Azure Key Vault Developer's Guide

Key Vault allows you to securely access sensitive information from within your applications:

  • Keys and secrets are protected without having to write the code yourself and you are easily able to use them from your applications.
  • You are able to have your customers own and manage their own keys so you can concentrate on providing the core software features. In this way, your applications will not own the responsibility or potential liability for your customers’ tenant keys and secrets.
  • Your application can use keys for signing and encryption yet keeps the key management external from your application, allowing your solution to be suitable as a geographically distributed app.
  • Manage Key Vault certificates. For more information, see About keys, secrets, and certificates.

For more general information on Azure Key Vault, see What is Key Vault.

Public Previews

Periodically, we release a public preview of a new Key Vault feature. Try these out and let us know what you think via our feedback email address.

Creating and Managing Key Vaults

Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Managed identities for Azure resources makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.

For more information on managed identities for Azure resources, see the managed identities overview. For more information on working with AAD, see Integrating applications with Azure Active Directory.
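
The credential-free flow described above, shown against the REST interface as an added example (not code from the original guide). It assumes the code runs on an Azure VM in the public Azure cloud with a managed identity that is allowed to read secrets; the helper names, vault name and secret name are hypothetical.

```python
import json
import re
import urllib.parse
import urllib.request

# Instance metadata endpoint that issues tokens for the VM's managed identity.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
VAULT_RESOURCE = "https://vault.azure.net"
# Vault names: 3-24 letters, digits or hyphens, starting with a letter.
VAULT_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]")
# Secret names: 1-127 letters, digits or hyphens.
SECRET_NAME_RE = re.compile(r"[A-Za-z0-9-]{1,127}")


def build_token_request(client_id=None):
    """Token request for Key Vault; note that it carries no credential."""
    params = {"api-version": "2018-02-01", "resource": VAULT_RESOURCE}
    if client_id:  # select a user-assigned identity
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Metadata": "true"})


def build_secret_request(vault_name, secret_name, token):
    """GET for a secret. Names are validated so the bearer token can only
    ever be sent to a *.vault.azure.net host, never to a caller-chosen URL."""
    if not VAULT_NAME_RE.fullmatch(vault_name):
        raise ValueError("invalid vault name")
    if not SECRET_NAME_RE.fullmatch(secret_name):
        raise ValueError("invalid secret name")
    url = (f"https://{vault_name}.vault.azure.net"
           f"/secrets/{secret_name}?api-version=7.4")
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}"})


def get_secret(vault_name, secret_name, opener=urllib.request.urlopen):
    """Fetch a token from the metadata endpoint, then read the secret."""
    with opener(build_token_request(), timeout=5) as resp:
        token = json.load(resp)["access_token"]
    request = build_secret_request(vault_name, secret_name, token)
    with opener(request, timeout=10) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    # Hypothetical vault and secret names; works only on an Azure VM.
    print(len(get_secret("contoso-vault", "db-password")))
```

The only secret-bearing value in the process is the short-lived access token, so keep it out of logs and error messages.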

Before working with keys, secrets or certificates in your key vault, you'll create and manage your key vault through CLI, PowerShell, Resource Manager Templates or REST, as described in the following articles:

Coding with Key Vault

The Key Vault management system for programmers consists of several interfaces. This section contains links to all of the languages as well as some code examples.

Supported programming and scripting languages


All of your Key Vault resources are accessible through the REST interface: vaults, keys, secrets, etc.

Key Vault REST API Reference.


.NET API reference for Key Vault.

For more information on the 2.x version of the .NET SDK, see the Release notes.


Java SDK for Key Vault


In Node.js, the Key Vault management API and the Key Vault object API are separate. The following overview article gives you access to both.

Azure Key Vault modules for Node.js


Azure Key Vault libraries for Python

Azure CLI

Azure CLI for Key Vault

Azure PowerShell

Azure PowerShell for Key Vault

Code examples

For complete examples using Key Vault with your applications, see:


The following articles and scenarios provide task-specific guidance for working with Azure Key Vault:

Integrated with Key Vault

These articles are about other scenarios and services that use or integrate with Key Vault.

  • Azure Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data in the virtual machine disks are encrypted at rest in your Azure storage.

Key Vault overviews and concepts


Supporting Libraries