New keys are seamlessly created and stored in the new HSMs. While there is no way to migrate or transfer keys, new key versions are automatically in the new HSMs. For more information on how to migrate to a new key, see How to migrate key workloads.

For more information on IntDate and other data types, see [About keys, secrets, and certificates: Data types.

Date-time controlled operations

Not-yet-valid and expired keys, outside the nbf / exp window, will work for decrypt, release, unwrap, and verify operations (won't return 403, Forbidden). The rationale for using the not-yet-valid state is to allow a key to be tested before production use. The rationale for using the expired state is to allow recovery operations on data that was created when the key was valid. Also, you can disable access to a key using Key Vault policies, or by updating the enabled key attribute to false.

For more information on data types, see Data types.

For more information on other possible attributes, see the JSON Web Key (JWK).

You can specify more application-specific metadata in the form of tags. Key Vault supports up to 15 tags, each of which can have a 256 character name and a 256 character value.

Note

Tags are readable by a caller if they have the list or get permission to that key.

Key access control

Access control for keys managed by Key Vault is provided at the level of a Key Vault that acts as the container of keys. You can control access to keys using Key Vault role-based access control (recommended) or old vault access policy permission model. Role-based permission model has three predefined roles to manage keys: 'Key Vault Crypto Officer', 'Key Vault Crypto User', 'Key Vault Service Encryption User' and can be scoped to subscription, resource group or vault level.

Vault access policy permission model permissions:

  • Permissions for key management operations

    • get: Read the public part of a key, plus its attributes
    • list: List the keys or versions of a key stored in a key vault
    • update: Update the attributes for a key
    • create: Create new keys
    • import: Import a key to a key vault
    • delete: Delete the key object
    • recover: Recover a deleted key
    • backup: Back up a key in a key vault
    • restore: Restore a backed up key to a key vault

  • Permissions for cryptographic operations

    • decrypt: Use the key to unprotect a sequence of bytes
    • encrypt: Use the key to protect an arbitrary sequence of bytes
    • unwrapKey: Use the key to unprotect wrapped symmetric keys
    • wrapKey: Use the key to protect a symmetric key
    • verify: Use the key to verify digests
    • sign: Use the key to sign digests

  • Permissions for privileged operations

    • purge: Purge (permanently delete) a deleted key
    • release: Release a key to a confidential compute environment, which matches the release_policy of the key

  • Permissions for rotation policy operations

    • rotate: Rotate an existing key by generating new version of the key (Key Vault only)
    • get rotation policy: Retrieve rotation policy configuration
    • set rotation policy: Set rotation policy configuration

For more information on working with keys, see Key operations in the Key Vault REST API reference.

Next steps

  • About Key Vault
  • About Managed HSM
  • About secrets
  • About certificates
  • Key Vault REST API overview
  • Authentication, requests, and responses
  • Key Vault Developer's Guide
Key types, algorithms, and operations - Azure Key Vault (2024)
Top Articles
International Money Transfer | Send Money Abroad with Wise (ex-TransferWise)
What Is Log Monitoring? A Detailed Guide (Updated) | Middleware
Devotion Showtimes Near Xscape Theatres Blankenbaker 16
NOAA: National Oceanic & Atmospheric Administration hiring NOAA Commissioned Officer: Inter-Service Transfer in Spokane Valley, WA | LinkedIn
Gore Videos Uncensored
Klustron 9
How To Get Free Credits On Smartjailmail
Here's how eating according to your blood type could help you keep healthy
Celsius Energy Drink Wo Kaufen
Student Rating Of Teaching Umn
A.e.a.o.n.m.s
The Rise of Breckie Hill: How She Became a Social Media Star | Entertainment
Used Wood Cook Stoves For Sale Craigslist
Charmeck Arrest Inquiry
Fredericksburg Free Lance Star Obituaries
I Touch and Day Spa II
Who called you from +19192464227 (9192464227): 5 reviews
Weather Rotterdam - Detailed bulletin - Free 15-day Marine forecasts - METEO CONSULT MARINE
The Menu Showtimes Near Regal Edwards Ontario Mountain Village
3476405416
Ruben van Bommel: diepgang en doelgerichtheid als wapens, maar (nog) te weinig rendement
Yard Goats Score
Myhr North Memorial
Busted News Bowie County
Drying Cloths At A Hammam Crossword Clue
Craigslist Rome Ny
Black Panther 2 Showtimes Near Epic Theatres Of Palm Coast
Effingham Daily News Police Report
How rich were the McCallisters in 'Home Alone'? Family's income unveiled
Perry Inhofe Mansion
Mrstryst
Mbi Auto Discount Code
Where Do They Sell Menudo Near Me
Vitals, jeden Tag besser | Vitals Nahrungsergänzungsmittel
Giantess Feet Deviantart
Linabelfiore Of
Afspraak inzien
Wsbtv Fish And Game Report
Improving curriculum alignment and achieving learning goals by making the curriculum visible | Semantic Scholar
Aita For Announcing My Pregnancy At My Sil Wedding
814-747-6702
Nimbleaf Evolution
The Cutest Photos of Enrique Iglesias and Anna Kournikova with Their Three Kids
Keci News
Naomi Soraya Zelda
Slug Menace Rs3
Elvis Costello announces King Of America & Other Realms
Lux Funeral New Braunfels
Kidcheck Login
Mike De Beer Twitter
Convert Celsius to Kelvin
How to Choose Where to Study Abroad
Latest Posts
Dry January: How Much Money Do You Actually Save?
11 Healthy Foods That Can Help You To Gain Weight - PharmEasy Blog
Article information

Author: Annamae Dooley

Last Updated:

Views: 6118

Rating: 4.4 / 5 (45 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Annamae Dooley

Birthday: 2001-07-26

Address: 9687 Tambra Meadow, Bradleyhaven, TN 53219

Phone: +9316045904039

Job: Future Coordinator

Hobby: Archery, Couponing, Poi, Kite flying, Knitting, Rappelling, Baseball

Introduction: My name is Annamae Dooley, I am a witty, quaint, lovely, clever, rich, sparkling, powerful person who loves writing and wants to share my knowledge and understanding with you.