Azure Key Vault Keys (Java) Manage cryptographic keys and perform cryptographic operations in Azure Key Vault and Managed HSM. Installation < dependency

< groupId

com.azure </ groupId

< artifactId

azure-security-keyvault-keys </ artifactId

< version

4.9.0 </ version

</ dependency

Client Creation import com . azure . security . keyvault . keys . KeyClient ; import com . azure . security . keyvault . keys . KeyClientBuilder ; import com . azure . security . keyvault . keys . cryptography . CryptographyClient ; import com . azure . security . keyvault . keys . cryptography . CryptographyClientBuilder ; import com . azure . identity . DefaultAzureCredentialBuilder ; // Key management client KeyClient keyClient = new KeyClientBuilder ( ) . vaultUrl ( "https://.vault.azure.net" ) . credential ( new DefaultAzureCredentialBuilder ( ) . build ( ) ) . buildClient ( ) ; // Async client KeyAsyncClient keyAsyncClient = new KeyClientBuilder ( ) . vaultUrl ( "https://.vault.azure.net" ) . credential ( new DefaultAzureCredentialBuilder ( ) . build ( ) ) . buildAsyncClient ( ) ; // Cryptography client (for encrypt/decrypt/sign/verify) CryptographyClient cryptoClient = new CryptographyClientBuilder ( ) . keyIdentifier ( "https://.vault.azure.net/keys//" ) . credential ( new DefaultAzureCredentialBuilder ( ) . build ( ) ) . buildClient ( ) ; Key Types Type Description RSA RSA key (2048, 3072, 4096 bits) RSA_HSM RSA key in HSM EC Elliptic Curve key EC_HSM Elliptic Curve key in HSM OCT Symmetric key (Managed HSM only) OCT_HSM Symmetric key in HSM Create Keys Create RSA Key import com . azure . security . keyvault . keys . models . * ; // Simple RSA key KeyVaultKey rsaKey = keyClient . createRsaKey ( new CreateRsaKeyOptions ( "my-rsa-key" ) . setKeySize ( 2048 ) ) ; System . out . println ( "Key name: " + rsaKey . getName ( ) ) ; System . out . println ( "Key ID: " + rsaKey . getId ( ) ) ; System . out . println ( "Key type: " + rsaKey . getKeyType ( ) ) ; // RSA key with options KeyVaultKey rsaKeyWithOptions = keyClient . createRsaKey ( new CreateRsaKeyOptions ( "my-rsa-key-2" ) . setKeySize ( 4096 ) . setExpiresOn ( OffsetDateTime . now ( ) . plusYears ( 1 ) ) . setNotBefore ( OffsetDateTime . now ( ) ) . setEnabled ( true ) . setKeyOperations ( KeyOperation . ENCRYPT , KeyOperation . DECRYPT , KeyOperation . WRAP_KEY , KeyOperation . UNWRAP_KEY ) . setTags ( Map . of ( "environment" , "production" ) ) ) ; // HSM-backed RSA key KeyVaultKey hsmKey = keyClient . createRsaKey ( new CreateRsaKeyOptions ( "my-hsm-key" ) . setKeySize ( 2048 ) . setHardwareProtected ( true ) ) ; Create EC Key // EC key with P-256 curve KeyVaultKey ecKey = keyClient . createEcKey ( new CreateEcKeyOptions ( "my-ec-key" ) . setCurveName ( KeyCurveName . P_256 ) ) ; // EC key with other curves KeyVaultKey ecKey384 = keyClient . createEcKey ( new CreateEcKeyOptions ( "my-ec-key-384" ) . setCurveName ( KeyCurveName . P_384 ) ) ; KeyVaultKey ecKey521 = keyClient . createEcKey ( new CreateEcKeyOptions ( "my-ec-key-521" ) . setCurveName ( KeyCurveName . P_521 ) ) ; // HSM-backed EC key KeyVaultKey ecHsmKey = keyClient . createEcKey ( new CreateEcKeyOptions ( "my-ec-hsm-key" ) . setCurveName ( KeyCurveName . P_256 ) . setHardwareProtected ( true ) ) ; Create Symmetric Key (Managed HSM only) KeyVaultKey octKey = keyClient . createOctKey ( new CreateOctKeyOptions ( "my-symmetric-key" ) . setKeySize ( 256 ) . setHardwareProtected ( true ) ) ; Get Key // Get latest version KeyVaultKey key = keyClient . getKey ( "my-key" ) ; // Get specific version KeyVaultKey keyVersion = keyClient . getKey ( "my-key" , "" ) ; // Get only key properties (no key material) KeyProperties keyProps = keyClient . getKey ( "my-key" ) . getProperties ( ) ; Update Key Properties KeyVaultKey key = keyClient . getKey ( "my-key" ) ; // Update properties key . getProperties ( ) . setEnabled ( false ) . setExpiresOn ( OffsetDateTime . now ( ) . plusMonths ( 6 ) ) . setTags ( Map . of ( "status" , "archived" ) ) ; KeyVaultKey updatedKey = keyClient . updateKeyProperties ( key . getProperties ( ) , KeyOperation . ENCRYPT , KeyOperation . DECRYPT ) ; List Keys import com . azure . core . util . paging . PagedIterable ; // List all keys for ( KeyProperties keyProps : keyClient . listPropertiesOfKeys ( ) ) { System . out . println ( "Key: " + keyProps . getName ( ) ) ; System . out . println ( " Enabled: " + keyProps . isEnabled ( ) ) ; System . out . println ( " Created: " + keyProps . getCreatedOn ( ) ) ; } // List key versions for ( KeyProperties version : keyClient . listPropertiesOfKeyVersions ( "my-key" ) ) { System . out . println ( "Version: " + version . getVersion ( ) ) ; System . out . println ( "Created: " + version . getCreatedOn ( ) ) ; } Delete Key import com . azure . core . util . polling . SyncPoller ; // Begin delete (soft-delete enabled vaults) SyncPoller < DeletedKey , Void

deletePoller

keyClient . beginDeleteKey ( "my-key" ) ; // Wait for deletion DeletedKey deletedKey = deletePoller . poll ( ) . getValue ( ) ; System . out . println ( "Deleted: " + deletedKey . getDeletedOn ( ) ) ; deletePoller . waitForCompletion ( ) ; // Purge deleted key (permanent deletion) keyClient . purgeDeletedKey ( "my-key" ) ; // Recover deleted key SyncPoller < KeyVaultKey , Void

recoverPoller

keyClient . beginRecoverDeletedKey ( "my-key" ) ; recoverPoller . waitForCompletion ( ) ; Cryptographic Operations Encrypt/Decrypt import com . azure . security . keyvault . keys . cryptography . models . * ; CryptographyClient cryptoClient = new CryptographyClientBuilder ( ) . keyIdentifier ( "https://.vault.azure.net/keys/" ) . credential ( new DefaultAzureCredentialBuilder ( ) . build ( ) ) . buildClient ( ) ; byte [ ] plaintext = "Hello, World!" . getBytes ( StandardCharsets . UTF_8 ) ; // Encrypt EncryptResult encryptResult = cryptoClient . encrypt ( EncryptionAlgorithm . RSA_OAEP , plaintext ) ; byte [ ] ciphertext = encryptResult . getCipherText ( ) ; System . out . println ( "Ciphertext length: " + ciphertext . length ) ; // Decrypt DecryptResult decryptResult = cryptoClient . decrypt ( EncryptionAlgorithm . RSA_OAEP , ciphertext ) ; String decrypted = new String ( decryptResult . getPlainText ( ) , StandardCharsets . UTF_8 ) ; System . out . println ( "Decrypted: " + decrypted ) ; Sign/Verify import java . security . MessageDigest ; // Create digest of data byte [ ] data = "Data to sign" . getBytes ( StandardCharsets . UTF_8 ) ; MessageDigest md = MessageDigest . getInstance ( "SHA-256" ) ; byte [ ] digest = md . digest ( data ) ; // Sign SignResult signResult = cryptoClient . sign ( SignatureAlgorithm . RS256 , digest ) ; byte [ ] signature = signResult . getSignature ( ) ; // Verify VerifyResult verifyResult = cryptoClient . verify ( SignatureAlgorithm . RS256 , digest , signature ) ; System . out . println ( "Valid signature: " + verifyResult . isValid ( ) ) ; Wrap/Unwrap Key // Key to wrap (e.g., AES key) byte [ ] keyToWrap = new byte [ 32 ] ; // 256-bit key new SecureRandom ( ) . nextBytes ( keyToWrap ) ; // Wrap WrapResult wrapResult = cryptoClient . wrapKey ( KeyWrapAlgorithm . RSA_OAEP , keyToWrap ) ; byte [ ] wrappedKey = wrapResult . getEncryptedKey ( ) ; // Unwrap UnwrapResult unwrapResult = cryptoClient . unwrapKey ( KeyWrapAlgorithm . RSA_OAEP , wrappedKey ) ; byte [ ] unwrappedKey = unwrapResult . getKey ( ) ; Backup and Restore // Backup byte [ ] backup = keyClient . backupKey ( "my-key" ) ; // Save backup to file Files . write ( Paths . get ( "key-backup.blob" ) , backup ) ; // Restore byte [ ] backupData = Files . readAllBytes ( Paths . get ( "key-backup.blob" ) ) ; KeyVaultKey restoredKey = keyClient . restoreKeyBackup ( backupData ) ; Key Rotation // Rotate to new version KeyVaultKey rotatedKey = keyClient . rotateKey ( "my-key" ) ; System . out . println ( "New version: " + rotatedKey . getProperties ( ) . getVersion ( ) ) ; // Set rotation policy KeyRotationPolicy policy = new KeyRotationPolicy ( ) . setExpiresIn ( "P90D" ) // Expire after 90 days . setLifetimeActions ( Arrays . asList ( new KeyRotationLifetimeAction ( KeyRotationPolicyAction . ROTATE ) . setTimeBeforeExpiry ( "P30D" ) ) ) ; // Rotate 30 days before expiry keyClient . updateKeyRotationPolicy ( "my-key" , policy ) ; // Get rotation policy KeyRotationPolicy currentPolicy = keyClient . getKeyRotationPolicy ( "my-key" ) ; Import Key import com . azure . security . keyvault . keys . models . ImportKeyOptions ; import com . azure . security . keyvault . keys . models . JsonWebKey ; // Import existing key material JsonWebKey jsonWebKey = new JsonWebKey ( ) . setKeyType ( KeyType . RSA ) . setN ( modulus ) . setE ( exponent ) . setD ( privateExponent ) // ... other RSA components ; ImportKeyOptions importOptions = new ImportKeyOptions ( "imported-key" , jsonWebKey ) . setHardwareProtected ( false ) ; KeyVaultKey importedKey = keyClient . importKey ( importOptions ) ; Encryption Algorithms Algorithm Key Type Description RSA1_5 RSA RSAES-PKCS1-v1_5 RSA_OAEP RSA RSAES with OAEP (recommended) RSA_OAEP_256 RSA RSAES with OAEP using SHA-256 A128GCM OCT AES-GCM 128-bit A256GCM OCT AES-GCM 256-bit A128CBC OCT AES-CBC 128-bit A256CBC OCT AES-CBC 256-bit Signature Algorithms Algorithm Key Type Hash RS256 RSA SHA-256 RS384 RSA SHA-384 RS512 RSA SHA-512 PS256 RSA SHA-256 (PSS) ES256 EC P-256 SHA-256 ES384 EC P-384 SHA-384 ES512 EC P-521 SHA-512 Error Handling import com . azure . core . exception . HttpResponseException ; import com . azure . core . exception . ResourceNotFoundException ; try { KeyVaultKey key = keyClient . getKey ( "non-existent-key" ) ; } catch ( ResourceNotFoundException e ) { System . out . println ( "Key not found: " + e . getMessage ( ) ) ; } catch ( HttpResponseException e ) { System . out . println ( "HTTP error " + e . getResponse ( ) . getStatusCode ( ) ) ; System . out . println ( "Message: " + e . getMessage ( ) ) ; } Environment Variables AZURE_KEYVAULT_URL = https:// < vault-name

.vault.azure.net Best Practices Use HSM Keys for Production - Set setHardwareProtected(true) for sensitive keys Enable Soft Delete - Protects against accidental deletion Key Rotation - Set up automatic rotation policies Least Privilege - Use separate keys for different operations Local Crypto When Possible - Use CryptographyClient with local key material to reduce round-trips Trigger Phrases "Key Vault keys Java", "cryptographic keys Java" "encrypt decrypt Java", "sign verify Java" "RSA key", "EC key", "HSM key" "key rotation", "wrap unwrap key" When to Use This skill is applicable to execute the workflow or actions described in the overview.