1# Key Vault Keys — Java SDK Quick Reference
2 
3> Condensed from **azure-security-keyvault-keys-java**. Full patterns
4> (crypto operations, HSM keys, key rotation, backup/restore, import)
5> in the **azure-security-keyvault-keys-java** plugin skill if installed.
6 
7## Install
8```xml
9<dependency>
10    <groupId>com.azure</groupId>
11    <artifactId>azure-security-keyvault-keys</artifactId>
12    <version>4.9.0</version>
13</dependency>
14<dependency>
15    <groupId>com.azure</groupId>
16    <artifactId>azure-identity</artifactId>
17</dependency>
18```
19 
20## Quick Start
21 
22> **Auth:** `DefaultAzureCredential` is for local development. See [auth-best-practices.md](../auth-best-practices.md) for production patterns.
23 
24```java
25import com.azure.security.keyvault.keys.KeyClientBuilder;
26import com.azure.identity.DefaultAzureCredentialBuilder;
27var keyClient = new KeyClientBuilder()
28    .vaultUrl("https://<vault>.vault.azure.net")
29    .credential(new DefaultAzureCredentialBuilder().build())
30    .buildClient();
31```
32 
33## Best Practices
34- Use HSM keys for production — set `setHardwareProtected(true)` for sensitive keys
35- Enable soft delete — protects against accidental deletion
36- Key rotation — set up automatic rotation policies
37- Least privilege — use separate keys for different operations
38- Local crypto when possible — use CryptographyClient with local key material to reduce round-trips
39