Reputation: 3057
Retrieve AES key bytes
I have creead an AES key via the folloowing Azure CLI:
az keyvault key create --hsm-name myhsmkeyvault --name myaeskey2 --ops encrypt decrypt --tags --kty oct-HSM --size 128
Now, I have this expectation, if I show the key, then I see the n value (key byte) of this AES key. but the n value is null :
{
"attributes": {
"created": "2022-08-30T10:21:38+00:00",
"enabled": true,
"expires": null,
"exportable": false,
"notBefore": null,
"recoverableDays": 7,
"recoveryLevel": "CustomizedRecoverable",
"updated": "2022-08-30T10:21:38+00:00"
},
"key": {
"crv": null,
"d": null,
"dp": null,
"dq": null,
"e": null,
"k": null,
"keyOps": [
"encrypt",
"decrypt"
],
"kid": "https://myhsm.managedhsm.azure.net/keys/myaeskey2/88adxxxxx2865",
"kty": "oct-HSM",
"n": null,
"p": null,
"q": null,
"qi": null,
"t": null,
"x": null,
"y": null
},
"managed": null,
"releasePolicy": null,
"tags": null
}
Did I miss something here?
Upvotes: 1
Views: 595
Answers (1)
Reputation: 6877
The Get Key operation only returns the public portions of keys.
From the Get Key documentation:
If the requested key is symmetric, then no key material is released in the response.
The idea behind Key Vault is that keys don't leave the vault. Instead you're intended to send ENCRYPT/DECRYPT requests to have data encrypted/decrypted by the service.
From the "Key Operations" section of the "Key types, algorithms, and operations" documentation:
Key Vault doesn't support EXPORT operations. Once a key is provisioned in the system, it cannot be extracted or its key material modified.
An alternative approach is generating AES key locally, and then using the Key Vault WRAP/UNWRAP operations to encrypt the key before storing/transmitting it.
If you're using Python, see the documentation for wrap_key() and unwrap_key().
Example usage would be something like:
from azure.keyvault.keys.crypto import KeyWrapAlgorithm
# Create CryptographyClient instance.
key_id = "https://<your vault>.vault.azure.net/keys/<key name>/fe4fdcab688c479a9aa80f01ffeac26"
crypto_client = CryptographyClient(key_id, credential)
# Generate a 32-byte (256-bit) AES key.
key_bytes = secrets.token_bytes(32)
# Wrap the AES key.
wrap_result = client.wrap_key(KeyWrapAlgorithm.rsa_oaep, key_bytes)
encrypted_key = wrap_result.encrypted_key
# At this point, you can safely store/transmit the encrypted_key for later
# usage. In addition, using Key Vault in this manner allows enforcing
# access controls, logging usage, etc.
# When you want to use the key, you have to unwrap it.
unwrap_result = client.unwrap_key(KeyWrapAlgorithm.rsa_oaep, encrypted_key)
key = unwrap_result.key
I'm not super familiar with PySpark, but you'll probably want to convert the key to a BINARY literal format before using it in an expression. This sidesteps any potential issues with implicit crosscasting of STRING to BINARY.
import binascii
key_hex = f"X'{binascii.hexlify(key)}'"
Also note that the key property contains a JSON Web Key (JWK). The n property within the JWK is for an RSA modulus, while the k field would contain the symmetric key, if it were populated.
Upvotes: 2
Related Questions
- How to determine the Encryption Algorithm for Azure.Security.KeyVault.Keys.Cryptography.CryptographyClient.Decrypt on Keys
- How to get key from Azure KeyVault as a plain text?
- Azure Key Vault Secrets Query
- retrieve secret from azure key vault
- Accessing AzureKeyVault
- How to read value from azure key vault
- Fetching secrets from keyVault from Azure in c#
- Azure Key-vault Encryption
- Azure Key Vault - Obtaining Encryption Passphrase
- View contents of Secret in Azure KeyVault