Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Create the KeyClient with the appropriate programmatic authentication credentials, then create a CryptographyClient use the client to set, update, and rotate a key in Azure Key Vault.
Signing data
A few suggestions for signing data:
- Hash large data before signing
- Hash one-way data before signing such as passwords
- Small 2-way data can be signed directly
Sign and verify large or one-way data with key
To sign and verify your digested message, use the following methods:
For digested messages:
- sign to sign the digest of a message. This is useful for large data or one-way data such as passwords.
- verify to verify the digest of a message.
import { createHash } from "crypto";
import { DefaultAzureCredential } from '@azure/identity';
import {
CryptographyClient,
KeyClient,
KnownSignatureAlgorithms
} from '@azure/keyvault-keys';
// get service client
const credential = new DefaultAzureCredential();
const serviceClient = new KeyClient(
`https://${process.env.AZURE_KEYVAULT_NAME}.vault.azure.net`,
credential
);
// get existing key
const keyVaultKey = await serviceClient.getKey('MyRsaKey');
if (keyVaultKey?.name) {
// get encryption client with key
const cryptoClient = new CryptographyClient(keyVaultKey, credential);
// get digest
const digestableData = "MyLargeOrOneWayData";
const digest = createHash('sha256')
.update(digestableData)
.update(process.env.SYSTEM_SALT || '')
.digest();
// sign digest
const { result: signature } = await cryptoClient.sign(KnownSignatureAlgorithms.RS256, digest);
// store signed digest in database
// verify signature
const { result: verified } = await cryptoClient.verify(KnownSignatureAlgorithms.RS256, digest, signature);
console.log(`Verification ${verified ? 'succeeded' : 'failed'}.`);
}
Sign and verify small data with key
To sign and verify your data, use the following methods:
For data:
- signData to sign a block of data.
- verifyData to verify data.
import { createHash } from "crypto";
import { DefaultAzureCredential } from '@azure/identity';
import {
CryptographyClient,
KeyClient,
KnownSignatureAlgorithms
} from '@azure/keyvault-keys';
// get service client
const credential = new DefaultAzureCredential();
const serviceClient = new KeyClient(
`https://${process.env.AZURE_KEYVAULT_NAME}.vault.azure.net`,
credential
);
// get existing key
const keyVaultKey = await serviceClient.getKey('MyRsaKey');
if (keyVaultKey?.name) {
// get encryption client with key
const cryptoClient = new CryptographyClient(keyVaultKey, credential);
const data = 'Hello you bright big beautiful world!';
// sign
const { result: signature } = await cryptoClient.signData(
KnownSignatureAlgorithms.RS256,
Buffer.from(data, 'utf8')
);
// verify signature
const { result: verified } = await cryptoClient.verifyData(
KnownSignatureAlgorithms.RS256,
Buffer.from(data, 'utf8'),
signature
);
console.log(`Verification ${verified ? 'succeeded' : 'failed'}.`);
}