This sample demonstrates how to back up and restore a Key from Azure Key Vault. To get started, you'll need a URI to an Azure Key Vault. See the README for links and instructions.
To create a new KeyClient to create, get, update, or delete keys, you need the endpoint to an Azure Key Vault and credentials.
You can use the DefaultAzureCredential to try a number of common authentication methods optimized for both running as a service and development.
In the sample below, you can set keyVaultUrl based on an environment variable, configuration setting, or any way that works for your application.
```C#
var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
```
Let's create an RSA key valid for 1 year. If a key with the same name already exists in the Azure Key Vault, a new version of that key is created instead.
```C#
string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}";
var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false)
{
    KeySize = 2048,
    ExpiresOn = DateTimeOffset.Now.AddYears(1)
};
KeyVaultKey storedKey = client.CreateRsaKey(rsaKey);
```
You might make backups in case keys get accidentally deleted. For long-term storage, it is ideal to write the backup to a file, disk, database, etc. For the purposes of this sample, we are keeping the backup in memory.
```C#
byte[] backupKey = client.BackupKey(rsaKeyName);
```
If the key is deleted for any reason, we can use the backup value to restore it in the Azure Key Vault.
```C#
// Restore from the byte[] returned by BackupKey above.
KeyVaultKey restoredKey = client.RestoreKeyBackup(backupKey);
```
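The steps above, carried through as one round trip with the backup written to a file and the key actually deleted before it is restored. This is an added example, not the SDK sample's own code; it assumes the vault URL is in an environment variable named AZURE_KEYVAULT_URL and that the caller has backup, restore, delete and purge permissions on keys.

```csharp
using System;
using System.IO;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;

// Assumption for this example: the vault URI comes from AZURE_KEYVAULT_URL.
string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL")
    ?? throw new InvalidOperationException("Set AZURE_KEYVAULT_URL to the vault URI.");
var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential());

string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}";
client.CreateRsaKey(new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false)
{
    KeySize = 2048,
    ExpiresOn = DateTimeOffset.Now.AddYears(1)
});

// 1. Back up to durable storage rather than memory. The blob is encrypted by Key Vault
//    and exposes no key material, but it still names the key, so restrict access to it.
string backupPath = Path.Combine(Path.GetTempPath(), $"{rsaKeyName}.keybackup");
byte[] backupKey = client.BackupKey(rsaKeyName);
File.WriteAllBytes(backupPath, backupKey);

// 2. Simulate the accidental deletion. On a soft-delete-enabled vault the deleted key
//    stays recoverable for its retention period, and a restore under the same name fails
//    with 409 Conflict until it is purged (or recovered), so purge it first.
DeleteKeyOperation deleteOperation = client.StartDeleteKey(rsaKeyName);
deleteOperation.WaitForCompletion();
try
{
    client.PurgeDeletedKey(rsaKeyName);
}
catch (RequestFailedException ex) when (ex.Status == 403)
{
    // Purge protection is enabled: the key cannot be purged during retention.
    // Use StartRecoverDeletedKey instead of restoring from backup in that case.
    Console.WriteLine($"Purge refused, recover the deleted key instead: {ex.Message}");
    return;
}

// 3. Restore from the file. A backup can only be restored into a vault in the same
//    Azure subscription and geography as the vault it was taken from.
KeyVaultKey restoredKey = client.RestoreKeyBackup(File.ReadAllBytes(backupPath));
Console.WriteLine($"Restored {restoredKey.Name}, version {restoredKey.Properties.Version}");
```

Run it as a top-level program against a test vault; the restored key keeps the original key's name, version and attributes, which is how you confirm the backup is usable before relying on it.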
To see the full example source, see: