# Azure Key Vault Keys SDK for Rust

Client library for Azure Key Vault Keys — secure storage and management of cryptographic keys.
## Installation

```shell
cargo add azure_security_keyvault_keys azure_identity
```
## Environment Variables

```shell
AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net/
```
## Authentication

```rust
use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_keys::KeyClient;

// DeveloperToolsCredential reuses the local developer-tool login (see Best
// Practices below for the production alternative).
let credential = DeveloperToolsCredential::new(None)?;
let client = KeyClient::new(
    "https://<vault-name>.vault.azure.net/",
    credential.clone(),
    None,
)?;
```
## Key Types

| Type | Description |
|------|-------------|
| RSA | RSA keys (2048, 3072, 4096 bits) |
| EC | Elliptic curve keys (P-256, P-384, P-521) |
| RSA-HSM | HSM-protected RSA keys |
| EC-HSM | HSM-protected EC keys |
## Core Operations

### Get Key

```rust
// Fetch the key and deserialize the response into its model. Only the public
// part of the key (the JSON Web Key) is returned; private material stays in the vault.
let key = client
    .get_key("key-name", None)
    .await?
    .into_model()?;
println!("Key ID: {:?}", key.key.as_ref().map(|k| &k.kid));
```
### Create Key

```rust
use azure_security_keyvault_keys::models::{CreateKeyParameters, KeyType};

// A 2048-bit RSA key; the remaining parameters keep their defaults.
let params = CreateKeyParameters {
    kty: KeyType::Rsa,
    key_size: Some(2048),
    ..Default::default()
};
let key = client
    .create_key("key-name", params.try_into()?, None)
    .await?
    .into_model()?;
```
### Create EC Key

```rust
use azure_security_keyvault_keys::models::{CreateKeyParameters, CurveName, KeyType};

// An elliptic-curve key on P-256; EC keys take a curve instead of a key size.
let params = CreateKeyParameters {
    kty: KeyType::Ec,
    curve: Some(CurveName::P256),
    ..Default::default()
};
let key = client
    .create_key("ec-key", params.try_into()?, None)
    .await?
    .into_model()?;
```
### Delete Key

```rust
client.delete_key("key-name", None).await?;
```
### List Keys

```rust
use azure_security_keyvault_keys::ResourceExt;
use futures::TryStreamExt;

// list_key_properties returns a pager; iterate it as a stream and pull the
// key name out of each entry's resource identifier.
let mut pager = client.list_key_properties(None)?.into_stream();
while let Some(key) = pager.try_next().await? {
    let name = key.resource_id()?.name;
    println!("Key: {}", name);
}
```
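The `kid` printed under Get Key and the `resource_id()` used under List Keys both derive from key identifiers of the form `https://<vault-name>.vault.azure.net/keys/<key-name>/<version>`. The following is an added example, not code from the azure_security_keyvault_keys crate, that parses such an identifier with the standard library only and refuses anything that is not an https URL on a trusted vault host, which is the check worth running on a value taken from AZURE_KEYVAULT_URL before handing it to the client. The trusted host suffix is an assumption for the public cloud; sovereign clouds and Managed HSM use other suffixes.

```rust
/// Parsed form of a Key Vault key identifier such as
/// https://<vault-name>.vault.azure.net/keys/<key-name>/<version>
#[derive(Debug, PartialEq, Eq)]
pub struct KeyId {
    pub vault_url: String,       // "https://<vault-name>.vault.azure.net"
    pub name: String,            // <key-name>
    pub version: Option<String>, // <version>; None means "latest"
}

#[derive(Debug, PartialEq, Eq)]
pub enum KeyIdError {
    NotHttps,
    UntrustedHost(String),
    NotAKey,
    MissingName,
    TrailingSegments,
}

// Assumption: only public-cloud vault hosts are trusted. Sovereign clouds and
// Managed HSM use other suffixes and would have to be allowlisted explicitly.
const TRUSTED_SUFFIX: &str = ".vault.azure.net";

/// Parse and validate a key identifier. Rejects plain http, hosts outside
/// TRUSTED_SUFFIX, and vault labels that are not a single DNS label (so
/// "evil.example.vault.azure.net" is refused, as is a host that merely
/// starts with a vault name and ends in another domain).
pub fn parse_key_id(kid: &str) -> Result<KeyId, KeyIdError> {
    let rest = kid.strip_prefix("https://").ok_or(KeyIdError::NotHttps)?;
    let (host, path) = rest.split_at(rest.find('/').unwrap_or(rest.len()));
    let host = host.to_ascii_lowercase();
    let label = host
        .strip_suffix(TRUSTED_SUFFIX)
        .filter(|l| !l.is_empty() && l.chars().all(|c| c.is_ascii_alphanumeric() || c == '-'))
        .ok_or_else(|| KeyIdError::UntrustedHost(host.clone()))?;
    // Ignore any query string or fragment before looking at the path segments.
    let path = path.split(|c: char| c == '?' || c == '#').next().unwrap_or("");
    let mut segs = path.split('/').filter(|s| !s.is_empty());
    if segs.next() != Some("keys") {
        return Err(KeyIdError::NotAKey); // e.g. a /secrets/ or /certificates/ id
    }
    let name = segs.next().ok_or(KeyIdError::MissingName)?.to_string();
    let version = segs.next().map(str::to_string);
    if segs.next().is_some() {
        return Err(KeyIdError::TrailingSegments);
    }
    Ok(KeyId { vault_url: format!("https://{}{}", label, TRUSTED_SUFFIX), name, version })
}
```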
### Backup Key

```rust
// As with the other calls, convert the response into its model to reach the
// backup blob in `backup.value`.
let backup = client
    .backup_key("key-name", None)
    .await?
    .into_model()?;
// Store backup.value safely
```
### Restore Key

```rust
use azure_security_keyvault_keys::models::RestoreKeyParameters;

// `backup_bytes` is the `value` saved from an earlier backup_key call.
let params = RestoreKeyParameters {
    key_bundle_backup: backup_bytes,
};
client.restore_key(params.try_into()?, None).await?;
```
## Cryptographic Operations

Key Vault can perform crypto operations without exposing the private key:

```rust
// For cryptographic operations, use the key's operations
// Available operations depend on key type and permissions:
// - encrypt/decrypt (RSA)
// - sign/verify (RSA, EC)
// - wrapKey/unwrapKey (RSA)
```
## Best Practices

- Use Entra ID auth — DeveloperToolsCredential for dev, ManagedIdentityCredential for production
- Use HSM keys for sensitive workloads — hardware-protected keys
- Use EC for signing — more efficient than RSA
- Use RSA for encryption — when encrypting data
- Backup keys — for disaster recovery
- Enable soft delete — required for production vaults
- Use key rotation — create new versions periodically
## RBAC Permissions

Assign these Key Vault roles:

- Key Vault Crypto User — use keys for crypto operations
- Key Vault Crypto Officer — full CRUD on keys
## Reference Links

| Resource | Link |
|----------|------|
| API Reference | https://docs.rs/azure_security_keyvault_keys |
| Source Code | https://github.com/Azure/azure-sdk-for-rust/tree/main/sdk/keyvault/azure_security_keyvault_keys |
| crates.io | https://crates.io/crates/azure_security_keyvault_keys |