Nik

Reputation: 2726

Is it possible to translate secrets in Azure Key Vault?

I'm receiving a secret encrypted with Key A, and need to send it somewhere else encrypted under Key B.

Both keys can be symmetric or asymmetric - but I'd like to achieve this within the vault itself (first prize) - (avoiding a decrypt, having the secret in the clear, then an encrypt).

Is this possible with Azure Key Vault? If not, any workarounds?

Thanks.

Upvotes: 0

Views: 236

Answers (1)

Jordan

Reputation: 359

As far as I am aware, at this point in time, it is not possible with the current Key Vault APIs. The way I think of Key Vault at this point in time is it's just a tailored service for storing and gaining access to Keys, Secrets, Certificates and managing applications and users that can access them (with some fancy bits on top).

You will need to decrypt and re-encrypt somewhere outside of Key Vault.

One possible workaround though given you are in Azure is to create an Azure Function to do this work. At least then the process of the translation happens inside an isolated Function context (in Azure). The beauty of using an Azure Function is that you could do this with minimal code and without a full application, but you would need to ensure that Function can only be utilised by you.

A possible workflow could be:

1) If Key A is not in Key Vault, upload it.

2) If Key B is not in Key Vault, upload it.

3) Run Azure Function with inputs for Key Vault identifiers for Key A, Key B and A(Secret). Do the conversion and then the Function could store B(Secret) in Key Vault (or another Key Vault if you have access to one).

Alternatively it could just output the new encrypted secret.

C# Key Vault Client:
https://learn.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application

An example of Azure Function and Key Vault in C# for reference: http://www.rahulpnath.com/blog/azure-key-vault-from-azure-functions/

Upvotes: 0
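Step 3 of the workflow above, written out as an added example (not code from the answer or from Microsoft): an in-process C# Azure Function that decrypts the input with Key A and re-encrypts it with Key B using the Key Vault `CryptographyClient`, so the private keys stay inside the vault and only the plaintext passes briefly through the Function's memory. It assumes both keys are RSA, that the sender used RSA-OAEP-256, that the Function's managed identity has `decrypt` on Key A and `encrypt` on Key B (and nothing more), and a hypothetical JSON request shape chosen for this example.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Keys.Cryptography;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;

public static class ReEncryptFunction
{
    // Unwrap under Key A, re-wrap under Key B. Both key operations execute
    // inside Key Vault; the key IDs are full URIs, so A and B may live in
    // different vaults. The clear secret exists only in dec.Plaintext.
    public static async Task<byte[]> TranslateAsync(
        string keyAId, string keyBId, byte[] ciphertextUnderA)
    {
        // DefaultAzureCredential picks up the Function's managed identity.
        var credential = new DefaultAzureCredential();
        var keyA = new CryptographyClient(new Uri(keyAId), credential);
        var keyB = new CryptographyClient(new Uri(keyBId), credential);

        // Assumption: RSA keys, sender encrypted with RSA-OAEP-256.
        DecryptResult dec = await keyA.DecryptAsync(EncryptionAlgorithm.RsaOaep256, ciphertextUnderA);
        EncryptResult enc = await keyB.EncryptAsync(EncryptionAlgorithm.RsaOaep256, dec.Plaintext);

        // Scrub the plaintext buffer as soon as it has been re-wrapped.
        Array.Clear(dec.Plaintext, 0, dec.Plaintext.Length);
        return enc.Ciphertext;
    }

    // AuthorizationLevel.Function requires the function key on every call,
    // which is one way to make sure only you can invoke the translation.
    [FunctionName("ReEncrypt")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "post")] HttpRequest req)
    {
        // Hypothetical body: {"keyA": "<key id>", "keyB": "<key id>", "ciphertext": "<base64>"}
        using JsonDocument doc = await JsonDocument.ParseAsync(req.Body);
        JsonElement root = doc.RootElement;
        string keyA = root.GetProperty("keyA").GetString();
        string keyB = root.GetProperty("keyB").GetString();
        byte[] ctUnderA = Convert.FromBase64String(root.GetProperty("ciphertext").GetString());

        byte[] ctUnderB = await TranslateAsync(keyA, keyB, ctUnderA);
        // Returns B(Secret); the caller (or this Function) can store it as a Key Vault secret.
        return new OkObjectResult(new { ciphertext = Convert.ToBase64String(ctUnderB) });
    }
}
```

Because the decrypted value is in the Function's memory between the two calls, this is still a decrypt-then-encrypt outside the vault, as the answer says; the gain is that the keys never leave Key Vault and the identity doing the work can be scoped to exactly those two operations.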
