Metadata-Version: 2.1
Name: azure-keyvault-keys
Version: 4.5.1
Summary: Microsoft Azure Key Vault Keys Client Library for Python
Home-page: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys
Author: Microsoft Corporation
Author-email: azurekeyvault@microsoft.com
License: MIT License
Description: # Azure Key Vault Keys client library for Python
        Azure Key Vault helps solve the following problems:
        - Cryptographic key management (this library) - create, store, and control
        access to the keys used to encrypt your data
        - Secrets management
        ([azure-keyvault-secrets](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-secrets)) -
        securely store and control access to tokens, passwords, certificates, API keys,
        and other secrets
        - Certificate management
        ([azure-keyvault-certificates](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-certificates)) -
        create, manage, and deploy public and private SSL/TLS certificates
        - Vault administration ([azure-keyvault-administration](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration)) - role-based access control (RBAC), and vault-level backup and restore options
        
        [Source code][key_client_src] | [Package (PyPI)][pypi_package_keys] | [API reference documentation][reference_docs] | [Product documentation][keyvault_docs] | [Samples][key_samples]
        
        ## _Disclaimer_
        
        _Azure SDK Python packages support for Python 2.7 has ended 01 January 2022. For more information and questions, please refer to https://github.com/Azure/azure-sdk-for-python/issues/20691_
        
        ## Getting started
        ### Install packages
        Install [azure-keyvault-keys][pypi_package_keys] and
        [azure-identity][azure_identity_pypi] with [pip][pip]:
        ```Bash
        pip install azure-keyvault-keys azure-identity
        ```
        [azure-identity][azure_identity] is used for Azure Active Directory
        authentication as demonstrated below.
        
        ### Prerequisites
        * An [Azure subscription][azure_sub]
        * Python 3.6 or later
        * A Key Vault. If you need to create one, you can use the
        [Azure Cloud Shell][azure_cloud_shell] to create one with these commands
        (replace `"my-resource-group"` and `"my-key-vault"` with your own, unique
        names):
        
          (Optional) if you want a new resource group to hold the Key Vault:
          ```sh
          az group create --name my-resource-group --location westus2
          ```
        
          Create the Key Vault:
          ```Bash
          az keyvault create --resource-group my-resource-group --name my-key-vault
          ```
        
          Output:
          ```json
          {
              "id": "...",
              "location": "westus2",
              "name": "my-key-vault",
              "properties": {
                  "accessPolicies": [...],
                  "createMode": null,
                  "enablePurgeProtection": null,
                  "enableSoftDelete": null,
                  "enabledForDeployment": false,
                  "enabledForDiskEncryption": null,
                  "enabledForTemplateDeployment": null,
                  "networkAcls": null,
                  "provisioningState": "Succeeded",
                  "sku": { "name": "standard" },
                  "tenantId": "...",
                  "vaultUri": "https://my-key-vault.vault.azure.net/"
              },
              "resourceGroup": "my-resource-group",
              "type": "Microsoft.KeyVault/vaults"
          }
          ```
        
          > The `"vaultUri"` property is the `vault_url` used by [KeyClient][key_client_docs]
        
        ### Authenticate the client
        This document demonstrates using [DefaultAzureCredential][default_cred_ref]
        to authenticate as a service principal. However, [KeyClient][key_client_docs]
        accepts any [azure-identity][azure_identity] credential. See the
        [azure-identity][azure_identity] documentation for more information about other
        credentials.
        
        #### Create a service principal (optional)
        This [Azure Cloud Shell][azure_cloud_shell] snippet shows how to create a
        new service principal. Before using it, replace "your-application-name" with
        a more appropriate name for your service principal.
        
        Create a service principal:
        ```Bash
        az ad sp create-for-rbac --name http://my-application --skip-assignment
        ```
        
        > Output:
        > ```json
        > {
        >     "appId": "generated app id",
        >     "displayName": "my-application",
        >     "name": "http://my-application",
        >     "password": "random password",
        >     "tenant": "tenant id"
        > }
        > ```
        
        Use the output to set **AZURE_CLIENT_ID** ("appId" above), **AZURE_CLIENT_SECRET**
        ("password" above) and **AZURE_TENANT_ID** ("tenant" above) environment variables.
        The following example shows a way to do this in Bash:
        ```Bash
        export AZURE_CLIENT_ID="generated app id"
        export AZURE_CLIENT_SECRET="random password"
        export AZURE_TENANT_ID="tenant id"
        ```
        
        Authorize the service principal to perform key operations in your Key Vault:
        ```Bash
        az keyvault set-policy --name my-key-vault --spn $AZURE_CLIENT_ID --key-permissions backup delete get list create update decrypt encrypt
        ```
        > Possible permissions:
        > - Key management: backup, delete, get, list, purge, recover, restore, create, update, import
        > - Cryptographic operations: decrypt, encrypt, unwrapKey, wrapKey, verify, sign
        
        If you have enabled role-based access control (RBAC) for Key Vault instead, you can find roles like "Key Vault Crypto Officer" in our [RBAC guide][rbac_guide].
        If you are managing your keys using Managed HSM, read about its [access control][access_control] that supports different built-in roles isolated from Azure Resource Manager (ARM).
        
        #### Create a client
        Once the **AZURE_CLIENT_ID**, **AZURE_CLIENT_SECRET** and
        **AZURE_TENANT_ID** environment variables are set,
        [DefaultAzureCredential][default_cred_ref] will be able to authenticate the
        [KeyClient][key_client_docs].
        
        Constructing the client also requires your vault's URL, which you can
        get from the Azure CLI or the Azure Portal. In the Azure Portal, this URL is
        the vault's "DNS Name".
        
        ```python
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.keys import KeyClient
        
        credential = DefaultAzureCredential()
        
        key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        ```
        
        ## Key concepts
        ### Keys
        Azure Key Vault can create and store RSA and elliptic curve keys. Both can
        optionally be protected by hardware security modules (HSMs). Azure Key Vault
        can also perform cryptographic operations with them. For more information about
        keys and supported operations and algorithms, see the
        [Key Vault documentation](https://docs.microsoft.com/azure/key-vault/keys/about-keys).
        
        [KeyClient][key_client_docs] can create keys in the vault, get existing keys
        from the vault, update key metadata, and delete keys, as shown in the
        [examples](#examples "examples") below.
        
        ## Examples
        This section contains code snippets covering common tasks:
        * [Create a key](#create-a-key "Create a key")
        * [Retrieve a key](#retrieve-a-key "Retrieve a key")
        * [Update an existing key](#update-an-existing-key "Update an existing key")
        * [Delete a key](#delete-a-key "Delete a key")
        * [Configure automatic key rotation](#configure-automatic-key-rotation "Configure automatic key rotation")
        * [List keys](#list-keys "List keys")
        * [Perform cryptographic operations](#cryptographic-operations)
        * [Async API](#async-api "Async API")
        * [Asynchronously create a key](#asynchronously-create-a-key "Asynchronously create a key")
        * [Asynchronously list keys](#asynchronously-list-keys "Asynchronously list keys")
        
        ### Create a key
        [create_rsa_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_rsa_key) and
        [create_ec_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_ec_key)
        create RSA and elliptic curve keys in the vault, respectively. If a key with the same name already exists, a new version
        of that key is created.
        
        ```python
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.keys import KeyClient
        
        credential = DefaultAzureCredential()
        
        key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        
        # Create an RSA key
        rsa_key = key_client.create_rsa_key("rsa-key-name", size=2048)
        print(rsa_key.name)
        print(rsa_key.key_type)
        
        # Create an elliptic curve key
        ec_key = key_client.create_ec_key("ec-key-name", curve="P-256")
        print(ec_key.name)
        print(ec_key.key_type)
        ```
        
        ### Retrieve a key
        [get_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.get_key) retrieves a key
        previously stored in the Vault.
        ```python
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.keys import KeyClient
        
        credential = DefaultAzureCredential()
        
        key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        key = key_client.get_key("key-name")
        print(key.name)
        ```
        
        ### Update an existing key
        [update_key_properties](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.update_key_properties)
        updates the properties of a key previously stored in the Key Vault.
        ```python
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.keys import KeyClient
        
        credential = DefaultAzureCredential()
        
        key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        
        # we will now disable the key for further use
        updated_key = key_client.update_key_properties("key-name", enabled=False)
        
        print(updated_key.name)
        print(updated_key.properties.enabled)
        ```
        
        ### Delete a key
        [begin_delete_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.begin_delete_key)
        requests Key Vault delete a key, returning a poller which allows you to wait for the deletion to finish. Waiting is
        helpful when the vault has [soft-delete][soft_delete] enabled, and you want to purge (permanently delete) the key as
        soon as possible. When [soft-delete][soft_delete] is disabled, `begin_delete_key` itself is permanent.
        
        ```python
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.keys import KeyClient
        
        credential = DefaultAzureCredential()
        
        key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        deleted_key = key_client.begin_delete_key("key-name").result()
        
        print(deleted_key.name)
        print(deleted_key.deleted_date)
        ```
        
        ### Configure automatic key rotation
        [update_key_rotation_policy](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.5.0b5/azure.keyvault.keys.html#azure.keyvault.keys.KeyClient.update_key_rotation_policy)
        allows you to configure automatic key rotation for a key by specifying a rotation policy.
        In addition,
        [rotate_key](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.5.0b5/azure.keyvault.keys.html#azure.keyvault.keys.KeyClient.rotate_key)
        allows you to rotate a key on-demand by creating a new version of the given key.
        
        ```python
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.keys import KeyClient, KeyRotationLifetimeAction, KeyRotationPolicyAction
        
        credential = DefaultAzureCredential()
        key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        
        # Set the key's automated rotation policy to rotate the key 30 days before the key expires
        actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE, time_before_expiry="P30D")]
        # You may also specify the duration after which the newly rotated key will expire
        # In this example, any new key versions will expire after 90 days
        updated_policy = key_client.update_key_rotation_policy("key-name", expires_in="P90D", lifetime_actions=actions)
        
        # You can get the current rotation policy for a key with get_key_rotation_policy
        current_policy = key_client.get_key_rotation_policy("key-name")
        
        # Finally, you can rotate a key on-demand by creating a new version of the key
        rotated_key = key_client.rotate_key("key-name")
        ```
        
        ### List keys
        [list_properties_of_keys](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.list_properties_of_keys)
        lists the properties of all of the keys in the client's vault.
        
        ```python
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.keys import KeyClient
        
        credential = DefaultAzureCredential()
        
        key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        keys = key_client.list_properties_of_keys()
        
        for key in keys:
            # the list doesn't include values or versions of the keys
            print(key.name)
        ```
        
        ### Cryptographic operations
        [CryptographyClient](https://aka.ms/azsdk/python/keyvault-keys/crypto/docs#azure.keyvault.keys.crypto.CryptographyClient)
        enables cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) using a particular key.
        
        ```py
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.keys import KeyClient
        from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm
        
        credential = DefaultAzureCredential()
        key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        
        key = key_client.get_key("key-name")
        crypto_client = CryptographyClient(key, credential=credential)
        plaintext = b"plaintext"
        
        result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext)
        decrypted = crypto_client.decrypt(result.algorithm, result.ciphertext)
        ```
        
        See the
        [package documentation][crypto_client_docs]
        for more details of the cryptography API.
        
        ### Async API
        This library includes a complete set of async APIs. To use them, you must
        first install an async transport, such as [aiohttp](https://pypi.org/project/aiohttp/).
        See
        [azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/CLIENT_LIBRARY_DEVELOPER.md#transport)
        for more information.
        
        Async clients and credentials should be closed when they're no longer needed. These
        objects are async context managers and define async `close` methods. For
        example:
        
        ```py
        from azure.identity.aio import DefaultAzureCredential
        from azure.keyvault.keys.aio import KeyClient
        
        credential = DefaultAzureCredential()
        
        # call close when the client and credential are no longer needed
        client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        ...
        await client.close()
        await credential.close()
        
        # alternatively, use them as async context managers (contextlib.AsyncExitStack can help)
        client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        async with client:
          async with credential:
            ...
        ```
        
        ### Asynchronously create a key
        [create_rsa_key](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.create_rsa_key) and
        [create_ec_key](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.create_ec_key)
        create RSA and elliptic curve keys in the vault, respectively. If a key with the same name already exists, a new
        version of the key is created.
        
        ```python
        from azure.identity.aio import DefaultAzureCredential
        from azure.keyvault.keys.aio import KeyClient
        
        credential = DefaultAzureCredential()
        key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        
        # Create an RSA key
        rsa_key = await key_client.create_rsa_key("rsa-key-name", size=2048)
        print(rsa_key.name)
        print(rsa_key.key_type)
        
        # Create an elliptic curve key
        ec_key = await key_client.create_ec_key("ec-key-name", curve="P-256")
        print(ec_key.name)
        print(ec_key.key_type)
        ```
        
        ### Asynchronously list keys
        [list_properties_of_keys](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.list_properties_of_keys)
        lists the properties of all of the keys in the client's vault.
        
        ```python
        from azure.identity.aio import DefaultAzureCredential
        from azure.keyvault.keys.aio import KeyClient
        
        credential = DefaultAzureCredential()
        key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        keys = key_client.list_properties_of_keys()
        
        async for key in keys:
            print(key.name)
        ```
        
        ## Troubleshooting
        
        See the `azure-keyvault-keys`
        [troubleshooting guide](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/TROUBLESHOOTING.md)
        for details on how to diagnose various failure scenarios.
        
        ### General
        Key Vault clients raise exceptions defined in [azure-core][azure_core_exceptions].
        For example, if you try to get a key that doesn't exist in the vault, [KeyClient][key_client_docs]
        raises [ResourceNotFoundError](https://aka.ms/azsdk-python-core-exceptions-resource-not-found-error):
        
        ```python
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.keys import KeyClient
        from azure.core.exceptions import ResourceNotFoundError
        
        credential = DefaultAzureCredential()
        key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
        
        try:
            key_client.get_key("which-does-not-exist")
        except ResourceNotFoundError as e:
            print(e.message)
        ```
        
        ### Logging
        This library uses the standard
        [logging](https://docs.python.org/3/library/logging.html) library for logging.
        Basic information about HTTP sessions (URLs, headers, etc.) is logged at INFO
        level.
        
        Detailed DEBUG level logging, including request/response bodies and unredacted
        headers, can be enabled on a client with the `logging_enable` argument:
        ```py
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.keys import KeyClient
        import sys
        import logging
        
        # Create a logger for the 'azure' SDK
        logger = logging.getLogger('azure')
        logger.setLevel(logging.DEBUG)
        
        # Configure a console output
        handler = logging.StreamHandler(stream=sys.stdout)
        logger.addHandler(handler)
        
        credential = DefaultAzureCredential()
        
        # This client will log detailed information about its HTTP sessions, at DEBUG level
        client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential, logging_enable=True)
        ```
        
        Similarly, `logging_enable` can enable detailed logging for a single operation,
        even when it isn't enabled for the client:
        ```py
        client.get_key("my-key", logging_enable=True)
        ```
        
        ## Next steps
        Several samples are available in the Azure SDK for Python GitHub repository.
        These provide example code for additional Key Vault scenarios:
        * [hello_world.py][hello_world_sample] and
        [hello_world_async.py][hello_world_async_sample] - create/get/update/delete keys
        * [list_operations.py][list_operations_sample] and
        [list_operations_async.py][list_operations_async_sample] - basic list operations for keys
        * [backup_restore_operations.py][backup_operations_sample] and
        [backup_restore_operations_async.py][backup_operations_async_sample] - backup and
        recover keys
        * [recover_purge_operations.py][recover_purge_sample] and
        [recover_purge_operations_async.py][recover_purge_async_sample] - recovering and purging keys
        
        ###  Additional Documentation
        For more extensive documentation on Azure Key Vault, see the
        [API reference documentation][reference_docs].
        
        ## Contributing
        This project welcomes contributions and suggestions. Most contributions require
        you to agree to a Contributor License Agreement (CLA) declaring that you have
        the right to, and actually do, grant us the rights to use your contribution.
        For details, visit https://cla.microsoft.com.
        
        When you submit a pull request, a CLA-bot will automatically determine whether
        you need to provide a CLA and decorate the PR appropriately (e.g., label,
        comment). Simply follow the instructions provided by the bot. You will only
        need to do this once across all repos using our CLA.
        
        This project has adopted the [Microsoft Open Source Code of Conduct][code_of_conduct].
        For more information, see the
        [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
        contact opencode@microsoft.com with any additional questions or comments.
        
        [access_control]: https://docs.microsoft.com/azure/key-vault/managed-hsm/access-control
        [azure_cloud_shell]: https://shell.azure.com/bash
        [azure_core_exceptions]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/core/azure-core#azure-core-library-exceptions
        [azure_identity]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity
        [azure_identity_pypi]: https://pypi.org/project/azure-identity/
        [azure_sub]: https://azure.microsoft.com/free/
        [default_cred_ref]: https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential
        [code_of_conduct]: https://opensource.microsoft.com/codeofconduct/
        [hello_world_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py
        [hello_world_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py
        [backup_operations_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py
        [backup_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py
        [list_operations_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py
        [list_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py
        [recover_purge_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py
        [recover_purge_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py
        [keyvault_docs]: https://docs.microsoft.com/azure/key-vault/
        [pip]: https://pypi.org/project/pip/
        [pypi_package_keys]: https://pypi.org/project/azure-keyvault-keys/
        [rbac_guide]: https://docs.microsoft.com/azure/key-vault/general/rbac-guide
        [reference_docs]: https://aka.ms/azsdk/python/keyvault-keys/docs
        [key_client_docs]: https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient
        [crypto_client_docs]: https://aka.ms/azsdk/python/keyvault-keys/crypto/docs
        [key_client_src]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys
        [key_samples]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples
        [soft_delete]: https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview
        
        ![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-python%2Fsdk%2Fkeyvault%2Fazure-keyvault-keys%2FREADME.png)
        
        
        # Release History
        
        ## 4.5.1 (2022-04-18)
        
        ### Bugs Fixed
        - Fixed error that could occur when fetching a key rotation policy that has no defined
          `lifetime_actions`.
        
        ## 4.5.0 (2022-03-28)
        
        ### Features Added
        - Key Vault API version 7.3 is now the default
        - Added support for multi-tenant authentication when using `azure-identity`
          1.8.0 or newer ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698))
        - (From 4.5.0b1) `KeyClient` has a `get_random_bytes` method for getting a requested number of
          random bytes from a managed HSM
        - (From 4.5.0b2) Added support for secure key release from a Managed HSM
          ([#19588](https://github.com/Azure/azure-sdk-for-python/issues/19588))
          - Added `release_key` method to `KeyClient` for releasing the private component of a key
          - Added `exportable` and `release_policy` keyword-only arguments to key creation and import
            methods
          - Added `KeyExportEncryptionAlgorithm` enum for specifying an encryption algorithm to be used
            in key release
        - (From 4.5.0b4) Added `KeyClient.get_cryptography_client`, which provides a simple way to
          create a `CryptographyClient` for a key, given its name and optionally a version
          ([#20621](https://github.com/Azure/azure-sdk-for-python/issues/20621))
        - (From 4.5.0b4) Added support for automated and on-demand key rotation in Azure Key Vault
          ([#19840](https://github.com/Azure/azure-sdk-for-python/issues/19840))
          - Added `KeyClient.rotate_key` to rotate a key on-demand
          - Added `KeyClient.update_key_rotation_policy` to update a key's automated rotation policy
        - (From 4.5.0b6) Added `immutable` keyword-only argument and property to `KeyReleasePolicy` to
          support immutable release policies. Once a release policy is marked as immutable, it can no
          longer be modified.
        
        ### Breaking Changes
        > These changes do not impact the API of stable versions such as 4.4.0.
        > Only code written against a beta version such as 4.5.0b1 may be affected.
        - `KeyClient.update_key_rotation_policy` accepts a required `policy` argument
          ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981))
        - The optional `version` parameter in `KeyClient.release_key` is now a keyword-only argument
          ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981))
        - Renamed the `name` parameter in `KeyClient.get_key_rotation_policy` and
          `KeyClient.update_key_rotation_policy` to `key_name`
          ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981))
        - Enum values in `azure-keyvault-keys` are now uniformly lower-cased
          ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981))
        
        ### Bugs Fixed
        - `KeyType` now ignores casing during declaration, which resolves a scenario where Key Vault
          keys created with non-standard casing could not be fetched with the SDK
          ([#22797](https://github.com/Azure/azure-sdk-for-python/issues/22797))
        
        ### Other Changes
        - (From 4.5.0b6) Python 2.7 is no longer supported. Please use Python version 3.6 or later.
        - (From 4.5.0b6) Updated minimum `azure-core` version to 1.20.0
        - (From 4.5.0b3) Updated type hints to fix mypy errors
          ([#19158](https://github.com/Azure/azure-sdk-for-python/issues/19158))
        - (From 4.5.0b4) `CryptographyClient` no longer requires a key version when providing a key ID to its constructor
          (though providing a version is still recommended)
        - (From 4.5.0b5) To support multi-tenant authentication, `get_token` calls during challenge
          authentication requests now pass in a `tenant_id` keyword argument
          ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)). See
          https://aka.ms/azsdk/python/identity/tokencredential for more details on how to integrate
          this parameter if `get_token` is implemented by a custom credential.
        - (From 4.5.0b6) Updated type hints for `KeyProperties` model's `managed`, `exportable`, and
          `release_policy` properties ([#22368](https://github.com/Azure/azure-sdk-for-python/pull/22368))
        
        ## 4.5.0b6 (2022-02-08)
        
        ### Features Added
        - Added `immutable` keyword-only argument and property to `KeyReleasePolicy` to support immutable
          release policies. Once a release policy is marked as immutable, it can no longer be modified.
        
        ### Breaking Changes
        > These changes do not impact the API of stable versions such as 4.4.0.
        > Only code written against a beta version such as 4.5.0b1 may be affected.
        - Renamed the required argument `data` in `KeyReleasePolicy`'s constructor to
          `encoded_policy`
        
        ### Other Changes
        - Python 2.7 is no longer supported. Please use Python version 3.6 or later.
        - Updated minimum `azure-core` version to 1.20.0
        - Updated type hints for `KeyProperties` model's `managed`, `exportable`, and `release_policy`
          properties ([#22368](https://github.com/Azure/azure-sdk-for-python/pull/22368))
        - (From 4.5.0b5) To support multi-tenant authentication, `get_token` calls during challenge
          authentication requests now pass in a `tenant_id` keyword argument
          ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698))
        
        ## 4.5.0b5 (2021-11-11)
        
        ### Features Added
        - Added support for multi-tenant authentication when using `azure-identity` 1.7.1 or newer
          ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698))
        
        ### Breaking Changes
        > These changes do not impact the API of stable versions such as 4.4.0.
        > Only code written against a beta version such as 4.5.0b1 may be affected.
        - `KeyClient.get_random_bytes` now returns bytes instead of RandomBytes. The RandomBytes class
          has been removed
        - Renamed the `version` keyword-only argument in `KeyClient.get_cryptography_client` to
          `key_version`
        - Renamed `KeyReleasePolicy.data` to `KeyReleasePolicy.encoded_policy`
        - Renamed the `target` parameter in `KeyClient.release_key` to `target_attestation_token`
        
        ### Other Changes
        - Updated minimum `azure-core` version to 1.15.0
        
        ## 4.5.0b4 (2021-10-07)
        
        ### Features Added
        - Added `KeyClient.get_cryptography_client`, which provides a simple way to create a
          `CryptographyClient` for a key, given its name and optionally a version
          ([#20621](https://github.com/Azure/azure-sdk-for-python/issues/20621))
        - Added support for automated and on-demand key rotation in Azure Key Vault
          ([#19840](https://github.com/Azure/azure-sdk-for-python/issues/19840))
          - Added `KeyClient.rotate_key` to rotate a key on-demand
          - Added `KeyClient.update_key_rotation_policy` to update a key's automated rotation policy
        
        ### Other Changes
        - `CryptographyClient` no longer requires a key version when providing a key ID to its constructor
          (though providing a version is still recommended)
        
        ## 4.5.0b3 (2021-09-09)
        
        ### Other Changes
        - Updated type hints to fix mypy errors
          ([#19158](https://github.com/Azure/azure-sdk-for-python/issues/19158))
        
        ## 4.5.0b2 (2021-08-10)
        
        ### Features Added
        - Added support for secure key release from a Managed HSM
          ([#19588](https://github.com/Azure/azure-sdk-for-python/issues/19588))
          - Added `release_key` method to `KeyClient` for releasing the private component of a key
          - Added `exportable` and `release_policy` keyword-only arguments to key creation and import
            methods
          - Added `KeyExportEncryptionAlgorithm` enum for specifying an encryption algorithm to be used
            in key release
        
        ### Breaking Changes
        > These changes do not impact the API of stable versions such as 4.4.0.
        > Only code written against a beta version such as 4.5.0b1 may be affected.
        - `KeyClient.get_random_bytes` now returns a `RandomBytes` model with bytes in a `value`
          property, rather than returning the bytes directly
          ([#19895](https://github.com/Azure/azure-sdk-for-python/issues/19895))
        
        ## 4.5.0b1 (2021-07-08)
        Beginning with this release, this library requires Python 2.7 or 3.6+.
        
        ### Features Added
        - Key Vault API version 7.3-preview is now the default
        - `KeyClient` has a `get_random_bytes` method for getting a requested number of random
          bytes from a managed HSM
        
        ## 4.4.0 (2021-06-22)
        This is the last version to support Python 3.5. The next version will require Python 2.7 or 3.6+.
        ### Changed
        - Key Vault API version 7.2 is now the default
        - (From 4.4.0b1) Updated minimum `msrest` version to 0.6.21
        
        ### Added
        - `KeyClient` has a `create_oct_key` method for creating symmetric keys
        - `KeyClient`'s `create_key` and `create_rsa_key` methods now accept a `public_exponent`
          keyword-only argument ([#18016](https://github.com/Azure/azure-sdk-for-python/issues/18016))
        - (From 4.4.0b1) Added support for Key Vault API version 7.2
          ([#16566](https://github.com/Azure/azure-sdk-for-python/pull/16566))
          - Added `oct_hsm` to `KeyType`
          - Added 128-, 192-, and 256-bit AES-GCM, AES-CBC, and AES-CBCPAD encryption
            algorithms to `EncryptionAlgorithm`
          - Added 128- and 192-bit AES-KW key wrapping algorithms to `KeyWrapAlgorithm`
          - `CryptographyClient`'s `encrypt` method accepts `iv` and
            `additional_authenticated_data` keyword arguments
          - `CryptographyClient`'s `decrypt` method accepts `iv`,
            `additional_authenticated_data`, and `authentication_tag` keyword arguments
          - Added `iv`, `aad`, and `tag` properties to `EncryptResult`
        - (From 4.4.0b3) `CryptographyClient` will perform all operations locally if initialized with
          the `.from_jwk` factory method
          ([#16565](https://github.com/Azure/azure-sdk-for-python/pull/16565))
        - (From 4.4.0b3) Added requirement for `six`>=1.12.0
        - (From 4.4.0b4) `CryptographyClient` can perform AES-CBCPAD encryption and decryption locally
          ([#17762](https://github.com/Azure/azure-sdk-for-python/pull/17762))
        
        ### Breaking Changes
        > These changes do not impact the API of stable versions such as 4.3.1.
        > Only code written against a beta version such as 4.4.0b1 may be affected.
        - `parse_key_vault_key_id` and `KeyVaultResourceId` have been replaced by a
          `KeyVaultKeyIdentifier` class, which can be initialized with a key ID
        
        ## 4.4.0b4 (2021-04-06)
        ### Added
        - `CryptographyClient` can perform AES-CBCPAD encryption and decryption locally
          ([#17762](https://github.com/Azure/azure-sdk-for-python/pull/17762))
        
        ## 4.4.0b3 (2021-03-11)
        ### Added
        - `CryptographyClient` will perform all operations locally if initialized with
          the `.from_jwk` factory method
          ([#16565](https://github.com/Azure/azure-sdk-for-python/pull/16565))
        - Added requirement for six>=1.12.0
        
        ## 4.4.0b2 (2021-02-10)
        ### Fixed
        - API versions older than 7.2-preview no longer raise `ImportError` when
          performing async operations ([#16680](https://github.com/Azure/azure-sdk-for-python/pull/16680))
        
        ## 4.4.0b1 (2021-02-10)
        ### Changed
        - Key Vault API version 7.2-preview is now the default
        - Updated msrest requirement to >=0.6.21
        
        ### Added
        - Support for Key Vault API version 7.2-preview
          ([#16566](https://github.com/Azure/azure-sdk-for-python/pull/16566))
          - Added `oct_hsm` to `KeyType`
          - Added 128-, 192-, and 256-bit AES-GCM, AES-CBC, and AES-CBCPAD encryption
            algorithms to `EncryptionAlgorithm`
          - Added 128- and 192-bit AES-KW key wrapping algorithms to `KeyWrapAlgorithm`
          - `CryptographyClient`'s `encrypt` method accepts `iv` and
            `additional_authenticated_data` keyword arguments
          - `CryptographyClient`'s `decrypt` method accepts `iv`,
            `additional_authenticated_data`, and `authentication_tag` keyword arguments
          - Added `iv`, `aad`, and `tag` properties to `EncryptResult`
        - Added method `parse_key_vault_key_id` that parses out a full ID returned by
        Key Vault, so users can easily access the key's `name`, `vault_url`, and `version`.
        
        ## 4.3.1 (2020-12-03)
        ### Fixed
        - `CryptographyClient` operations no longer raise `AttributeError` when
          the client was constructed with a key ID
          ([#15608](https://github.com/Azure/azure-sdk-for-python/issues/15608))
        
        ## 4.3.0 (2020-10-06)
        ### Changed
        - `CryptographyClient` can perform decrypt and sign operations locally
          ([#9754](https://github.com/Azure/azure-sdk-for-python/issues/9754))
        
        ### Fixed
        - Correct typing for async paging methods
        
        ## 4.2.0 (2020-08-11)
        ### Fixed
        - Values of `x-ms-keyvault-region` and `x-ms-keyvault-service-version` headers
          are no longer redacted in logging output
        - `CryptographyClient` will no longer perform encrypt or wrap operations when
          its key has expired or is not yet valid
        
        ### Changed
        - Key Vault API version 7.1 is now the default
        - Updated minimum `azure-core` version to 1.7.0
        
        ### Added
        - At construction, clients accept a `CustomHookPolicy` through the optional
          keyword argument `custom_hook_policy`
        - All client requests include a unique ID in the header `x-ms-client-request-id`
        - Dependency on `azure-common` for multiapi support
        
        ## 4.2.0b1 (2020-03-10)
        - Support for Key Vault API version 7.1-preview
        ([#10124](https://github.com/Azure/azure-sdk-for-python/pull/10124))
          - Added `import_key` to `KeyOperation`
          - Added `recoverable_days` to `CertificateProperties`
          - Added `ApiVersion` enum identifying Key Vault versions supported by this package
        
        ## 4.1.0 (2020-03-10)
        - `KeyClient` instances have a `close` method which closes opened sockets. Used
        as a context manager, a `KeyClient` closes opened sockets on exit.
        ([#9906](https://github.com/Azure/azure-sdk-for-python/pull/9906))
        - Pollers no longer sleep after operation completion
        ([#9991](https://github.com/Azure/azure-sdk-for-python/pull/9991))
        
        ## 4.0.1 (2020-02-11)
        - `azure.keyvault.keys` defines `__version__`
        - Challenge authentication policy preserves request options
        ([#8999](https://github.com/Azure/azure-sdk-for-python/pull/8999))
        - Updated `msrest` requirement to >=0.6.0
        - Challenge authentication policy requires TLS
        ([#9457](https://github.com/Azure/azure-sdk-for-python/pull/9457))
        - Methods no longer raise the internal error `KeyVaultErrorException`
        ([#9690](https://github.com/Azure/azure-sdk-for-python/issues/9690))
        - Fix `AttributeError` in async CryptographyClient when verifying signatures remotely
        ([#9734](https://github.com/Azure/azure-sdk-for-python/pull/9734))
        
        ## 4.0.0 (2019-10-31)
        ### Breaking changes:
        - Removed `KeyClient.get_cryptography_client()` and `CryptographyClient.get_key()`
        - Moved the optional parameters of several methods into kwargs (
        [docs](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.0.0/index.html)
        detail the new keyword arguments):
          - `create_key` now has positional parameters `name` and `key_type`
          - `create_ec_key` and `create_rsa_key` now have one positional parameter, `name`
          - `update_key_properties` now has two positional parameters, `name` and
             (optional) `version`
          - `import_key` now has positional parameters `name` and `key`
        - `CryptographyClient` operations return class instances instead of tuples and renamed the following
        properties
            - Renamed the `decrypted_bytes` property of `DecryptResult` to `plaintext`
            - Renamed the `unwrapped_bytes` property of `UnwrapResult` to `key`
            - Renamed the `result` property of `VerifyResult` to `is_valid`
        - Renamed the `UnwrapKeyResult` and `WrapKeyResult` classes to `UnwrapResult` and `WrapResult`
        - Renamed `list_keys` to `list_properties_of_keys`
        - Renamed `list_key_versions` to `list_properties_of_key_versions`
        - Renamed sync method `delete_key` to `begin_delete_key`
        - The sync method `begin_delete_key` and async `delete_key` now return pollers that return a `DeletedKey`
        - Renamed `Key` to `KeyVaultKey`
        - `KeyVaultKey` properties `created`, `expires`, and `updated` renamed to `created_on`,
        `expires_on`, and `updated_on`
        - The `vault_endpoint` parameter of `KeyClient` has been renamed to `vault_url`
        - The property `vault_endpoint` has been renamed to `vault_url` in all models
        
        ### New features:
        - Now all `CryptographyClient` returns include `key_id` and `algorithm` properties
        
        
        ## 4.0.0b4 (2019-10-08)
        - Enums `JsonWebKeyCurveName`, `JsonWebKeyOperation`, and `JsonWebKeyType` have
        been renamed to `KeyCurveName`, `KeyOperation`, and `KeyType`, respectively.
        - `Key` now has attribute `properties`, which holds certain properties of the
        key, such as `version`. This changes the shape of the returned `Key` type,
        as certain properties of `Key` (such as `version`) have to be accessed
        through the `properties` property.
        
        - `update_key` has been renamed to `update_key_properties`
        - The `vault_url` parameter of `KeyClient` has been renamed to `vault_endpoint`
        - The property `vault_url` has been renamed to `vault_endpoint` in all models
        
        ### Fixes and improvements:
        - The `key` argument to `import_key` should be an instance of `azure.keyvault.keys.JsonWebKey`
        ([#7590](https://github.com/Azure/azure-sdk-for-python/pull/7590))
        
        
        ## 4.0.0b3 (2019-09-11)
        ### Breaking changes:
        - `CryptographyClient` methods `wrap` and `unwrap` are renamed `wrap_key` and
        `unwrap_key`, respectively.
        
        ### New features:
        - `CryptographyClient` performs encrypt, verify and wrap operations locally
        when its key's public material is available (i.e., when it has keys/get
        permission).
        
        ## 4.0.0b2 (2019-08-06)
        ### Breaking changes:
        - Removed `azure.core.Configuration` from the public API in preparation for a
        revamped configuration API. Static `create_config` methods have been renamed
        `_create_config`, and will be removed in a future release.
        - Removed `wrap_key` and `unwrap_key` from `KeyClient`. These are now available
        through `CryptographyClient`.
        - This version of the library requires `azure-core` 1.0.0b2
          - If you later want to revert to a version requiring azure-core 1.0.0b1,
          of this or another Azure SDK library, you must explicitly install azure-core
          1.0.0b1 as well. For example:
          `pip install azure-core==1.0.0b1 azure-keyvault-keys==4.0.0b1`
        
        ### New features:
        - Added `CryptographyClient`, a client for performing cryptographic operations
        (encrypt/decrypt, wrap/unwrap, sign/verify) with a key.
        - Distributed tracing framework OpenCensus is now supported
        - Added support for HTTP challenge based authentication, allowing clients to
        interact with vaults in sovereign clouds.
        
        ### Other changes:
        - Async clients use [aiohttp](https://pypi.org/project/aiohttp/) for transport
        by default. See
        [azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/README.md/#transport)
        for more information about using other transports.
        
        ## 4.0.0b1 (2019-06-28)
        Version 4.0.0b1 is the first preview of our efforts to create a user-friendly
        and Pythonic client library for Azure Key Vault. For more information about
        preview releases of other Azure SDK libraries, please visit
        https://aka.ms/azure-sdk-preview1-python.
        
        This library is not a direct replacement for `azure-keyvault`. Applications
        using that library would require code changes to use `azure-keyvault-keys`.
        This package's
        [documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/README.md)
        and
        [samples](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples)
        demonstrate the new API.
        
        ### Major changes from `azure-keyvault`
        - Packages scoped by functionality
            - `azure-keyvault-keys` contains a client for key operations,
            `azure-keyvault-secrets` contains a client for secret operations
        - Client instances are scoped to vaults (an instance interacts with one vault
        only)
        - Asynchronous API supported on Python 3.5.3+
            - the `azure.keyvault.keys.aio` namespace contains an async equivalent of
            the synchronous client in `azure.keyvault.keys`
        - Authentication using `azure-identity` credentials
          - see this package's
          [documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/README.md)
          , and the
          [Azure Identity documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/README.md)
          for more information
        
        ### `azure-keyvault` features not implemented in this release
        - Certificate management APIs
        - Cryptographic operations, e.g. sign, un/wrap_key, verify, en- and
        decrypt
        - National cloud support. This release supports public global cloud vaults,
            e.g. https://{vault-name}.vault.azure.net
        
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: License :: OSI Approved :: MIT License
Requires-Python: >=3.6
Description-Content-Type: text/markdown
