Encryption keys in Key Vault

This class represents the collection of encryption keys stored in a vault. It provides methods for managing keys, including creating, importing and deleting keys, and doing backups and restores. For operations with a specific key, see key.


For get, create and import, an object of class stored_key, representing the key itself. This has methods for carrying out the operations given by the key_ops argument.

For list, a vector of key names.

For backup, a string representing the backup blob for a key. If the key has multiple versions, the blob will contain all versions.


This class provides the following methods:

create(name, type=c("RSA", "EC"), hardware=FALSE,
       ec_curve=NULL, rsa_key_size=NULL, key_ops=NULL,
       attributes=vault_object_attrs(), ...)
import(name, key, hardware=FALSE,
       attributes=vault_object_attrs(), ...)
delete(name, confirm=TRUE)


  • name: The name of the key.

  • type: For create, the type of key to create: RSA or elliptic curve (EC). Note that for keys backing a certificate, only RSA is allowed.

  • hardware: For create, Whether to use a hardware key or software key. The former requires a premium key vault.

  • ec_curve: For an EC key, the type of elliptic curve.

  • rsa_key_size: For an RSA key, the key size, either 2048, 3072 or 4096.

  • key_ops: A character vector of operations that the key supports. The possible operations are "encrypt", "decrypt", "sign", "verify", "wrapkey" and "unwrapkey". See key for more information.

  • attributes: Optional attributes for the key, such as the expiry date and activation date. A convenient way to provide this is via the vault_object_attrs helper function.

  • key: For import, the key to import. This can be the name of a PEM file, a JSON web key (JWK) string, or a key object generated by the openssl package. See the examples below.

  • hardware: For import, whether to import this key as a hardware key (HSM). Only supported for a premium key vault.

  • ...: For create and import, other named arguments which will be treated as tags.

  • include_managed: For list, whether to include keys that were created by Key Vault to support a managed certificate.

  • backup: For restore, a string representing the backup blob for a key.

See Also

key, vault_object_attrs

Azure Key Vault documentation, Azure Key Vault API reference

  • keys
vault <- key_vault("mykeyvault")

vault$keys$create("myRSAkey", type="RSA", rsa_key_size=4096)
vault$keys$create("myECkey", type="EC", ec_curve="P-384")


# specifying an expiry date
today <-
vault$keys$create("mynewkey", attributes=vault_object_attrs(expiry_date=today+365))

# setting management tags
vault$keys$create("mynewkey", tag1="a value", othertag="another value")

# importing a key from a PEM file
vault$keys$import("importedkey1", "myprivatekey.pem")

# importing a key generated by OpenSSL
vault$keys$import("importedkey2", openssl::rsa_keygen())

# importing a JWK (which is a JSON string)
key <- openssl::read_key("myprivatekey.pem")
jwk <- jose::write_jwk(key)
vault$keys$import("importedkey3", jwk)

# backup and restore a key
bak <- vault$keys$backup("mynewkey")
vault$keys$delete("mynewkey", confirm=FALSE)

# }
Documentation reproduced from package AzureKeyVault, version 1.0.0, License: MIT + file LICENSE

Community examples

Looks like there are no examples yet.