Azure Key Vault Keys for Rust: Hardware-Backed Cryptographic Operations
Cryptographic keys are the foundation of security, but managing them safely is complex. Azure Key Vault provides hardware-backed key storage with cryptographic operations performed in HSMs, while Rust ensures type-safe usage that prevents common cryptographic errors.
What This Skill Does
The skill offers RSA and EC key generation, encryption and decryption operations, digital signing and verification, key rotation with version management, HSM-backed key protection, and wrap/unwrap operations for key encryption.
Getting Started
    cargo add azure_security_keyvault_keys azure_identity
Encrypt and decrypt data:
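    use azure_security_keyvault_keys::{models::EncryptionAlgorithm, KeyClient};

    // `vault_url`, `credential` and `plaintext` are supplied by the caller;
    // the calls below run inside an async function that returns a Result.
    let client = KeyClient::new(vault_url, credential)?;

    // Encrypt data (the operation happens in Key Vault)
    let encrypted = client.encrypt(
        "my-key",
        EncryptionAlgorithm::RsaOaep256,
        plaintext,
    ).await?;

    // Decrypt with the same key and algorithm
    let decrypted = client.decrypt(
        "my-key",
        EncryptionAlgorithm::RsaOaep256,
        encrypted.ciphertext,
    ).await?;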
Key Features
Hardware Security Modules protect keys in FIPS 140-2 validated hardware. Cryptographic Operations happen in Key Vault; keys never leave it. Key Rotation maintains security with automatic versioning. Type Safety prevents algorithm mismatches at compile time.
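Because rotation produces new key versions, ciphertext is best stored beside the exact versioned key identifier that produced it, checked against the vault you expect. The following is an added example, not code from the crate or from Microsoft: `parse_key_id`, `pinned_for_storage`, `KeyIdError` and the vault name `example-vault` are hypothetical, and it uses only the standard library.

```rust
// Added example: std-only parsing of Key Vault key identifiers of the form
// https://<vault-host>/keys/<key-name>/<key-version>.
#[derive(Debug, PartialEq)]
pub struct KeyId {
    pub host: String,
    pub name: String,
    pub version: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum KeyIdError { NotHttps, WrongVault, NotAKey, BadSegment, Unversioned }

/// Parse `kid` and require that it points at `expected_host` (the vault you trust).
pub fn parse_key_id(kid: &str, expected_host: &str) -> Result<KeyId, KeyIdError> {
    let rest = kid.strip_prefix("https://").ok_or(KeyIdError::NotHttps)?;
    let mut parts = rest.trim_end_matches('/').split('/');
    let host = parts.next().unwrap_or("");
    // Exact host match also rejects userinfo tricks such as "vault@other-host".
    if !host.eq_ignore_ascii_case(expected_host) { return Err(KeyIdError::WrongVault); }
    if parts.next() != Some("keys") { return Err(KeyIdError::NotAKey); }
    // Key names and versions consist of ASCII alphanumerics and dashes.
    let ok = |s: &str| !s.is_empty() && s.chars().all(|c| c.is_ascii_alphanumeric() || c == '-');
    let name = parts.next().filter(|s| ok(*s)).ok_or(KeyIdError::BadSegment)?;
    let version = match parts.next() {
        None => None,
        Some(v) if ok(v) => Some(v.to_string()),
        Some(_) => return Err(KeyIdError::BadSegment),
    };
    if parts.next().is_some() { return Err(KeyIdError::NotAKey); }
    Ok(KeyId { host: host.to_ascii_lowercase(), name: name.to_string(), version })
}

/// Identifier to store beside ciphertext: it must name one exact key version,
/// so decryption after a rotation still targets the version that encrypted.
pub fn pinned_for_storage(kid: &str, expected_host: &str) -> Result<KeyId, KeyIdError> {
    let id = parse_key_id(kid, expected_host)?;
    if id.version.is_none() { return Err(KeyIdError::Unversioned); }
    Ok(id)
}

fn main() {
    // Constructed sample identifier; vault name and version are placeholders.
    let kid = "https://example-vault.vault.azure.net/keys/my-key/0123456789abcdef0123456789abcdef";
    println!("{:?}", pinned_for_storage(kid, "example-vault.vault.azure.net"));
}
```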
When to Use
Use for encrypting sensitive data, signing and verifying documents, protecting encryption keys, implementing envelope encryption, and meeting compliance requirements. Essential for production security.
Source
Maintained by Microsoft.