Microsoft.KeyVault (stable:7.5)

2025/01/23 • 4 updated methods

decrypt (updated)
Description The DECRYPT operation decrypts a well-formed block of ciphertext using the target encryption key and specified algorithm. This operation is the reverse of the ENCRYPT operation; only a single block of data may be decrypted, the size of this block is dependent on the target key and the algorithm to be used. The DECRYPT operation applies to asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission. Microsoft recommends not to use CBC algorithms for decryption without first ensuring the integrity of the ciphertext using an HMAC, for example. See https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
Reference Link ¶

⚶ Changes

{
  "#id": "decrypt",
  "$parameters": {
    "parameters": {
      "$properties": [
        {
          "#name": "alg",
          "Enum": {
            "new": [
              [
                "RSA-OAEP",
                "[Not recommended] RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_OAEP, which is included solely for backwards compatibility. RSA_OAEP utilizes SHA1, which has known collision problems."
              ],
              [
                "RSA-OAEP-256",
                "RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256."
              ],
              [
                "RSA1_5",
                "[Not recommended] RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_1_5, which is included solely for backwards compatibility. Cryptographic standards no longer consider RSA with the PKCS#1 v1.5 padding scheme secure for encryption."
              ],
              [
                "A128GCM",
                "128-bit AES-GCM."
              ],
              [
                "A192GCM",
                "192-bit AES-GCM."
              ],
              [
                "A256GCM",
                "256-bit AES-GCM."
              ],
              [
                "A128KW",
                "128-bit AES key wrap."
              ],
              [
                "A192KW",
                "192-bit AES key wrap."
              ],
              [
                "A256KW",
                "256-bit AES key wrap."
              ],
              [
                "A128CBC",
                "128-bit AES-CBC."
              ],
              [
                "A192CBC",
                "192-bit AES-CBC."
              ],
              [
                "A256CBC",
                "256-bit AES-CBC."
              ],
              [
                "A128CBCPAD",
                "128-bit AES-CBC with PKCS padding."
              ],
              [
                "A192CBCPAD",
                "192-bit AES-CBC with PKCS padding."
              ],
              [
                "A256CBCPAD",
                "256-bit AES-CBC with PKCS padding."
              ]
            ],
            "old": [
              [
                "RSA-OAEP",
                "RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1."
              ],
              [
                "RSA-OAEP-256",
                "RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256."
              ],
              [
                "RSA1_5",
                "RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447."
              ],
              [
                "A128GCM",
                "128-bit AES-GCM."
              ],
              [
                "A192GCM",
                "192-bit AES-GCM."
              ],
              [
                "A256GCM",
                "256-bit AES-GCM."
              ],
              [
                "A128KW",
                "128-bit AES key wrap."
              ],
              [
                "A192KW",
                "192-bit AES key wrap."
              ],
              [
                "A256KW",
                "256-bit AES key wrap."
              ],
              [
                "A128CBC",
                "128-bit AES-CBC."
              ],
              [
                "A192CBC",
                "192-bit AES-CBC."
              ],
              [
                "A256CBC",
                "256-bit AES-CBC."
              ],
              [
                "A128CBCPAD",
                "128-bit AES-CBC with PKCS padding."
              ],
              [
                "A192CBCPAD",
                "192-bit AES-CBC with PKCS padding."
              ],
              [
                "A256CBCPAD",
                "256-bit AES-CBC with PKCS padding."
              ]
            ]
          }
        }
      ]
    }
  }
}

⚼ Request

POST:  /keys/{key-name}/{key-version}/decrypt
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
key-name:
{
Description: The name of the key. ,
Required: True ,
}
string ,
key-version:
{
Description: The version of the key. ,
Required: True ,
}
string ,
parameters:
{
Description: The parameters for the decryption operation. ,
Required: True ,
}
{
alg:
{
Description: algorithm identifier ,
Enum:
{
RSA-OAEP: [Not recommended] RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_OAEP, which is included solely for backwards compatibility. RSA_OAEP utilizes SHA1, which has known collision problems. ,
RSA-OAEP-256: RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256. ,
RSA1_5: [Not recommended] RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_1_5, which is included solely for backwards compatibility. Cryptographic standards no longer consider RSA with the PKCS#1 v1.5 padding scheme secure for encryption. ,
A128GCM: 128-bit AES-GCM. ,
A192GCM: 192-bit AES-GCM. ,
A256GCM: 256-bit AES-GCM. ,
A128KW: 128-bit AES key wrap. ,
A192KW: 192-bit AES key wrap. ,
A256KW: 256-bit AES key wrap. ,
A128CBC: 128-bit AES-CBC. ,
A192CBC: 192-bit AES-CBC. ,
A256CBC: 256-bit AES-CBC. ,
A128CBCPAD: 128-bit AES-CBC with PKCS padding. ,
A192CBCPAD: 192-bit AES-CBC with PKCS padding. ,
A256CBCPAD: 256-bit AES-CBC with PKCS padding. ,
}
,
Required: True ,
}
enum ,
value:
{
Description: The value to operate on. ,
Format: base64url ,
Required: True ,
}
string ,
iv:
{
Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
aad:
{
Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
tag:
{
Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,
Format: base64url ,
Required: False ,
}
string ,
}
,
}

⚐ Response (200)

{
kid:
{
Description: Key identifier ,
Required: False ,
}
string ,
value:
{
Description: The result of the operation. ,
Format: base64url ,
Required: False ,
}
string ,
iv:
{
Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
tag:
{
Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,
Format: base64url ,
Required: False ,
}
string ,
aad:
{
Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
}

⚐ Response (default)

{
error:
{
Description: The key vault server error. ,
Required: False ,
}
{
code:
{
Description: The error code. ,
Required: False ,
}
string ,
message:
{
Description: The error message. ,
Required: False ,
}
string ,
innererror:
{
Required: False ,
}
string ,
}
,
}
encrypt (updated)
Description The ENCRYPT operation encrypts an arbitrary sequence of bytes using an encryption key that is stored in Azure Key Vault. Note that the ENCRYPT operation only supports a single block of data, the size of which is dependent on the target key and the encryption algorithm to be used. The ENCRYPT operation is only strictly necessary for symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be performed using public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/encrypt permission.
Reference Link ¶

⚶ Changes

{
  "#id": "encrypt",
  "$parameters": {
    "parameters": {
      "$properties": [
        {
          "#name": "alg",
          "Enum": {
            "new": [
              [
                "RSA-OAEP",
                "[Not recommended] RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_OAEP, which is included solely for backwards compatibility. RSA_OAEP utilizes SHA1, which has known collision problems."
              ],
              [
                "RSA-OAEP-256",
                "RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256."
              ],
              [
                "RSA1_5",
                "[Not recommended] RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_1_5, which is included solely for backwards compatibility. Cryptographic standards no longer consider RSA with the PKCS#1 v1.5 padding scheme secure for encryption."
              ],
              [
                "A128GCM",
                "128-bit AES-GCM."
              ],
              [
                "A192GCM",
                "192-bit AES-GCM."
              ],
              [
                "A256GCM",
                "256-bit AES-GCM."
              ],
              [
                "A128KW",
                "128-bit AES key wrap."
              ],
              [
                "A192KW",
                "192-bit AES key wrap."
              ],
              [
                "A256KW",
                "256-bit AES key wrap."
              ],
              [
                "A128CBC",
                "128-bit AES-CBC."
              ],
              [
                "A192CBC",
                "192-bit AES-CBC."
              ],
              [
                "A256CBC",
                "256-bit AES-CBC."
              ],
              [
                "A128CBCPAD",
                "128-bit AES-CBC with PKCS padding."
              ],
              [
                "A192CBCPAD",
                "192-bit AES-CBC with PKCS padding."
              ],
              [
                "A256CBCPAD",
                "256-bit AES-CBC with PKCS padding."
              ]
            ],
            "old": [
              [
                "RSA-OAEP",
                "RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1."
              ],
              [
                "RSA-OAEP-256",
                "RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256."
              ],
              [
                "RSA1_5",
                "RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447."
              ],
              [
                "A128GCM",
                "128-bit AES-GCM."
              ],
              [
                "A192GCM",
                "192-bit AES-GCM."
              ],
              [
                "A256GCM",
                "256-bit AES-GCM."
              ],
              [
                "A128KW",
                "128-bit AES key wrap."
              ],
              [
                "A192KW",
                "192-bit AES key wrap."
              ],
              [
                "A256KW",
                "256-bit AES key wrap."
              ],
              [
                "A128CBC",
                "128-bit AES-CBC."
              ],
              [
                "A192CBC",
                "192-bit AES-CBC."
              ],
              [
                "A256CBC",
                "256-bit AES-CBC."
              ],
              [
                "A128CBCPAD",
                "128-bit AES-CBC with PKCS padding."
              ],
              [
                "A192CBCPAD",
                "192-bit AES-CBC with PKCS padding."
              ],
              [
                "A256CBCPAD",
                "256-bit AES-CBC with PKCS padding."
              ]
            ]
          }
        }
      ]
    }
  }
}

⚼ Request

POST:  /keys/{key-name}/{key-version}/encrypt
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
key-name:
{
Description: The name of the key. ,
Required: True ,
}
string ,
key-version:
{
Description: The version of the key. ,
Required: True ,
}
string ,
parameters:
{
Description: The parameters for the encryption operation. ,
Required: True ,
}
{
alg:
{
Description: algorithm identifier ,
Enum:
{
RSA-OAEP: [Not recommended] RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_OAEP, which is included solely for backwards compatibility. RSA_OAEP utilizes SHA1, which has known collision problems. ,
RSA-OAEP-256: RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256. ,
RSA1_5: [Not recommended] RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_1_5, which is included solely for backwards compatibility. Cryptographic standards no longer consider RSA with the PKCS#1 v1.5 padding scheme secure for encryption. ,
A128GCM: 128-bit AES-GCM. ,
A192GCM: 192-bit AES-GCM. ,
A256GCM: 256-bit AES-GCM. ,
A128KW: 128-bit AES key wrap. ,
A192KW: 192-bit AES key wrap. ,
A256KW: 256-bit AES key wrap. ,
A128CBC: 128-bit AES-CBC. ,
A192CBC: 192-bit AES-CBC. ,
A256CBC: 256-bit AES-CBC. ,
A128CBCPAD: 128-bit AES-CBC with PKCS padding. ,
A192CBCPAD: 192-bit AES-CBC with PKCS padding. ,
A256CBCPAD: 256-bit AES-CBC with PKCS padding. ,
}
,
Required: True ,
}
enum ,
value:
{
Description: The value to operate on. ,
Format: base64url ,
Required: True ,
}
string ,
iv:
{
Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
aad:
{
Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
tag:
{
Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,
Format: base64url ,
Required: False ,
}
string ,
}
,
}

⚐ Response (200)

{
kid:
{
Description: Key identifier ,
Required: False ,
}
string ,
value:
{
Description: The result of the operation. ,
Format: base64url ,
Required: False ,
}
string ,
iv:
{
Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
tag:
{
Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,
Format: base64url ,
Required: False ,
}
string ,
aad:
{
Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
}

⚐ Response (default)

{
error:
{
Description: The key vault server error. ,
Required: False ,
}
{
code:
{
Description: The error code. ,
Required: False ,
}
string ,
message:
{
Description: The error message. ,
Required: False ,
}
string ,
innererror:
{
Required: False ,
}
string ,
}
,
}
unwrapKey (updated)
Description The UNWRAP operation supports decryption of a symmetric key using the target key encryption key. This operation is the reverse of the WRAP operation. The UNWRAP operation applies to asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/unwrapKey permission.
Reference Link ¶

⚶ Changes

{
  "#id": "unwrapKey",
  "$parameters": {
    "parameters": {
      "$properties": [
        {
          "#name": "alg",
          "Enum": {
            "new": [
              [
                "RSA-OAEP",
                "[Not recommended] RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_OAEP, which is included solely for backwards compatibility. RSA_OAEP utilizes SHA1, which has known collision problems."
              ],
              [
                "RSA-OAEP-256",
                "RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256."
              ],
              [
                "RSA1_5",
                "[Not recommended] RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_1_5, which is included solely for backwards compatibility. Cryptographic standards no longer consider RSA with the PKCS#1 v1.5 padding scheme secure for encryption."
              ],
              [
                "A128GCM",
                "128-bit AES-GCM."
              ],
              [
                "A192GCM",
                "192-bit AES-GCM."
              ],
              [
                "A256GCM",
                "256-bit AES-GCM."
              ],
              [
                "A128KW",
                "128-bit AES key wrap."
              ],
              [
                "A192KW",
                "192-bit AES key wrap."
              ],
              [
                "A256KW",
                "256-bit AES key wrap."
              ],
              [
                "A128CBC",
                "128-bit AES-CBC."
              ],
              [
                "A192CBC",
                "192-bit AES-CBC."
              ],
              [
                "A256CBC",
                "256-bit AES-CBC."
              ],
              [
                "A128CBCPAD",
                "128-bit AES-CBC with PKCS padding."
              ],
              [
                "A192CBCPAD",
                "192-bit AES-CBC with PKCS padding."
              ],
              [
                "A256CBCPAD",
                "256-bit AES-CBC with PKCS padding."
              ]
            ],
            "old": [
              [
                "RSA-OAEP",
                "RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1."
              ],
              [
                "RSA-OAEP-256",
                "RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256."
              ],
              [
                "RSA1_5",
                "RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447."
              ],
              [
                "A128GCM",
                "128-bit AES-GCM."
              ],
              [
                "A192GCM",
                "192-bit AES-GCM."
              ],
              [
                "A256GCM",
                "256-bit AES-GCM."
              ],
              [
                "A128KW",
                "128-bit AES key wrap."
              ],
              [
                "A192KW",
                "192-bit AES key wrap."
              ],
              [
                "A256KW",
                "256-bit AES key wrap."
              ],
              [
                "A128CBC",
                "128-bit AES-CBC."
              ],
              [
                "A192CBC",
                "192-bit AES-CBC."
              ],
              [
                "A256CBC",
                "256-bit AES-CBC."
              ],
              [
                "A128CBCPAD",
                "128-bit AES-CBC with PKCS padding."
              ],
              [
                "A192CBCPAD",
                "192-bit AES-CBC with PKCS padding."
              ],
              [
                "A256CBCPAD",
                "256-bit AES-CBC with PKCS padding."
              ]
            ]
          }
        }
      ]
    }
  }
}

⚼ Request

POST:  /keys/{key-name}/{key-version}/unwrapkey
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
key-name:
{
Description: The name of the key. ,
Required: True ,
}
string ,
key-version:
{
Description: The version of the key. ,
Required: True ,
}
string ,
parameters:
{
Description: The parameters for the key operation. ,
Required: True ,
}
{
alg:
{
Description: algorithm identifier ,
Enum:
{
RSA-OAEP: [Not recommended] RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_OAEP, which is included solely for backwards compatibility. RSA_OAEP utilizes SHA1, which has known collision problems. ,
RSA-OAEP-256: RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256. ,
RSA1_5: [Not recommended] RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_1_5, which is included solely for backwards compatibility. Cryptographic standards no longer consider RSA with the PKCS#1 v1.5 padding scheme secure for encryption. ,
A128GCM: 128-bit AES-GCM. ,
A192GCM: 192-bit AES-GCM. ,
A256GCM: 256-bit AES-GCM. ,
A128KW: 128-bit AES key wrap. ,
A192KW: 192-bit AES key wrap. ,
A256KW: 256-bit AES key wrap. ,
A128CBC: 128-bit AES-CBC. ,
A192CBC: 192-bit AES-CBC. ,
A256CBC: 256-bit AES-CBC. ,
A128CBCPAD: 128-bit AES-CBC with PKCS padding. ,
A192CBCPAD: 192-bit AES-CBC with PKCS padding. ,
A256CBCPAD: 256-bit AES-CBC with PKCS padding. ,
}
,
Required: True ,
}
enum ,
value:
{
Description: The value to operate on. ,
Format: base64url ,
Required: True ,
}
string ,
iv:
{
Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
aad:
{
Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
tag:
{
Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,
Format: base64url ,
Required: False ,
}
string ,
}
,
}

⚐ Response (200)

{
kid:
{
Description: Key identifier ,
Required: False ,
}
string ,
value:
{
Description: The result of the operation. ,
Format: base64url ,
Required: False ,
}
string ,
iv:
{
Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
tag:
{
Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,
Format: base64url ,
Required: False ,
}
string ,
aad:
{
Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
}

⚐ Response (default)

{
error:
{
Description: The key vault server error. ,
Required: False ,
}
{
code:
{
Description: The error code. ,
Required: False ,
}
string ,
message:
{
Description: The error message. ,
Required: False ,
}
string ,
innererror:
{
Required: False ,
}
string ,
}
,
}
wrapKey (updated)
Description The WRAP operation supports encryption of a symmetric key using a key encryption key that has previously been stored in an Azure Key Vault. The WRAP operation is only strictly necessary for symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be performed using the public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission.
Reference Link ¶

⚶ Changes

{
  "#id": "wrapKey",
  "$parameters": {
    "parameters": {
      "$properties": [
        {
          "#name": "alg",
          "Enum": {
            "new": [
              [
                "RSA-OAEP",
                "[Not recommended] RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_OAEP, which is included solely for backwards compatibility. RSA_OAEP utilizes SHA1, which has known collision problems."
              ],
              [
                "RSA-OAEP-256",
                "RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256."
              ],
              [
                "RSA1_5",
                "[Not recommended] RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_1_5, which is included solely for backwards compatibility. Cryptographic standards no longer consider RSA with the PKCS#1 v1.5 padding scheme secure for encryption."
              ],
              [
                "A128GCM",
                "128-bit AES-GCM."
              ],
              [
                "A192GCM",
                "192-bit AES-GCM."
              ],
              [
                "A256GCM",
                "256-bit AES-GCM."
              ],
              [
                "A128KW",
                "128-bit AES key wrap."
              ],
              [
                "A192KW",
                "192-bit AES key wrap."
              ],
              [
                "A256KW",
                "256-bit AES key wrap."
              ],
              [
                "A128CBC",
                "128-bit AES-CBC."
              ],
              [
                "A192CBC",
                "192-bit AES-CBC."
              ],
              [
                "A256CBC",
                "256-bit AES-CBC."
              ],
              [
                "A128CBCPAD",
                "128-bit AES-CBC with PKCS padding."
              ],
              [
                "A192CBCPAD",
                "192-bit AES-CBC with PKCS padding."
              ],
              [
                "A256CBCPAD",
                "256-bit AES-CBC with PKCS padding."
              ]
            ],
            "old": [
              [
                "RSA-OAEP",
                "RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1."
              ],
              [
                "RSA-OAEP-256",
                "RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256."
              ],
              [
                "RSA1_5",
                "RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447."
              ],
              [
                "A128GCM",
                "128-bit AES-GCM."
              ],
              [
                "A192GCM",
                "192-bit AES-GCM."
              ],
              [
                "A256GCM",
                "256-bit AES-GCM."
              ],
              [
                "A128KW",
                "128-bit AES key wrap."
              ],
              [
                "A192KW",
                "192-bit AES key wrap."
              ],
              [
                "A256KW",
                "256-bit AES key wrap."
              ],
              [
                "A128CBC",
                "128-bit AES-CBC."
              ],
              [
                "A192CBC",
                "192-bit AES-CBC."
              ],
              [
                "A256CBC",
                "256-bit AES-CBC."
              ],
              [
                "A128CBCPAD",
                "128-bit AES-CBC with PKCS padding."
              ],
              [
                "A192CBCPAD",
                "192-bit AES-CBC with PKCS padding."
              ],
              [
                "A256CBCPAD",
                "256-bit AES-CBC with PKCS padding."
              ]
            ]
          }
        }
      ]
    }
  }
}

⚼ Request

POST:  /keys/{key-name}/{key-version}/wrapkey
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
key-name:
{
Description: The name of the key. ,
Required: True ,
}
string ,
key-version:
{
Description: The version of the key. ,
Required: True ,
}
string ,
parameters:
{
Description: The parameters for wrap operation. ,
Required: True ,
}
{
alg:
{
Description: algorithm identifier ,
Enum:
{
RSA-OAEP: [Not recommended] RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_OAEP, which is included solely for backwards compatibility. RSA_OAEP utilizes SHA1, which has known collision problems. ,
RSA-OAEP-256: RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256. ,
RSA1_5: [Not recommended] RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447. Microsoft recommends using RSA_OAEP_256 or stronger algorithms for enhanced security. Microsoft does *not* recommend RSA_1_5, which is included solely for backwards compatibility. Cryptographic standards no longer consider RSA with the PKCS#1 v1.5 padding scheme secure for encryption. ,
A128GCM: 128-bit AES-GCM. ,
A192GCM: 192-bit AES-GCM. ,
A256GCM: 256-bit AES-GCM. ,
A128KW: 128-bit AES key wrap. ,
A192KW: 192-bit AES key wrap. ,
A256KW: 256-bit AES key wrap. ,
A128CBC: 128-bit AES-CBC. ,
A192CBC: 192-bit AES-CBC. ,
A256CBC: 256-bit AES-CBC. ,
A128CBCPAD: 128-bit AES-CBC with PKCS padding. ,
A192CBCPAD: 192-bit AES-CBC with PKCS padding. ,
A256CBCPAD: 256-bit AES-CBC with PKCS padding. ,
}
,
Required: True ,
}
enum ,
value:
{
Description: The value to operate on. ,
Format: base64url ,
Required: True ,
}
string ,
iv:
{
Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
aad:
{
Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
tag:
{
Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,
Format: base64url ,
Required: False ,
}
string ,
}
,
}

⚐ Response (200)

{
kid:
{
Description: Key identifier ,
Required: False ,
}
string ,
value:
{
Description: The result of the operation. ,
Format: base64url ,
Required: False ,
}
string ,
iv:
{
Description: Cryptographically random, non-repeating initialization vector for symmetric algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
tag:
{
Description: The tag to authenticate when performing decryption with an authenticated algorithm. ,
Format: base64url ,
Required: False ,
}
string ,
aad:
{
Description: Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. ,
Format: base64url ,
Required: False ,
}
string ,
}

⚐ Response (default)

{
error:
{
Description: The key vault server error. ,
Required: False ,
}
{
code:
{
Description: The error code. ,
Required: False ,
}
string ,
message:
{
Description: The error message. ,
Required: False ,
}
string ,
innererror:
{
Required: False ,
}
string ,
}
,
}