key {AzureKeyVault} R Documentation
Encryption key object
Description
This class represents an encryption key stored in a vault. It provides methods for carrying out operations, including encryption and decryption, signing and verification, and wrapping and unwrapping.
Fields
This class provides the following fields:
- key: The key details as a parsed JSON web key (JWK).
- managed: Whether this key's lifetime is managed by Key Vault. TRUE if the key backs a certificate.
Methods
This class provides the following methods:
encrypt(plaintext, algorithm=c("RSA-OAEP", "RSA-OAEP-256", "RSA1_5"))
decrypt(ciphertext, algorithm=c("RSA-OAEP", "RSA-OAEP-256", "RSA1_5"), as_raw=TRUE)
sign(digest, algorithm=c("RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES256K", "ES384", "ES512"))
verify(signature, digest, algorithm=c("RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES256K", "ES384", "ES512"))
wrap(value, algorithm=c("RSA-OAEP", "RSA-OAEP-256", "RSA1_5"))
unwrap(value, algorithm=c("RSA-OAEP", "RSA-OAEP-256", "RSA1_5"), as_raw=TRUE)
update_attributes(attributes=vault_object_attrs(), ...)
list_versions()
set_version(version=NULL)
delete(confirm=TRUE)
Arguments
- plaintext: For encrypt, the plaintext to encrypt.
- ciphertext: For decrypt, the ciphertext to decrypt.
- digest: For sign, a generated hash to sign. For verify, the digest to verify for authenticity.
- signature: For verify, a signature to verify for authenticity.
- value: For wrap, a symmetric key to be wrapped; for unwrap, the value to be unwrapped to obtain the symmetric key.
- as_raw: For decrypt and unwrap, whether to return a raw vector (the default) or a character vector.
- algorithm: The algorithm to use for each operation. Note that the algorithm must be compatible with the key type, e.g. RSA keys cannot use ECDSA for signing or verifying.
- attributes: For update_attributes, the new attributes for the object, such as the expiry date and activation date. A convenient way to provide this is via the vault_object_attrs helper function.
- ...: For update_attributes, additional key-specific properties to update. See keys.
- version: For set_version, the version ID or NULL for the current version.
- confirm: For delete, whether to ask for confirmation before deleting the key.
Details
The operations supported by a key will be those given by the key_ops argument when the key was created. By default, a newly created RSA key supports all the operations listed above: encrypt/decrypt, sign/verify, and wrap/unwrap. An EC key only supports the sign and verify operations.

A key can have multiple versions, which are automatically generated when a key is created with the same name as an existing key. By default, the most recent (current) version is used for key operations; use list_versions and set_version to change the version.
Value
For the key operations, a raw vector (for decrypt and unwrap, if as_raw=TRUE) or character vector.

For list_versions, a data frame containing details of each version.

For set_version, the key object with the updated version.
See Also
Azure Key Vault documentation, Azure Key Vault API reference
Examples
## Not run:
vault <- key_vault("mykeyvault")
vault$keys$create("mynewkey")
# new version of an existing key
vault$keys$create("mynewkey", type="RSA", rsa_key_size=4096)

key <- vault$keys$get("mynewkey")
vers <- key$list_versions()
# list_versions() returns a data frame; set_version() takes a single version ID
key$set_version(vers$version[2])

plaintext <- "some secret text"
ciphertext <- key$encrypt(plaintext)
decrypted <- key$decrypt(ciphertext, as_raw=FALSE)
decrypted == plaintext # TRUE

# sha2() defaults to SHA-256, which matches the default RS256 signing algorithm
dig <- openssl::sha2(charToRaw(plaintext))
sig <- key$sign(dig)
key$verify(sig, dig) # TRUE

wraptext <- key$wrap(plaintext)
unwrap_text <- key$unwrap(wraptext, as_raw=FALSE)
plaintext == unwrap_text # TRUE
## End(Not run)
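The wrap/unwrap and sign/verify operations are intended for envelope encryption; the following added example (not part of the AzureKeyVault documentation) keeps bulk data local under an AES-256-GCM key from the openssl package, sends only that key to the vault for wrapping, and signs the stored envelope so it is verified before any unwrap. It assumes a vault "mykeyvault" holding an RSA key "mynewkey" with wrap, unwrap, sign and verify enabled, that wrap accepts a raw key and returns base64 text, and that unwrap returns the key raw (the as_raw default).

```r
library(AzureKeyVault)

# Assumed names: vault "mykeyvault", RSA key "mynewkey" (key_ops: wrap/unwrap/sign/verify).
vault <- key_vault("mykeyvault")
kek <- vault$keys$get("mynewkey")   # key-encryption key; its private half never leaves the vault

# Digest over the stored envelope. wrap() returns base64 text, so it is converted to raw
# before concatenation; the wrapped key and IV have fixed lengths, so the layout is unambiguous.
envelope_digest <- function(env)
{
    openssl::sha256(c(charToRaw(env$wrapped_key), env$iv, env$ciphertext))
}

envelope_encrypt <- function(kek, plaintext_raw)
{
    dek <- openssl::rand_bytes(32)   # fresh data-encryption key, generated locally per message
    iv <- openssl::rand_bytes(12)
    ct <- openssl::aes_gcm_encrypt(plaintext_raw, key=dek, iv=iv)
    # Only the 32-byte DEK is sent to Key Vault; the bulk payload stays local.
    # RSA1_5 remains available for compatibility, but OAEP padding is the preferred choice.
    wrapped <- kek$wrap(dek, algorithm="RSA-OAEP-256")
    env <- list(wrapped_key=wrapped, iv=iv, ciphertext=ct)
    # Detached signature over the envelope; PS256 must be paired with a SHA-256 digest.
    env$sig <- kek$sign(envelope_digest(env), algorithm="PS256")
    env
}

envelope_decrypt <- function(kek, env)
{
    # Verify first, so a tampered envelope is rejected before any unwrap call is made.
    if(!isTRUE(kek$verify(env$sig, envelope_digest(env), algorithm="PS256")))
        stop("envelope signature check failed")
    dek <- kek$unwrap(env$wrapped_key, algorithm="RSA-OAEP-256")   # as_raw=TRUE: raw DEK back
    openssl::aes_gcm_decrypt(env$ciphertext, key=dek, iv=env$iv)
}

# Constructed sample payload
secret <- charToRaw("contents of a document too large to send to the vault")
env <- envelope_encrypt(kek, secret)
stopifnot(identical(rawToChar(envelope_decrypt(kek, env)), rawToChar(secret)))
```

Because the DEK is per message and only its wrapped form is stored, rotating "mynewkey" to a new version requires rewrapping stored DEKs, not re-encrypting the payloads.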