OpenSkillIndex← back to search
claude-code

Skills azure-keyvault-keys-rust

install
source · Clone the upstream repo
git clone https://github.com/microsoft/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/microsoft/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/.github/plugins/azure-sdk-rust/skills/azure-keyvault-keys-rust" ~/.claude/skills/microsoft-skills-azure-keyvault-keys-rust && rm -rf "$T"
manifest: .github/plugins/azure-sdk-rust/skills/azure-keyvault-keys-rust/SKILL.md
source content

Azure Key Vault Keys SDK for Rust

Client library for Azure Key Vault Keys — secure storage and management of cryptographic keys.

Installation

cargo add azure_security_keyvault_keys azure_identity

Environment Variables

AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net/

Authentication

use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_keys::KeyClient;

let credential = DeveloperToolsCredential::new(None)?;
let client = KeyClient::new(
    "https://<vault-name>.vault.azure.net/",
    credential.clone(),
    None,
)?;

Key Types

TypeDescription
RSARSA keys (2048, 3072, 4096 bits)
ECElliptic curve keys (P-256, P-384, P-521)
RSA-HSMHSM-protected RSA keys
EC-HSMHSM-protected EC keys

Core Operations

Get Key

let key = client
    .get_key("key-name", None)
    .await?
    .into_model()?;

println!("Key ID: {:?}", key.key.as_ref().map(|k| &k.kid));

Create Key

use azure_security_keyvault_keys::models::{CreateKeyParameters, KeyType};

let params = CreateKeyParameters {
    kty: Some(KeyType::Rsa),
    key_size: Some(2048),
    ..Default::default()
};

let key = client
    .create_key("key-name", params.try_into()?, None)
    .await?
    .into_model()?;

Create EC Key

use azure_security_keyvault_keys::models::{CreateKeyParameters, KeyType, CurveName};

let params = CreateKeyParameters {
    kty: Some(KeyType::Ec),
    curve: Some(CurveName::P256),
    ..Default::default()
};

let key = client
    .create_key("ec-key", params.try_into()?, None)
    .await?
    .into_model()?;

Delete Key

client.delete_key("key-name", None).await?;

List Keys

use azure_security_keyvault_keys::ResourceExt;
use futures::TryStreamExt;

let mut pager = client.list_key_properties(None)?.into_stream();
while let Some(key) = pager.try_next().await? {
    let name = key.resource_id()?.name;
    println!("Key: {}", name);
}

Backup Key

let backup = client.backup_key("key-name", None).await?;
// Store backup.value safely

Restore Key

use azure_security_keyvault_keys::models::RestoreKeyParameters;

let params = RestoreKeyParameters {
    key_bundle_backup: backup_bytes,
};

client.restore_key(params.try_into()?, None).await?;

Cryptographic Operations

Key Vault can perform crypto operations without exposing the private key:

use azure_security_keyvault_keys::models::{
    CreateKeyParameters, EncryptionAlgorithm, KeyOperationParameters, KeyType,
};
use azure_security_keyvault_keys::ResourceExt;

// Create a KEK
let body = CreateKeyParameters {
    kty: Some(KeyType::Rsa),
    key_size: Some(2048),
    ..Default::default()
};
let key = client
    .create_key("kek-name", body.try_into()?, None)
    .await?
    .into_model()?;
let key_version = key.resource_id()?.version.expect("key version required");

// Wrap a key
let parameters = KeyOperationParameters {
    algorithm: Some(EncryptionAlgorithm::RsaOaep256),
    value: Some(data_to_wrap),
    ..Default::default()
};
let wrapped = client
    .wrap_key("kek-name", &key_version, parameters.try_into()?, None)
    .await?
    .into_model()?;

// Unwrap a key
let parameters = KeyOperationParameters {
    algorithm: Some(EncryptionAlgorithm::RsaOaep256),
    value: wrapped.result,
    ..Default::default()
};
let unwrapped = client
    .unwrap_key("kek-name", &key_version, parameters.try_into()?, None)
    .await?
    .into_model()?;

Best Practices

  1. Use Entra ID auth
    DeveloperToolsCredential
    for dev, 
    ManagedIdentityCredential
    for production
  2. Use HSM keys for sensitive workloads — hardware-protected keys
  3. Use EC for signing — more efficient than RSA
  4. Use RSA for encryption — when encrypting data
  5. Backup keys — for disaster recovery
  6. Enable soft delete — required for production vaults
  7. Use key rotation — create new versions periodically

RBAC Permissions

Assign these Key Vault roles:

  • Key Vault Crypto User
    — use keys for crypto operations
  • Key Vault Crypto Officer
    — full CRUD on keys

Reference Links

ResourceLink
API Referencehttps://docs.rs/azure_security_keyvault_keys
Source Codehttps://github.com/Azure/azure-sdk-for-rust/tree/main/sdk/keyvault/azure_security_keyvault_keys
crates.iohttps://crates.io/crates/azure_security_keyvault_keys