Azure KeyVault used for Blockchain data encryption with Java / Spring (2)

How to use KeyVault with Java

1. First step is to create your Azure account, if you don't have one already.

2. Next, use the Azure CLI to create the Azure KeyVault. I insist on this: use the CLI, not the web interface. You will thank me later when you want to repeat the same process at deploy time and can just run a script (as opposed to the "what button did I press to do that? / how do I get to that page?" approach).

3. Create users (server users) for KeyVault. For your servers to be able to interact with KeyVault, they need to authenticate, so you will need to create users for them.

Client authentication to KeyVault can be done in several ways: using managed identities for Azure resources, using certificates, or using a service principal with a client secret (basically a user and password). For simplicity, I've used the user/password approach here. Note that it is not recommended for production. See more on authentication here.

4. Grant rights to the KeyVault. Below I grant everything; you might want to grant only the permissions your application actually needs.

5. Add the libraries to your project; the example below uses Gradle.

6. Set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID to the values you obtained at step 3 so the client can authenticate; you can set them in your IDE or directly in the operating system.

7. Create a KeyClient.

8. Create an RSA asymmetric key.

9. Use the RSA key to encrypt something (for example, the value of a symmetric key).

For reasons only cryptographers know, encrypting a symmetric key is called wrapping the key. What the wrap method above does is nothing more and nothing less than encrypting the provided value with the RSA asymmetric key stored in KeyVault and returning the encrypted result.

10. Use the RSA key to decrypt something.
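Steps 7 to 10 put together, as an added example that is not the post's own code: it assumes the azure-security-keyvault-keys and azure-identity libraries from step 5 are on the classpath, the three AZURE_* environment variables from step 6 are set, and the vault URL and key name are placeholders you replace with your own.

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.core.credential.TokenCredential;
import com.azure.security.keyvault.keys.KeyClient;
import com.azure.security.keyvault.keys.KeyClientBuilder;
import com.azure.security.keyvault.keys.cryptography.CryptographyClient;
import com.azure.security.keyvault.keys.cryptography.CryptographyClientBuilder;
import com.azure.security.keyvault.keys.cryptography.models.KeyWrapAlgorithm;
import com.azure.security.keyvault.keys.models.CreateRsaKeyOptions;
import com.azure.security.keyvault.keys.models.KeyVaultKey;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.util.Arrays;

public class KeyVaultWrapDemo {
    // Placeholder vault URL and key name (hypothetical; substitute your own).
    private static final String VAULT_URL = "https://<your-vault-name>.vault.azure.net";
    private static final String RSA_KEY_NAME = "blockchain-data-kek";

    public static void main(String[] args) throws Exception {
        // Steps 6 and 7: DefaultAzureCredential picks up AZURE_CLIENT_ID,
        // AZURE_CLIENT_SECRET and AZURE_TENANT_ID from the environment.
        TokenCredential credential = new DefaultAzureCredentialBuilder().build();
        KeyClient keyClient = new KeyClientBuilder()
                .vaultUrl(VAULT_URL).credential(credential).buildClient();

        // Step 8: create a 2048-bit RSA key; the private half never leaves the vault.
        KeyVaultKey rsaKey = keyClient.createRsaKey(
                new CreateRsaKeyOptions(RSA_KEY_NAME).setKeySize(2048));

        // Step 9: generate a local AES-256 data key and wrap (encrypt) it with RSA-OAEP.
        KeyGenerator aesGen = KeyGenerator.getInstance("AES");
        aesGen.init(256);
        SecretKey dataKey = aesGen.generateKey();
        CryptographyClient cryptoClient = new CryptographyClientBuilder()
                .keyIdentifier(rsaKey.getId()).credential(credential).buildClient();
        byte[] wrappedKey = cryptoClient
                .wrapKey(KeyWrapAlgorithm.RSA_OAEP, dataKey.getEncoded()).getEncryptedKey();
        // wrappedKey is safe to store alongside the data it protects.

        // Step 10: unwrap (decrypt) and verify the round trip.
        byte[] recovered = cryptoClient
                .unwrapKey(KeyWrapAlgorithm.RSA_OAEP, wrappedKey).getKey();
        if (!Arrays.equals(dataKey.getEncoded(), recovered)) {
            throw new IllegalStateException("unwrapped key does not match the original");
        }
        System.out.println("wrap/unwrap round trip OK (" + wrappedKey.length + " wrapped bytes)");
    }
}
```

Every call to createRsaKey produces a new key version, and rsaKey.getId() is the versioned identifier, so persist that identifier next to each wrapped key or a later unwrap will be attempted with the wrong version.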

You can find the same steps, maybe with more details, here.

In the end, I think Azure KeyVault is a solid option for data encryption and secret storage. It's just that the documentation is really bad.