Microsoft Corporation Azure Keyvault Securitydomain Client Library for Python
Project description
Azure Key Vault Security Domain client library for Python
Azure Key Vault helps solve the following problems:
- Managed HSM security domain management (this library) - securely download and restore a managed HSM's security domain
- Cryptographic key management (azure-keyvault-keys)- create, store, and control access to the keys used to encrypt your data
- Secrets management (azure-keyvault-secrets) - securely store and control access to tokens, passwords, certificates, API keys, and other secrets
- Certificate management (azure-keyvault-certificates) - create, manage, and deploy public and private SSL/TLS certificates
- Vault administration (azure-keyvault-administration) - role-based access control (RBAC), and vault-level backup and restore options
Source code | Package (PyPI) | API reference documentation | Key Vault documentation | Managed HSM documentation | Samples
Getting started
Install the package
Install azure-keyvault-securitydomain and azure-identity with pip:
python -m pip install azure-keyvault-securitydomain azure-identity
azure-identity is used for Microsoft Entra ID authentication as demonstrated below.
Prequisites
- Python 3.9 or later
- An Azure subscription
- An existing Key Vault Managed HSM. If you need to create a Managed HSM, you can do so using the Azure CLI by following the steps in this document.
Authenticate the client
In order to interact with the Azure Key Vault service, you will need an instance of a SecurityDomainClient, as well as a vault URL and a credential object. This document demonstrates using a DefaultAzureCredential, which is appropriate for most scenarios. We recommend using a managed identity for authentication in production environments.
See azure-identity documentation for more information about other methods of authentication and their corresponding credential types.
Create a client
After configuring your environment for the DefaultAzureCredential to use a suitable method of
authentication, you can do the following to create a security domain client (replacing the value of VAULT_URL with
your vault's URL):
from azure.identity import DefaultAzureCredential
from azure.keyvault.securitydomain import SecurityDomainClient
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = SecurityDomainClient(vault_url=VAULT_URL, credential=credential)
NOTE: For an asynchronous client, import
azure.keyvault.securitydomain.aio'sSecurityDomainClientinstead.
Key concepts
Security domain
To operate, a managed HSM must have a security domain. The security domain is an encrypted blob file that contains artifacts like the HSM backup, user credentials, the signing key, and the data encryption key that's unique to the managed HSM. For more information, please see service documentation.
SecurityDomainClient
A SecurityDomainClient can download and upload managed HSM security domains and get transfer keys.
Download operation
A download operation retrieves the security domain of a managed HSM. This can be used to activate a provisioned managed HSM.
Upload operation
An upload operation restores a managed HSM using a provided security domain.
Transfer key
A transfer key, or exchange key, is used to encrypt a security domain before uploading it to a managed HSM. For more information, please see the disaster recovery guide.
Examples
This section contains code snippets covering common tasks:
Download a security domain
begin_download can be used by a SecurityDomainClient to fetch a managed HSM's security domain, and this will also
activate a provisioned managed HSM. By default, the poller returned by this operation will poll on the managed HSM's
activation status, finishing when it's activated. To return immediately with the security domain object without waiting
for activation, you can pass the keyword argument skip_activation_polling=True.
from azure.keyvault.securitydomain.models import SecurityDomain
security_domain: SecurityDomain = client.begin_download(certificate_info=certs_object).result()
assert security_domain.value
print("The managed HSM is now active.")
Get a transfer key
Using a different managed HSM than the one the security domain was downloaded from, get_transfer_key can be used by
a SecurityDomainClient to fetch a transfer key (also known as an exchange key).
from azure.keyvault.securitydomain.models import TransferKey
NEW_VAULT_URL = os.environ["NEW_VAULT_URL"]
upload_client = SecurityDomainClient(vault_url=NEW_VAULT_URL, credential=credential)
transfer_key: TransferKey = upload_client.get_transfer_key()
assert transfer_key.transfer_key_jwk
Upload a security domain
begin_upload can be used by a SecurityDomainClient to restore a different managed HSM with a security domain, for
example for disaster recovery. Like the download operation this will activate a provisioned managed HSM, but the poller
will return None if successful (and an error if unsuccessful) instead of the security domain object.
from azure.keyvault.securitydomain.models import SecurityDomainOperationStatus
result: SecurityDomainOperationStatus = upload_client.begin_upload(security_domain=result).result()
print("The managed HSM has been successfully restored with the security domain.")
Troubleshooting
See the Azure Key Vault SDK's troubleshooting guide for details on how to diagnose various failure scenarios.
Next steps
Samples are available in the Azure SDK for Python GitHub repository. These samples provide example code for the following scenarios:
Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file azure_keyvault_securitydomain-1.0.0b1.tar.gz.
File metadata
- Download URL: azure_keyvault_securitydomain-1.0.0b1.tar.gz
- Upload date:
- Size: 68.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: RestSharp/106.13.0.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3291a191e778a947e4b28ed01327892a93aedcf8e0a0dd674cf116cb11043776
|
|
| MD5 |
91351bbddbd501081bc82819dcaa1c4e
|
|
| BLAKE2b-256 |
a6183a67754d999a0244f3551c8c28031cdfb5d2b6f072df6b55fc2bf2e69ec5
|
File details
Details for the file azure_keyvault_securitydomain-1.0.0b1-py3-none-any.whl.
File metadata
- Download URL: azure_keyvault_securitydomain-1.0.0b1-py3-none-any.whl
- Upload date:
- Size: 79.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: RestSharp/106.13.0.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6b97592dbf1ae8139a46a3e9e836a5889b30412f3f16da010d9ed031a8515dd6
|
|
| MD5 |
1e35bad6d90bf7673cc66d44cfe5e70d
|
|
| BLAKE2b-256 |
4177ad71f8f35ccf78b8e833b355493726ffe401840c448073fef0a8562e1e87
|
