[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-186d4f3e-4adc-42fd-a6b8-b4c2475a99c5":3,"$fe3_xxkWJ5816z7FMlZg6Fjvpnq4Y-LqUJX8rqNwmSvA":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"186d4f3e-4adc-42fd-a6b8-b4c2475a99c5","azure-security-keyvault-keys-dotnet","Azure Key Vault Keys SDK for .NET. Client library for managing cryptographic keys in Azure Key Vault and Managed HSM. Used for key creation, rotation, encryption, decryption, signing, and verification.","cat_coding_devops","mod_coding","sickn33,coding","---\nname: azure-security-keyvault-keys-dotnet\ndescription: Azure Key Vault Keys SDK for .NET. Client library for managing cryptographic keys in Azure Key Vault and Managed HSM. Use for key creation, rotation, encryption, decryption, signing, and verification.\nrisk: unknown\nsource: community\ndate_added: '2026-02-27'\n---\n\n# Azure.Security.KeyVault.Keys (.NET)\n\nClient library for managing cryptographic keys in Azure Key Vault and Managed HSM.\n\n## Installation\n\n```bash\ndotnet add package Azure.Security.KeyVault.Keys\ndotnet add package Azure.Identity\n```\n\n**Current Version**: 4.7.0 (stable)\n\n## Environment Variables\n\n```bash\nKEY_VAULT_NAME=\u003Cyour-key-vault-name>\n# Or full URI\nAZURE_KEYVAULT_URL=https:\u002F\u002F\u003Cvault-name>.vault.azure.net\n```\n\n## Client Hierarchy\n\n```\nKeyClient (key management)\n├── CreateKey \u002F CreateRsaKey \u002F CreateEcKey\n├── GetKey \u002F GetKeys\n├── UpdateKeyProperties\n├── DeleteKey \u002F PurgeDeletedKey\n├── BackupKey \u002F RestoreKey\n└── GetCryptographyClient() → CryptographyClient\n\nCryptographyClient (cryptographic operations)\n├── Encrypt \u002F Decrypt\n├── WrapKey \u002F UnwrapKey\n├── Sign \u002F Verify\n└── SignData \u002F VerifyData\n\nKeyResolver (key resolution)\n└── Resolve(keyId) → CryptographyClient\n```\n\n## Authentication\n\n### 
DefaultAzureCredential (Recommended)\n\n```csharp\nusing Azure.Identity;\nusing Azure.Security.KeyVault.Keys;\n\nvar keyVaultName = Environment.GetEnvironmentVariable(\"KEY_VAULT_NAME\");\nvar kvUri = $\"https:\u002F\u002F{keyVaultName}.vault.azure.net\";\n\nvar client = new KeyClient(new Uri(kvUri), new DefaultAzureCredential());\n```\n\n### Service Principal\n\n```csharp\nvar credential = new ClientSecretCredential(\n    tenantId: \"\u003Ctenant-id>\",\n    clientId: \"\u003Cclient-id>\",\n    clientSecret: \"\u003Cclient-secret>\");\n\nvar client = new KeyClient(new Uri(kvUri), credential);\n```\n\n## Key Management\n\n### Create Keys\n\n```csharp\n\u002F\u002F Create RSA key\nKeyVaultKey rsaKey = await client.CreateKeyAsync(\"my-rsa-key\", KeyType.Rsa);\nConsole.WriteLine($\"Created key: {rsaKey.Name}, Type: {rsaKey.KeyType}\");\n\n\u002F\u002F Create RSA key with options\nvar rsaOptions = new CreateRsaKeyOptions(\"my-rsa-key-2048\")\n{\n    KeySize = 2048,\n    HardwareProtected = false, \u002F\u002F true for HSM-backed\n    ExpiresOn = DateTimeOffset.UtcNow.AddYears(1),\n    NotBefore = DateTimeOffset.UtcNow,\n    Enabled = true\n};\nrsaOptions.KeyOperations.Add(KeyOperation.Encrypt);\nrsaOptions.KeyOperations.Add(KeyOperation.Decrypt);\n\nKeyVaultKey rsaKey2 = await client.CreateRsaKeyAsync(rsaOptions);\n\n\u002F\u002F Create EC key\nvar ecOptions = new CreateEcKeyOptions(\"my-ec-key\")\n{\n    CurveName = KeyCurveName.P256,\n    HardwareProtected = true \u002F\u002F HSM-backed\n};\nKeyVaultKey ecKey = await client.CreateEcKeyAsync(ecOptions);\n\n\u002F\u002F Create Oct (symmetric) key for wrap\u002Funwrap\nvar octOptions = new CreateOctKeyOptions(\"my-oct-key\")\n{\n    KeySize = 256,\n    HardwareProtected = true\n};\nKeyVaultKey octKey = await client.CreateOctKeyAsync(octOptions);\n```\n\n### Retrieve Keys\n\n```csharp\n\u002F\u002F Get specific key (latest version)\nKeyVaultKey key = await client.GetKeyAsync(\"my-rsa-key\");\nConsole.WriteLine($\"Key ID: 
{key.Id}\");\nConsole.WriteLine($\"Key Type: {key.KeyType}\");\nConsole.WriteLine($\"Version: {key.Properties.Version}\");\n\n\u002F\u002F Get specific version\nKeyVaultKey keyVersion = await client.GetKeyAsync(\"my-rsa-key\", \"version-id\");\n\n\u002F\u002F List all keys\nawait foreach (KeyProperties keyProps in client.GetPropertiesOfKeysAsync())\n{\n    Console.WriteLine($\"Key: {keyProps.Name}, Enabled: {keyProps.Enabled}\");\n}\n\n\u002F\u002F List key versions\nawait foreach (KeyProperties version in client.GetPropertiesOfKeyVersionsAsync(\"my-rsa-key\"))\n{\n    Console.WriteLine($\"Version: {version.Version}, Created: {version.CreatedOn}\");\n}\n```\n\n### Update Key Properties\n\n```csharp\nKeyVaultKey key = await client.GetKeyAsync(\"my-rsa-key\");\n\nkey.Properties.ExpiresOn = DateTimeOffset.UtcNow.AddYears(2);\nkey.Properties.Tags[\"environment\"] = \"production\";\n\nKeyVaultKey updatedKey = await client.UpdateKeyPropertiesAsync(key.Properties);\n```\n\n### Delete and Purge Keys\n\n```csharp\n\u002F\u002F Start delete operation\nDeleteKeyOperation operation = await client.StartDeleteKeyAsync(\"my-rsa-key\");\n\n\u002F\u002F Wait for deletion to complete (required before purge)\nawait operation.WaitForCompletionAsync();\nConsole.WriteLine($\"Deleted key scheduled purge date: {operation.Value.ScheduledPurgeDate}\");\n\n\u002F\u002F Purge immediately (if soft-delete is enabled); a purged key cannot be recovered\nawait client.PurgeDeletedKeyAsync(\"my-rsa-key\");\n\n\u002F\u002F Or, instead of purging, recover the deleted key\nRecoverDeletedKeyOperation recoverOperation = await client.StartRecoverDeletedKeyAsync(\"my-rsa-key\");\nawait recoverOperation.WaitForCompletionAsync();\nKeyVaultKey recoveredKey = recoverOperation.Value;\n```\n\n### Backup and Restore\n\n```csharp\n\u002F\u002F Backup key\nbyte[] backup = await client.BackupKeyAsync(\"my-rsa-key\");\nawait File.WriteAllBytesAsync(\"key-backup.bin\", backup);\n\n\u002F\u002F Restore key\nbyte[] backupData = await File.ReadAllBytesAsync(\"key-backup.bin\");\nKeyVaultKey restoredKey = await client.RestoreKeyBackupAsync(backupData);\n```\n\n## Cryptographic Operations\n\n### Get 
CryptographyClient\n\n```csharp\nusing Azure.Security.KeyVault.Keys.Cryptography;\n\n\u002F\u002F From KeyClient\nKeyVaultKey key = await client.GetKeyAsync(\"my-rsa-key\");\nCryptographyClient cryptoClient = client.GetCryptographyClient(\n    key.Name, \n    key.Properties.Version);\n\n\u002F\u002F Or create directly with key ID\nCryptographyClient cryptoClientFromId = new CryptographyClient(\n    new Uri(\"https:\u002F\u002Fmyvault.vault.azure.net\u002Fkeys\u002Fmy-rsa-key\u002Fversion\"),\n    new DefaultAzureCredential());\n```\n\n### Encrypt and Decrypt\n\n```csharp\nusing System.Text;\n\nbyte[] plaintext = Encoding.UTF8.GetBytes(\"Secret message to encrypt\");\n\n\u002F\u002F Encrypt\nEncryptResult encryptResult = await cryptoClient.EncryptAsync(\n    EncryptionAlgorithm.RsaOaep256, \n    plaintext);\nConsole.WriteLine($\"Encrypted: {Convert.ToBase64String(encryptResult.Ciphertext)}\");\n\n\u002F\u002F Decrypt\nDecryptResult decryptResult = await cryptoClient.DecryptAsync(\n    EncryptionAlgorithm.RsaOaep256, \n    encryptResult.Ciphertext);\nstring decrypted = Encoding.UTF8.GetString(decryptResult.Plaintext);\nConsole.WriteLine($\"Decrypted: {decrypted}\");\n```\n\n### Wrap and Unwrap Keys\n\n```csharp\nusing System.Security.Cryptography;\n\n\u002F\u002F Key to wrap (e.g., AES key)\nbyte[] keyToWrap = new byte[32]; \u002F\u002F 256-bit key\nRandomNumberGenerator.Fill(keyToWrap);\n\n\u002F\u002F Wrap key\nWrapResult wrapResult = await cryptoClient.WrapKeyAsync(\n    KeyWrapAlgorithm.RsaOaep256, \n    keyToWrap);\n\n\u002F\u002F Unwrap key\nUnwrapResult unwrapResult = await cryptoClient.UnwrapKeyAsync(\n    KeyWrapAlgorithm.RsaOaep256, \n    wrapResult.EncryptedKey);\n```\n\n### Sign and Verify\n\n```csharp\n\u002F\u002F Data to sign\nbyte[] data = Encoding.UTF8.GetBytes(\"Data to sign\");\n\n\u002F\u002F Sign data (computes hash internally)\nSignResult signResult = await cryptoClient.SignDataAsync(\n    SignatureAlgorithm.RS256, \n    data);\n\n\u002F\u002F Verify signature\nVerifyResult verifyResult = await cryptoClient.VerifyDataAsync(\n    SignatureAlgorithm.RS256, \n    
data, \n    signResult.Signature);\nConsole.WriteLine($\"Signature valid: {verifyResult.IsValid}\");\n\n\u002F\u002F Or sign pre-computed hash\nusing var sha256 = SHA256.Create();\nbyte[] hash = sha256.ComputeHash(data);\n\nSignResult signHashResult = await cryptoClient.SignAsync(\n    SignatureAlgorithm.RS256, \n    hash);\n```\n\n## Key Resolver\n\n```csharp\nusing Azure.Security.KeyVault.Keys.Cryptography;\n\nvar resolver = new KeyResolver(new DefaultAzureCredential());\n\n\u002F\u002F Resolve key by ID to get CryptographyClient\nCryptographyClient cryptoClient = await resolver.ResolveAsync(\n    new Uri(\"https:\u002F\u002Fmyvault.vault.azure.net\u002Fkeys\u002Fmy-key\u002Fversion\"));\n\n\u002F\u002F Use for encryption\nEncryptResult result = await cryptoClient.EncryptAsync(\n    EncryptionAlgorithm.RsaOaep256, \n    plaintext);\n```\n\n## Key Rotation\n\n```csharp\n\u002F\u002F Rotate key (creates new version)\nKeyVaultKey rotatedKey = await client.RotateKeyAsync(\"my-rsa-key\");\nConsole.WriteLine($\"New version: {rotatedKey.Properties.Version}\");\n\n\u002F\u002F Get rotation policy\nKeyRotationPolicy policy = await client.GetKeyRotationPolicyAsync(\"my-rsa-key\");\n\n\u002F\u002F Update rotation policy\npolicy.ExpiresIn = \"P90D\"; \u002F\u002F 90 days\n\u002F\u002F The action is passed to the constructor; the Action property is read-only\npolicy.LifetimeActions.Add(new KeyRotationLifetimeAction(KeyRotationPolicyAction.Rotate)\n{\n    TimeBeforeExpiry = \"P30D\" \u002F\u002F Rotate 30 days before expiry\n});\n\nawait client.UpdateKeyRotationPolicyAsync(\"my-rsa-key\", policy);\n```\n\n## Key Types Reference\n\n| Type | Purpose |\n|------|---------|\n| `KeyClient` | Key management operations |\n| `CryptographyClient` | Cryptographic operations |\n| `KeyResolver` | Resolve key ID to CryptographyClient |\n| `KeyVaultKey` | Key with cryptographic material |\n| `KeyProperties` | Key metadata (no crypto material) |\n| `CreateRsaKeyOptions` | RSA key creation options |\n| `CreateEcKeyOptions` | EC key creation options |\n| 
`CreateOctKeyOptions` | Symmetric key options |\n| `EncryptResult` | Encryption result |\n| `DecryptResult` | Decryption result |\n| `SignResult` | Signing result |\n| `VerifyResult` | Verification result |\n| `WrapResult` | Key wrap result |\n| `UnwrapResult` | Key unwrap result |\n\n## Algorithms Reference\n\n### Encryption Algorithms\n| Algorithm | Key Type | Description |\n|-----------|----------|-------------|\n| `RsaOaep` | RSA | RSA-OAEP |\n| `RsaOaep256` | RSA | RSA-OAEP-256 |\n| `Rsa15` | RSA | RSA 1.5 (legacy) |\n| `A128Gcm` | Oct | AES-128-GCM |\n| `A256Gcm` | Oct | AES-256-GCM |\n\n### Signature Algorithms\n| Algorithm | Key Type | Description |\n|-----------|----------|-------------|\n| `RS256` | RSA | RSASSA-PKCS1-v1_5 SHA-256 |\n| `RS384` | RSA | RSASSA-PKCS1-v1_5 SHA-384 |\n| `RS512` | RSA | RSASSA-PKCS1-v1_5 SHA-512 |\n| `PS256` | RSA | RSASSA-PSS SHA-256 |\n| `ES256` | EC | ECDSA P-256 SHA-256 |\n| `ES384` | EC | ECDSA P-384 SHA-384 |\n| `ES512` | EC | ECDSA P-521 SHA-512 |\n\n### Key Wrap Algorithms\n| Algorithm | Key Type | Description |\n|-----------|----------|-------------|\n| `RsaOaep` | RSA | RSA-OAEP |\n| `RsaOaep256` | RSA | RSA-OAEP-256 |\n| `A128KW` | Oct | AES-128 Key Wrap |\n| `A256KW` | Oct | AES-256 Key Wrap |\n\n## Best Practices\n\n1. **Use Managed Identity** — Prefer `DefaultAzureCredential` over secrets\n2. **Enable soft-delete** — Protect against accidental deletion\n3. **Use HSM-backed keys** — Set `HardwareProtected = true` for sensitive keys\n4. **Implement key rotation** — Use automatic rotation policies\n5. **Limit key operations** — Only enable required `KeyOperations`\n6. **Set expiration dates** — Always set `ExpiresOn` for keys\n7. **Use specific versions** — Pin to versions in production\n8. 
**Cache CryptographyClient** — Reuse for multiple operations\n\n## Error Handling\n\n```csharp\nusing Azure;\n\ntry\n{\n    KeyVaultKey key = await client.GetKeyAsync(\"my-key\");\n}\ncatch (RequestFailedException ex) when (ex.Status == 404)\n{\n    Console.WriteLine(\"Key not found\");\n}\ncatch (RequestFailedException ex) when (ex.Status == 403)\n{\n    Console.WriteLine(\"Access denied - check RBAC permissions\");\n}\ncatch (RequestFailedException ex)\n{\n    Console.WriteLine($\"Key Vault error: {ex.Status} - {ex.Message}\");\n}\n```\n\n## Required RBAC Roles\n\n| Role | Permissions |\n|------|-------------|\n| Key Vault Crypto Officer | Full key management |\n| Key Vault Crypto User | Use keys for crypto operations |\n| Key Vault Reader | Read key metadata |\n\n## Related SDKs\n\n| SDK | Purpose | Install |\n|-----|---------|---------|\n| `Azure.Security.KeyVault.Keys` | Keys (this SDK) | `dotnet add package Azure.Security.KeyVault.Keys` |\n| `Azure.Security.KeyVault.Secrets` | Secrets | `dotnet add package Azure.Security.KeyVault.Secrets` |\n| `Azure.Security.KeyVault.Certificates` | Certificates | `dotnet add package Azure.Security.KeyVault.Certificates` |\n| `Azure.Identity` | Authentication | `dotnet add package Azure.Identity` |\n\n## Reference Links\n\n| Resource | URL |\n|----------|-----|\n| NuGet Package | https:\u002F\u002Fwww.nuget.org\u002Fpackages\u002FAzure.Security.KeyVault.Keys |\n| API Reference | https:\u002F\u002Flearn.microsoft.com\u002Fdotnet\u002Fapi\u002Fazure.security.keyvault.keys |\n| Quickstart | https:\u002F\u002Flearn.microsoft.com\u002Fazure\u002Fkey-vault\u002Fkeys\u002Fquick-create-net |\n| GitHub Source | https:\u002F\u002Fgithub.com\u002FAzure\u002Fazure-sdk-for-net\u002Ftree\u002Fmain\u002Fsdk\u002Fkeyvault\u002FAzure.Security.KeyVault.Keys |\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.\n\n## Limitations\n- Use this skill only when the task clearly matches the scope 
described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,124,703,"2026-05-16 13:07:36",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"Programming and Development","coding","mdi-code-braces","Code generation, debugging, and review to improve development efficiency",2,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"DevOps","devops","mdi-cog-outline","CI\u002FCD, containerization, deployment and operations",3,162,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"f5b39a6d-7ee7-421b-8dcc-924d8b463913","1.0.0","azure-security-keyvault-keys-dotnet.zip",4001,"uploads\u002Fskills\u002F186d4f3e-4adc-42fd-a6b8-b4c2475a99c5\u002Fazure-security-keyvault-keys-dotnet.zip","b24ed237ebf83f2f14fa887eae40e6de88d922940913dd7e13a4f3ed314536cc","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":12300}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]