Is it possible to get the private key out of Azure Key Vault Keys?

Question

All of the data encryption/decryption examples I have seen with Azure key Vault do the encryption locally and decryption within Azure itself by using the keyVaultClient.DecryptAsync() method.

I understand that this is more secure as the private key never leaves Azure and leaks into your application code, but what if I want to do the decryption locally as well, how do i get the private key out?

I am using keyVaultClient.GetKeyAsync() but it only seems to contain the public key.

One of the issues I have with the in Azure decryption is that I can't replicate it in development environment without the developer having access to Azure. There does not seem to be an emulator for Azure Key Vault.

It looks like the only way to achieve what I want is by using Azure Key Vault Secret and storing a PFX certificate containing public/private keys in it?

Answer 1

Sorry, no.

Azure Key Vault does not support EXPORT operations: once a key is provisioned in the system it cannot be extracted or its key material modified.

You can do a BACKUP, but all that's good for is a restore to Azure. You can't use it anywhere else.

Answer 2

As TerryCarmen said, you could not decrypt in local,only public key is available to the system. The API call to GetKeyAsync doesn't return private key data.This is why the DecryptAsync wrapper method does use the Key Vault API for descryption.

In other words, private keys never leave the vault, which is one reason to use Key Vault for decryption instead of bringing private keys in to the process.

For more details, you could refer to this article.