George Huang

Reputation: 2523

Store Private Key into Azure KeyVault, value got changed

I tried to store my private key to Azure Key Vault, but when I retrieve it out, my private key got changed.

If I put the private key into my web.config file, it works without any issue.

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAohoZ+TCXMn17BPFXFCuIHvh7oONSBNCjuixl2CbwrGO8tIAO
XIQP1sZa3lhXkUj0f4HewmYsx6JR+39Do21H+QtCZxR4qCvOJxrrFHqMrk76aQji
....
ZVmUljOatig+g+q+jMEf7IA5zcAgBdAAuausXrPoNcip89Yuqag1
-----END RSA PRIVATE KEY-----

Since my private key is just text, I stored it as a Secret. Am I doing the right thing?

I also tried to store the key as a Certificate, but the key is just text with hidden CRLFs; it is not PEM or PKCS#12. And in my case, I don't need to store the public key.

Below is my code to retrieve the key:

using Microsoft.Azure.KeyVault;                         // legacy KeyVaultClient SDK
using Microsoft.Azure.Services.AppAuthentication;
// Assumed setup for the two members the method uses: the vault URI (with trailing slash)
// and a client that authenticates through AzureServiceTokenProvider.
private static readonly string vaultUrl = "https://<vault-name>.vault.azure.net/";
private static readonly KeyVaultClient keyVaultClient = new KeyVaultClient(
    new KeyVaultClient.AuthenticationCallback(new AzureServiceTokenProvider().KeyVaultTokenCallback));

public static string GetDocuSignPrivateKey()
{
    // Reads one specific version of the secret; .Result blocks the thread, prefer await in async code.
    var key = keyVaultClient.GetSecretAsync($"{vaultUrl}secrets/DocuSignPrivateKey/88e15b41234bf89619ddc9a2exxxx").Result;
    return key.Value;
}

Sorry, I just started using Azure Key Vault. Please help. Thank you.

Upvotes: 2

Views: 4587

Answers (4)

abautista

Reputation: 2780

I had a similar problem where I was trying to add a private cert to the key vault by creating a secret. I used PowerShell and the following code snippet to make it work.

I navigated to the folder where your private cert is located and then I applied:

az login

az keyvault secret set --name privateCert --vault-name mykeyvault-qa-kv --file .\private.key

Upvotes: 0

Amay Kulkarni

Reputation: 838

Added the private key to Azure using the C# method below instead of adding it manually, then use the GetSecret method:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Create the client first, then write the secret and read it back with the same client.
SecretClientOptions options = new SecretClientOptions();
SecretClient client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential(), options);

string secretName = "pKey";
string secretValue = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMII9w0BBQ\nzZ8=\n-----END ENCRYPTED PRIVATE KEY-----\n";
Task addKey = client.SetSecretAsync(secretName, secretValue);
addKey.Wait();

KeyVaultSecret pKey = client.GetSecret(secretName);
string privateKey = pKey.Value;

Upvotes: 0

tgtgtg

Reputation: 61

This is how I deployed a private key from a .ppk file to the key vault using PowerShell. The first one is in nonproduction where I used AAD MFA, the second one is in production where I used a service principal.

  1. AAD Multifactor Log In

    Connect-AzAccount -DeviceCode

    # Read the raw file bytes and base64-encode them so line endings survive the round trip.
    # (-Encoding Byte is Windows PowerShell 5.1; PowerShell 7 uses -AsByteStream instead.)
    $fileContentInBytes = Get-Content C:\Users\filedirectory\file.ppk -Encoding Byte
    $fileContentAsBase64 = [System.Convert]::ToBase64String($fileContentInBytes)

    Set-AzKeyVaultSecret -VaultName 'CHANGEVALUETOKEYVAULTNAME' -SecretName 'CHANGEVALUETOSECRETNAME' -SecretValue (ConvertTo-SecureString -String $fileContentAsBase64 -Force -AsPlainText) -ErrorAction Stop

  2. Service Principal

    $secPassword = ConvertTo-SecureString -AsPlainText -Force -String 'CHANGEVALUETOSERVICEPRINCIPALPASSWORD'
    $ApplicationId = 'CHANGEVALUETOSERVICEPRINCIPALID'

    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $secPassword

    Connect-AzAccount -ServicePrincipal -TenantId 'CHANGEVALUETOTENANTID' -Credential $Credential

    # Same byte-level read as above (-Encoding Byte is Windows PowerShell 5.1; PowerShell 7 uses -AsByteStream).
    $fileContentInBytes = Get-Content C:\Users\filedirectory\file.ppk -Encoding Byte
    $fileContentAsBase64 = [System.Convert]::ToBase64String($fileContentInBytes)

    Set-AzKeyVaultSecret -VaultName 'CHANGEVALUETOKEYVAULTNAME' -SecretName 'CHANGEVALUETOSECRETNAME' -SecretValue (ConvertTo-SecureString -String $fileContentAsBase64 -Force -AsPlainText) -ErrorAction Stop

Upvotes: 0

George Huang

Reputation: 2523

Thanks to @Matt Small's response. I use Azure Cloud Shell to enter the private key and it works.

$secretvalue = ConvertTo-SecureString 'priKey here' -AsPlainText -Force

$secret = Set-AzKeyVaultSecret -VaultName 'vaultName' -Name 'secretName' -SecretValue $secretvalue

Upvotes: 3
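As an added example (not code from any of the answers above), here is a stdlib-only Python check for the symptom in the question: compare the key material you stored with what you read back, ignoring CRLF/LF and line-wrapping differences, and rebuild a canonical PEM when only the line breaks were lost. The DER blob is a constructed sample, not a real key, and the function names are my own.

```python
import base64
import hashlib
import re
from typing import Optional, Tuple

# Constructed sample: a tiny DER SEQUENCE (INTEGER 1, NULL), standing in for the
# PKCS#1 RSA key in the question. Not a real key.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00])
SAMPLE_LABEL = "RSA PRIVATE KEY"


def to_pem(der: bytes, label: str) -> str:
    """Encode DER bytes as a canonical PEM block: 64-char base64 lines, LF endings."""
    body = base64.b64encode(der).decode("ascii")
    lines = [f"-----BEGIN {label}-----"]
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


def parse_pem(text: str) -> Optional[Tuple[str, bytes]]:
    """Return (label, der) if header, footer and base64 body are intact, else None.
    Tolerates CRLF, trailing spaces and a body flattened onto one line."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        return None
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    try:
        der = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return None
    if not der or der[0] != 0x30:  # PKCS#1 and PKCS#8 keys are DER SEQUENCEs
        return None
    return label, der


def fingerprint(text: str) -> Optional[str]:
    """SHA-256 over the decoded DER, so two PEM renderings compare by key material."""
    parsed = parse_pem(text)
    return hashlib.sha256(parsed[1]).hexdigest() if parsed else None


def round_trip_intact(stored: str, retrieved: str) -> bool:
    """True when the secret read back still carries exactly the stored key material."""
    fp = fingerprint(stored)
    return fp is not None and fp == fingerprint(retrieved)


def restore_pem(retrieved: str) -> Optional[str]:
    """Rebuild a canonical PEM from a retrieved value whose line breaks were lost."""
    parsed = parse_pem(retrieved)
    return to_pem(parsed[1], parsed[0]) if parsed else None
```

Run `round_trip_intact` against the value you pasted and the value `GetSecret` returns: a mismatch means the bytes changed, while a match with a parse failure in your app points at line endings, which `restore_pem` repairs.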
