Key Vault supports two resource types: vaults and managed HSMs. Both resource types support various encryption keys. To see a summary of the supported key types and protection types for each resource type, see About keys.

The following table shows a summary of key types and supported algorithms.

EC algorithms

The following algorithm identifiers are supported with EC-HSM keys.

Curve Types

- P-256 - The NIST curve P-256, defined at DSS FIPS PUB 186-4.
- P-256K - The SEC curve SECP256K1, defined at SEC 2: Recommended Elliptic Curve Domain Parameters.
- P-384 - The NIST curve P-384, defined at DSS FIPS PUB 186-4.
- P-521 - The NIST curve P-521, defined at DSS FIPS PUB 186-4.

SIGN/VERIFY

- ES256 - ECDSA for SHA-256 digests and keys created with curve P-256.
- ES256K - ECDSA for SHA-256 digests and keys created with curve P-256K. This algorithm is pending standardization.
- ES384 - ECDSA for SHA-384 digests and keys created with curve P-384.
- ES512 - ECDSA for SHA-512 digests and keys created with curve P-521.

RSA algorithms

The following algorithm identifiers are supported with RSA and RSA-HSM keys.

WRAPKEY/UNWRAPKEY, ENCRYPT/DECRYPT

- RSA1_5 - RSAES-PKCS1-V1_5 key encryption.
- RSA-OAEP - RSAES using Optimal Asymmetric Encryption Padding (OAEP), with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters use a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1.
- RSA-OAEP-256 - RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256.

SIGN/VERIFY

- PS256 - RSASSA-PSS using SHA-256 and MGF1 with SHA-256, as described in RFC7518.
- PS384 - RSASSA-PSS using SHA-384 and MGF1 with SHA-384, as described in RFC7518.
- PS512 - RSASSA-PSS using SHA-512 and MGF1 with SHA-512, as described in RFC7518.
- The application-supplied digest value must be computed using SHA-256 and must be 32 bytes in length.
- The application-supplied digest value must be computed using SHA-384 and must be 48 bytes in length.
- The application-supplied digest value must be computed using SHA-512 and must be 64 bytes in length.
- RSNULL - See RFC2437, a specialized use case to enable certain TLS scenarios.

Symmetric key algorithms (Managed HSM only)

- AES-GCM - AES encryption in Galois Counter Mode (NIST SP 800-38d).
- AES-CBC - AES encryption in Cipher Block Chaining Mode (NIST SP 800-38a).

Key operations

Key Vault, including Managed HSM, supports the following operations on key objects:

- Create: Allows a client to create a key in Key Vault. The value of the key is generated by Key Vault and stored, and isn't released to the client. Asymmetric keys may be created in Key Vault.
- Import: Allows a client to import an existing key to Key Vault. Asymmetric keys may be imported to Key Vault using a number of different packaging methods within a JWK construct.
- Update: Allows a client with sufficient permissions to modify the metadata (key attributes) associated with a key previously stored within Key Vault.
- Delete: Allows a client with sufficient permissions to delete a key from Key Vault.
- List: Allows a client to list all keys in a given Key Vault.
- List versions: Allows a client to list all versions of a given key in a given Key Vault.
- Get: Allows a client to retrieve the public parts of a given key in a Key Vault.
- Backup: Exports a key in a protected form.
- Restore: Imports a previously backed up key.
- Rotate (preview): Rotates an existing key by generating a new version of the key (Key Vault only).

For more information, see Key operations in the Key Vault REST API reference.

Once a key has been created in Key Vault, the following cryptographic operations may be performed using the key:

- Sign and Verify: Strictly, this operation is "sign hash" or "verify hash", as Key Vault doesn't support hashing of content as part of signature creation.
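Because Key Vault only signs a caller-supplied digest, the client is responsible for picking the hash function that matches the algorithm and for sending a digest of exactly the required length. The following added example (not code from the page or from Azure) maps the sign/verify identifiers listed above to their digest requirements, checks a digest before it is sent, and builds the `alg`/base64url `value` pair that the Key Vault REST sign request carries; the request shape is taken from the REST API, not from this page, and no network call is made.

```python
import base64
import hashlib

# Sign/verify algorithm identifier -> (hashlib name, required digest length in bytes).
# Only identifiers described on this page are included; RSNULL takes no digest
# and is deliberately absent, so it is rejected below.
DIGEST_REQUIREMENTS = {
    "ES256": ("sha256", 32),   # ECDSA, curve P-256
    "ES256K": ("sha256", 32),  # ECDSA, curve P-256K (SECP256K1)
    "ES384": ("sha384", 48),   # ECDSA, curve P-384
    "ES512": ("sha512", 64),   # ECDSA, curve P-521
    "PS256": ("sha256", 32),   # RSASSA-PSS, MGF1 with SHA-256
    "PS384": ("sha384", 48),   # RSASSA-PSS, MGF1 with SHA-384
    "PS512": ("sha512", 64),   # RSASSA-PSS, MGF1 with SHA-512
}


def compute_digest(alg: str, content: bytes) -> bytes:
    """Hash the content with the hash function the algorithm requires."""
    if alg not in DIGEST_REQUIREMENTS:
        raise ValueError(f"no client-side digest defined for algorithm {alg!r}")
    hash_name, _ = DIGEST_REQUIREMENTS[alg]
    return hashlib.new(hash_name, content).digest()


def digest_is_valid(alg: str, digest: bytes) -> bool:
    """True when the digest length matches the algorithm's requirement.

    A mismatched length (e.g. a SHA-256 digest sent with ES512) would be
    rejected by the service; catching it locally gives a clearer error.
    """
    if alg not in DIGEST_REQUIREMENTS:
        return False
    _, required_len = DIGEST_REQUIREMENTS[alg]
    return len(digest) == required_len


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding the REST API uses for the digest."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sign_request(alg: str, content: bytes) -> dict:
    """Return the body of a sign request: the algorithm and the encoded digest."""
    digest = compute_digest(alg, content)
    if not digest_is_valid(alg, digest):
        raise ValueError(f"digest length {len(digest)} is wrong for {alg}")
    return {"alg": alg, "value": b64url(digest)}
```

The same `digest_is_valid` check applies to a verify request, which carries the digest the signature was produced over rather than the original content.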