Store Private Key into Azure KeyVault, value got changed

Question

I tried to store my private key to Azure Key Vault, but when I retrieve it out, my private key got changed.

If I put the private key into my web.config file, it works without any issue.

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAohoZ+TCXMn17BPFXFCuIHvh7oONSBNCjuixl2CbwrGO8tIAO
XIQP1sZa3lhXkUj0f4HewmYsx6JR+39Do21H+QtCZxR4qCvOJxrrFHqMrk76aQji
....
ZVmUljOatig+g+q+jMEf7IA5zcAgBdAAuausXrPoNcip89Yuqag1
-----END RSA PRIVATE KEY-----

Since my private key is just a text, I stored it as a Secrets. Am I doing the right thing?

I also tried to store the key as a Certificate, but the key is just a text with hidden CRLN, it is not PEM or PKCS#12. And in my case, I don't need to store the public key.

Below is my code to retrieve the key:

public static string GetDocuSignPrivateKey()
{
    var key = keyVaultClient.GetSecretAsync($"{vaultUrl}secrets/DocuSignPrivateKey/88e15b41234bf89619ddc9a2exxxx").Result;

    return key.Value;
}

Sorry, I just start using Azure KeyVault. Please help. Thank you.

Answer 1

I had a similar problem where I was trying to add a private cert to the key vault by creating a secret. I used powershell and the following code snippet to make it to work.

I navigated to the folder where your private cert is located and then I applied:

az login

az keyvault secret set --name privateCert --vault-name mykeyvault-qa-kv --file .\private.key

Answer 2

Added the private Key to Azure using below method in C# instead of adding manually, then use Get Secret Method:

string secretName = "pKey";
string secretValue = "-----BEGIN ENCRYPTED PRIVATE KEY----\nMII9w0BBQ\nzZ8=\n-----END ENCRYPTED PRIVATE KEY-----\n";
Task addKey = client.SetSecretAsync(secretName, secretValue);
addKey.Wait();

SecretClient client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential(),options);
KeyVaultSecret pKey = OKTAclient.GetSecret("pKey");                
string privateKey = pKey.Value; 

Answer 3

This is how I deployed a private key from a .ppk file to the keyvault using powershell. The first one is in nonproduction where I used AAD MFA, the second one is in production where I used a service principal.

1. AAD Multifactor Log In

   Connect-AzAccount -DeviceCode
   
   $fileContentInBvtes = get-content C:\Users\filedirectory\file.ppk -Encoding Byte
   $fileContentAsBase64 = [Svstem.Convert]::ToBase64String($fileContentInBytes)
   
   Set-AzKeyVaultSecret -VaultName 'CHANGEVALUETOKEYVAULTNAME' -SecretName 'CHANGEVALUETOSECRETNAME' -SecretValue (ConvertTo-SecureString -String $fileContentAsBase64 -force -AsPlainText) -ErrorAction Stop
   

2. Service Principal

   $secPassword = ConvertTo-SecureString -AsPlainText -Force -String 'CHANGEVALUETOSERVICEPRINCIPALPASSWORD'
   $Applicationld= 'CHANGEVALUETOSERVICEPRINCIPALID'
   
   $Credential = New-Object -TypeName Svstem.Management.Automation.PSCredential -Argumentlist $Applicationld, $secPassword
   
   Connect-AzAccount -ServicePrincipal -Tenantld 'CHANGEVALUETOTENANTID' -Credential $Credential
   
   $fileContentInBvtes = get-content C:\Users\filedirectory\file.ppk -Encoding Byte
   
   $fileContentAsBase64 = [Svstem.Convert]::ToBase64String($fileContentInBytes)
   
   Set-AzKeyVaultSecret -VaultName 'CHANGEVALUETOKEYVAULTNAME' -SecretName 'CHANGEVALUETOSECRETNAME' -SecretValue (ConvertTo-SecureString -String $fileContentAsBase64 -force -AsPlainText) -ErrorAction Stop
   

Answer 4

Thanks to @Matt Small 's response. I use Azure Cloud Shell to enter the private key and it works.

$secretvalue = ConvertTo-SecureString 'priKey here' -AsPlainText -Force

$secret = Set-AzKeyVaultSecret -VaultName 'vaultName' -Name 'secretName' -SecretValue $secretvalue