azure-keyvault-keys-rust
# Azure Key Vault Keys SDK for Rust

Client library for Azure Key Vault Keys — secure storage and management of cryptographic keys.
## Installation

```sh
cargo add azure_security_keyvault_keys azure_identity
```

## Environment Variables

```bash
AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net/
```

## Authentication
```rust
use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_keys::KeyClient;

// Uses the developer's local tool login (Azure CLI / Azure Developer CLI);
// switch to ManagedIdentityCredential in production (see Best Practices).
let credential = DeveloperToolsCredential::new(None)?;
let client = KeyClient::new(
    "https://<vault-name>.vault.azure.net/",
    credential.clone(),
    None,
)?;
```

## Key Types
| Type | Description |
|---|---|
| RSA | RSA keys (2048, 3072, 4096 bits) |
| EC | Elliptic curve keys (P-256, P-384, P-521) |
| RSA-HSM | HSM-protected RSA keys |
| EC-HSM | HSM-protected EC keys |
## Core Operations

### Get Key

```rust
let key = client
    .get_key("key-name", None)
    .await?
    .into_model()?;
// `kid` is the versioned key identifier:
// https://<vault-name>.vault.azure.net/keys/<key-name>/<version>
println!("Key ID: {:?}", key.key.as_ref().map(|k| &k.kid));
```

### Create Key
```rust
use azure_security_keyvault_keys::models::{CreateKeyParameters, KeyType};

let params = CreateKeyParameters {
    kty: KeyType::Rsa,
    key_size: Some(2048),
    ..Default::default()
};
let key = client
    .create_key("key-name", params.try_into()?, None)
    .await?
    .into_model()?;
```

### Create EC Key
```rust
use azure_security_keyvault_keys::models::{CreateKeyParameters, CurveName, KeyType};

let params = CreateKeyParameters {
    kty: KeyType::Ec,
    curve: Some(CurveName::P256),
    ..Default::default()
};
let key = client
    .create_key("ec-key", params.try_into()?, None)
    .await?
    .into_model()?;
```

### Delete Key
```rust
client.delete_key("key-name", None).await?;
```

### List Keys
```rust
use azure_security_keyvault_keys::ResourceExt;
use futures::TryStreamExt;

let mut pager = client.list_key_properties(None)?.into_stream();
while let Some(key) = pager.try_next().await? {
    // resource_id() parses the key identifier into vault URL, name and version
    let name = key.resource_id()?.name;
    println!("Key: {}", name);
}
```

### Backup Key
```rust
let backup = client
    .backup_key("key-name", None)
    .await?
    .into_model()?;
// backup.value is an encrypted blob that only Key Vault can read.
// Store backup.value safely
```

### Restore Key
```rust
use azure_security_keyvault_keys::models::RestoreKeyParameters;

// backup_bytes: the value returned by backup_key (see Backup Key)
let params = RestoreKeyParameters {
    key_bundle_backup: backup_bytes,
};
client.restore_key(params.try_into()?, None).await?;
```

## Cryptographic Operations
Key Vault can perform crypto operations without exposing the private key:

```rust
// For cryptographic operations, use the key's operations
// Available operations depend on key type and permissions:
// - encrypt/decrypt (RSA)
// - sign/verify (RSA, EC)
// - wrapKey/unwrapKey (RSA)
```

## Best Practices
- Use Entra ID auth — `DeveloperToolsCredential` for dev, `ManagedIdentityCredential` for production
- Use HSM keys for sensitive workloads — hardware-protected keys
- Use EC for signing — more efficient than RSA
- Use RSA for encryption — when encrypting data
- Backup keys — for disaster recovery
- Enable soft delete — required for production vaults
- Use key rotation — create new versions periodically
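Rotation means one key name resolves to several versions, and the identifiers this SDK hands back (the `kid` from Get Key, the `resource_id()` from List Keys) carry the version in their path. The following is an added example, not code from the `azure_security_keyvault_keys` crate: a std-only Rust parser for those identifiers that also checks an identifier belongs to the vault configured in `AZURE_KEYVAULT_URL` before the application acts on it, so a key reference taken from configuration or a token header cannot quietly point at a different vault. The accepted host suffixes are an assumption covering only the Azure public cloud (Key Vault and Managed HSM), and the vault names, key names and version string are constructed sample values.

```rust
// Added example (not part of the azure_security_keyvault_keys crate): a
// std-only parser for Key Vault key identifiers, which have the form
//   https://<vault-name>.vault.azure.net/keys/<key-name>[/<version>]
// A `kid` from get_key carries the version; an identifier without a version
// resolves to the current version, which is what rotation updates.

#[derive(Debug, PartialEq, Eq)]
pub struct KeyId {
    /// Vault base URL, lower-cased, without a trailing slash.
    pub vault_url: String,
    pub name: String,
    /// None for an unversioned identifier (resolves to the latest version).
    pub version: Option<String>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum KeyIdError {
    NotHttps,
    UnknownHost(String),
    NotAKey,
    MissingName,
    BadSegment(String),
    TrailingSegments,
}

/// Host suffixes accepted here. Assumption for this example: Azure public
/// cloud only (Key Vault and Managed HSM); sovereign clouds use other suffixes.
const ALLOWED_SUFFIXES: &[&str] = &[".vault.azure.net", ".managedhsm.azure.net"];

/// Key names and version ids are ASCII alphanumerics and '-'; anything else
/// (including '.', '%' and '/') is rejected so a crafted identifier cannot
/// smuggle a different path.
fn valid_segment(s: &str) -> bool {
    !s.is_empty() && s.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
}

pub fn parse_key_id(id: &str) -> Result<KeyId, KeyIdError> {
    let rest = id.strip_prefix("https://").ok_or(KeyIdError::NotHttps)?;
    let (host, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i + 1..]),
        None => (rest, ""),
    };
    let host = host.to_ascii_lowercase();
    let known = ALLOWED_SUFFIXES
        .iter()
        .any(|&s| host.ends_with(s) && host.len() > s.len());
    if !known {
        return Err(KeyIdError::UnknownHost(host));
    }

    let mut segs = path.trim_end_matches('/').split('/');
    if segs.next() != Some("keys") {
        // e.g. /secrets/... or /certificates/... are not key identifiers
        return Err(KeyIdError::NotAKey);
    }
    let name = segs.next().ok_or(KeyIdError::MissingName)?;
    if !valid_segment(name) {
        return Err(KeyIdError::BadSegment(name.to_string()));
    }
    let version = match segs.next() {
        Some(v) if valid_segment(v) => Some(v.to_string()),
        Some(v) => return Err(KeyIdError::BadSegment(v.to_string())),
        None => None,
    };
    if segs.next().is_some() {
        return Err(KeyIdError::TrailingSegments);
    }
    Ok(KeyId {
        vault_url: format!("https://{host}"),
        name: name.to_string(),
        version,
    })
}

/// True when `id` belongs to the vault the application was configured with
/// (for example the AZURE_KEYVAULT_URL value), ignoring case and a trailing '/'.
pub fn belongs_to_vault(id: &KeyId, configured_vault_url: &str) -> bool {
    id.vault_url
        .eq_ignore_ascii_case(configured_vault_url.trim_end_matches('/'))
}

fn main() {
    // Constructed sample identifiers; the version is a placeholder, not a real one.
    let configured = "https://my-vault.vault.azure.net/";
    for id in [
        "https://my-vault.vault.azure.net/keys/signing-key/0123456789abcdef0123456789abcdef",
        "https://my-vault.vault.azure.net/keys/signing-key",
        "https://other-vault.vault.azure.net/keys/signing-key",
        "https://my-vault.vault.azure.net/secrets/not-a-key",
    ] {
        match parse_key_id(id) {
            Ok(k) if belongs_to_vault(&k, configured) => {
                println!("ok: {} version={:?}", k.name, k.version)
            }
            Ok(k) => println!("reject: {} is in a different vault ({})", k.name, k.vault_url),
            Err(e) => println!("reject: {id}: {e:?}"),
        }
    }
}
```

The parser treats an identifier as hostile input: it requires `https`, an allow-listed host suffix with a non-empty vault name, the `keys` collection rather than `secrets` or `certificates`, and plain alphanumeric path segments, then returns a canonical `vault_url` that `belongs_to_vault` compares against the configured endpoint. Pin the allow-list to the cloud you actually deploy in.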
## RBAC Permissions

Assign these Key Vault roles:

- `Key Vault Crypto User` — use keys for crypto operations
- `Key Vault Crypto Officer` — full CRUD on keys