
关于
使用 Azure Key Vault Secrets JavaScript SDK(@azure/keyvault-secrets)管理密钥。适用于存储和检索应用密钥或配置值。
name: azure-keyvault-secrets-ts
description: "使用 Azure Key Vault Secrets SDK for JavaScript (@azure/keyvault-secrets) 管理密钥。用于存储和检索应用程序密钥或配置值。"
risk: unknown
source: community
date_added: "2026-02-27"
Azure Key Vault Secrets SDK for TypeScript
使用 Azure Key Vault 管理密钥。
安装
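# Secrets SDK, plus the Keys SDK that the KeyClient / CryptographyClient examples on this
# page import, plus the credential library.
npm install @azure/keyvault-secrets @azure/keyvault-keys @azure/identity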
环境变量
# Full vault URI. These variables only identify the vault; no credential is stored in them.
KEY_VAULT_URL=https://<vault-name>.vault.azure.net
# or: the vault name alone. The client setup on this page reads AZURE_KEYVAULT_NAME and
# builds the URI from it.
AZURE_KEYVAULT_NAME=<vault-name>
认证
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient } from "@azure/keyvault-keys";
import { SecretClient } from "@azure/keyvault-secrets";
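// DefaultAzureCredential walks a chain of credential sources (environment variables,
// managed identity, developer tool logins), so the same code runs locally and in Azure.
const credential = new DefaultAzureCredential();

// Validate the vault name before it becomes part of a hostname: an unset variable would
// otherwise yield "https://undefined.vault.azure.net", and a value containing "/" or "."
// would point the client (and its token requests) at a host other than the intended vault.
// Key Vault names are 3-24 characters: letters, digits and hyphens, starting with a letter.
const vaultName = process.env.AZURE_KEYVAULT_NAME;
if (!vaultName || !/^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$/.test(vaultName)) {
  throw new Error("AZURE_KEYVAULT_NAME is missing or is not a valid Key Vault name");
}
const vaultUrl = `https://${vaultName}.vault.azure.net`;

// One client per object type; both share the same credential and vault.
const keyClient = new KeyClient(vaultUrl, credential);
const secretClient = new SecretClient(vaultUrl, credential);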
机密(Secret)操作
创建/设置机密
// Store a secret. Calling setSecret on an existing name adds a new version.
// NOTE(review): "secret-value" is a placeholder literal; real values should come from a
// secure input rather than being committed in source.
const secret = await secretClient.setSecret("MySecret", "secret-value");

// Same call with optional attributes attached to the new version.
const secretOptions = {
  tags: { environment: "production" },
  contentType: "application/json",
  // Fixed sample date; choose an expiry that is still in the future when this runs.
  expiresOn: new Date("2025-12-31"),
  enabled: true,
};
const secretWithAttrs = await secretClient.setSecret("MySecret", "value", secretOptions);
获取机密
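// Fetch the latest version of the secret.
const secret = await secretClient.getSecret("MySecret");
// Log identifying metadata only. secret.value holds the plaintext, and anything written
// to stdout usually ends up in log files and log aggregation, where it outlives rotation.
console.log(secret.name, secret.properties.version);

// Fetch one specific version by passing its version id.
const specificSecret = await secretClient.getSecret("MySecret", {
  version: secret.properties.version
});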
列出机密
// Walk every secret in the vault. The iterator yields properties (name, version, ...)
// and not the secret values; a value needs a separate getSecret call.
for await (const { name } of secretClient.listPropertiesOfSecrets()) {
  console.log(name);
}

// Walk every stored version of one secret.
for await (const versionProperties of secretClient.listPropertiesOfSecretVersions("MySecret")) {
  console.log(versionProperties.version);
}
删除机密
// Soft delete: start the deletion and wait for the poller to report completion.
const deletePoller = await secretClient.beginDeleteSecret("MySecret");
await deletePoller.pollUntilDone();
// Purge (permanent delete) of the soft-deleted secret.
// NOTE(review): purge and the recover call below are alternatives for a soft-deleted
// secret, not steps to run in sequence; once purged, the secret cannot be recovered.
// Purge also needs its own permission and is presumably rejected when purge protection
// is enabled on the vault; confirm against the vault configuration.
await secretClient.purgeDeletedSecret("MySecret");
// Recover: bring a soft-deleted (not purged) secret back and wait for completion.
const recoverPoller = await secretClient.beginRecoverDeletedSecret("MySecret");
await recoverPoller.pollUntilDone();
密钥(Key)操作
创建密钥
// Generic form: the key type is passed as a string.
const key = await keyClient.createKey(
  "MyKey",
  "RSA"
);

// RSA key with an explicit modulus size in bits.
const rsaKey = await keyClient.createRsaKey(
  "MyRsaKey",
  { keySize: 2048 }
);

// Elliptic-curve key on the named curve.
const ecKey = await keyClient.createEcKey(
  "MyEcKey",
  { curve: "P-256" }
);

// Generic form with attributes. Creating "MyKey" again adds a new version of that key.
// NOTE(review): keyOps here allows both encryption and signing with one key; listing only
// the operations a key is meant for keeps its use narrow.
const keyWithAttrs = await keyClient.createKey("MyKey", "RSA", {
  keyOps: ["encrypt", "decrypt", "sign", "verify"],
  tags: { purpose: "encryption" },
  // Fixed sample date; choose an expiry that is still in the future when this runs.
  expiresOn: new Date("2025-12-31"),
  enabled: true,
});
获取密钥
// Fetch the latest version of the key, then print its name and key type.
const key = await keyClient.getKey("MyKey");
const { name: keyName, keyType } = key;
console.log(keyName, keyType);
列出密钥
// Walk the properties of every key in the vault and print each key's name.
for await (const { name } of keyClient.listPropertiesOfKeys()) {
  console.log(name);
}
轮换密钥
// Rotate on demand; the call resolves to the newly created key version.
const rotatedKey = await keyClient.rotateKey("MyKey");

// Rotation policy. Durations are ISO 8601: keys expire after 90 days ("P90D") and a
// rotation is triggered 30 days before expiry ("P30D").
await keyClient.updateKeyRotationPolicy("MyKey", {
  expiresIn: "P90D",
  lifetimeActions: [
    { timeBeforeExpiry: "P30D", action: "Rotate" },
  ],
});
删除密钥
// Soft-delete the key and block until the service reports the deletion as done.
const keyDeletePoller = await keyClient.beginDeleteKey("MyKey");
await keyDeletePoller.pollUntilDone();

// Purge the soft-deleted key. This is permanent: data encrypted or wrapped with the
// key can no longer be decrypted afterwards.
await keyClient.purgeDeletedKey("MyKey");
加密操作
创建 CryptographyClient
import { CryptographyClient } from "@azure/keyvault-keys";
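// Build the client from a key object (for example the result of keyClient.getKey).
const cryptoClient = new CryptographyClient(key, credential);

// Alternative: build it from the key identifier. The two forms previously declared the
// same constant twice, which does not compile, so this one has its own name.
// key.id is optional on the key type; check it instead of asserting with "!".
if (!key.id) {
  throw new Error("Key has no id; cannot create a CryptographyClient from it");
}
const cryptoClientFromId = new CryptographyClient(key.id, credential);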
加密/解密
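// Encrypt. "RSA-OAEP" uses the RFC 3447 default parameters (SHA-1 and MGF1 with SHA-1);
// "RSA-OAEP-256" is the same padding scheme with SHA-256, so it is used here.
// RSA encryption only fits small payloads; for bulk data, wrap a symmetric key instead.
const encryptResult = await cryptoClient.encrypt({
  algorithm: "RSA-OAEP-256",
  plaintext: Buffer.from("My secret message")
});

// Decrypt with the same algorithm that produced the ciphertext.
const decryptResult = await cryptoClient.decrypt({
  algorithm: "RSA-OAEP-256",
  ciphertext: encryptResult.result
});
// Printing the plaintext is for demonstration only; keep real decrypted data out of logs.
console.log(decryptResult.result.toString());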
签名/验证
import { createHash } from "node:crypto";
// Hash the message locally; sign() takes the digest, not the message itself, and the
// digest algorithm (SHA-256) has to match the signature algorithm (RS256).
const digest = createHash("sha256").update("My message").digest();

// Sign the digest with the vault-held key.
const { result: signature } = await cryptoClient.sign("RS256", digest);

// Verify the signature against the same digest.
const { result: isValid } = await cryptoClient.verify("RS256", digest, signature);
console.log("Valid:", isValid);
包装/解包密钥
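// Wrap (encrypt) key material so it can be stored next to the data it protects.
// "RSA-OAEP-256" replaces "RSA-OAEP", whose default parameters are SHA-1 based.
// NOTE(review): "key-material" is a placeholder; real key material should be random
// bytes from a cryptographic generator, not a string literal.
const wrapResult = await cryptoClient.wrapKey("RSA-OAEP-256", Buffer.from("key-material"));

// Unwrap with the same algorithm to get the original key material back.
const unwrapResult = await cryptoClient.unwrapKey("RSA-OAEP-256", wrapResult.result);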
备份和恢复
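// Back up. Each call resolves to an opaque, service-protected blob covering all versions
// of the object. Store the blobs with the same care as the vault itself.
const keyBackup = await keyClient.backupKey("MyKey");
const secretBackup = await secretClient.backupSecret("MySecret");

// Restore. The original page announced this step but showed no code for it.
// The backup calls can resolve to undefined, so check before restoring.
// NOTE(review): restore is expected to fail if an object with the same name already
// exists in the target vault; confirm for your vault before relying on it.
if (keyBackup && secretBackup) {
  const restoredKey = await keyClient.restoreKeyBackup(keyBackup);
  const restoredSecret = await secretClient.restoreSecretBackup(secretBackup);
}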

