key: Encryption key object
In AzureKeyVault: Key and Secret Management in 'Azure'

key	R Documentation

Encryption key object

Description

This class represents an encryption key stored in a vault. It provides methods for carrying out operations, including encryption and decryption, signing and verification, and wrapping and unwrapping.

Fields

This class provides the following fields:

key: The key details as a parsed JSON web key (JWK).
managed: Whether this key's lifetime is managed by Key Vault. TRUE if the key backs a certificate.

Methods

This class provides the following methods:

encrypt(plaintext, algorithm=c("RSA-OAEP", "RSA-OAEP-256", "RSA1_5"))
decrypt(ciphertext, algorithm=c("RSA-OAEP", "RSA-OAEP-256", "RSA1_5"), as_raw=TRUE)
sign(digest,
     algorithm=c("RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                 "ES256", "ES256K", "ES384", "ES512"))
verify(signature, digest,
       algorithm=c("RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                   "ES256", "ES256K", "ES384", "ES512"))
wrap(value, algorithm=c("RSA-OAEP", "RSA-OAEP-256", "RSA1_5"))
unwrap(value, algorithm=c("RSA-OAEP", "RSA-OAEP-256", "RSA1_5"), as_raw=TRUE)

update_attributes(attributes=vault_object_attrs(), ...)
list_versions()
set_version(version=NULL)
delete(confirm=TRUE)

Arguments

plaintext: For encrypt, the plaintext to encrypt.
ciphertext: For decrypt, the ciphertext to decrypt.
digest: For sign, a generated hash to sign. For verify, the digest to verify for authenticity.
signature: For verify, a signature to verify for authenticity.
value: For wrap, a symmetric key to be wrapped; for unwrap, the value to be unwrapped to obtain the symmetric key.
as_raw: For decrypt and unwrap, whether to return a character vector or a raw vector (the default).
algorithm: The algorithm to use for each operation. Note that the algorithm must be compatible with the key type, eg RSA keys cannot use ECDSA for signing or verifying.
attributes: For update_attributes, the new attributes for the object, such as the expiry date and activation date. A convenient way to provide this is via the vault_object_attrs helper function.
...: For update_attributes, additional key-specific properties to update. See keys.
version: For set_version, the version ID or NULL for the current version.
confirm: For delete, whether to ask for confirmation before deleting the key.

Details

The operations supported by a key will be those given by the key_ops argument when the key was created. By default, a newly created RSA key supports all the operations listed above: encrypt/decrypt, sign/verify, and wrap/unwrap. An EC key only supports the sign and verify operations.

A key can have multiple versions, which are automatically generated when a key is created with the same name as an existing key. By default, the most recent (current) version is used for key operations; use list_versions and set_version to change the version.

Value

For the key operations, a raw vector (for decrypt and unwrap, if as_raw=TRUE) or character vector.

For list_versions, a data frame containing details of each version.

For set_version, the key object with the updated version.

Examples

## Not run: 

vault <- key_vault("mykeyvault")

vault$keys$create("mynewkey")
# new version of an existing key
vault$keys$create("mynewkey", type="RSA", rsa_key_size=4096)

key <- vault$keys$get("mynewkey")
vers <- key$list_versions()
key$set_version(vers[2])

plaintext <- "some secret text"

ciphertext <- key$encrypt(plaintext)
decrypted <- key$decrypt(ciphertext, as_raw=FALSE)
decrypted == plaintext  # TRUE

dig <- openssl::sha2(charToRaw(plaintext))
sig <- key$sign(dig)
key$verify(sig, dig)  # TRUE

wraptext <- key$wrap(plaintext)
unwrap_text <- key$unwrap(wraptext, as_raw=FALSE)
plaintext == unwrap_text  # TRUE


## End(Not run)

AzureKeyVault documentation built on April 12, 2025, 9:11 a.m.