As a central key management service, a Key Vault has the following capabilities:
- Storing secure strings called secrets, such as passwords
- Encrypting virtual machine (VM) disks using Key Vault keys
- Storing certificates with their private keys
- Generating self-signed certificates
- Managing storage account access keys
Users and applications retrieve keys and secrets from a Key Vault. Administrators and developers routinely use Key Vault secrets to reach Azure services such as VMs, storage accounts, and databases, so they don't have to put VM passwords or storage account keys directly in code or templates. Instead, they authenticate to the Key Vault first, obtain the keys and secrets they need, and then connect to the resources with them.
A Key Vault holds three kinds of objects: keys, secrets, and certificates. Keys are used mainly for cryptographic operations such as encryption, key wrapping, and signing; secrets hold sensitive strings such as passwords, API keys, and storage account keys; certificates store X.509 certificates with their private keys and are used for encryption, authentication, and authorization.
Listing Key Vaults with details
The first command lists every Key Vault in the current subscription; the second returns the details of one vault, including its access policies:
Get-AzureRmKeyVault
Get-AzureRmKeyVault -VaultName devopskeyvault1 -ResourceGroupName "DevOpsTools"
You may have noticed that each Key Vault has access policies. These let administrators delegate rights over keys, secrets, certificates, and managed storage accounts separately. Access policies apply to security principals (users, groups, service principals, and managed identities), and different principals can hold different permissions on the same vault: one policy may allow managing keys while another only allows managing certificates, and a third may allow nothing but reading secrets.
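The following is an added example, not code from the original article: it delegates three different permission sets on one vault to a user, a service principal, and a group, then verifies and revokes them. It assumes the Az module (the AzureRM module used in the article's commands is retired), an existing vault, and placeholder principal and vault names.

```powershell
# Added example (not from the original article). Assumes the Az module and an
# existing vault; vault, resource group and principal names are placeholders.
$vault = 'UniqueKeyVaultName1'
$rg    = 'DevOpsTools'

# A human operator who manages keys only (no rights on secrets or certificates).
$keyAdmin = Get-AzADUser -UserPrincipalName 'keyadmin@contoso.com'
Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg `
    -ObjectId $keyAdmin.Id `
    -PermissionsToKeys get,list,create,update,delete,backup,restore

# An application that only needs to read secrets at runtime: 'get' only, no 'list',
# so a compromised app cannot enumerate the vault's other secrets.
$app = Get-AzADServicePrincipal -DisplayName 'my-web-app'
Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg `
    -ObjectId $app.Id `
    -PermissionsToSecrets get

# A PKI team that manages certificates only.
$pkiGroup = Get-AzADGroup -DisplayName 'PKI Team'
Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg `
    -ObjectId $pkiGroup.Id `
    -PermissionsToCertificates get,list,create,import,update,delete

# Verify: every policy entry shows exactly what each principal may do.
(Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg).AccessPolicies |
    Select-Object ObjectId, PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates

# Revoke when the application is decommissioned: remove the entry, don't just narrow it.
Remove-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -ObjectId $app.Id
```

Access policies are per-vault and per-principal; if you need the same delegation across many vaults, newer vaults can instead be created with Azure RBAC authorization (New-AzKeyVault -EnableRbacAuthorization), where role assignments replace the policy list.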
Creating a new Key Vault
Each Key Vault must have a globally unique name, because Azure derives the vault's Uniform Resource Identifier (URI) from it: the name becomes the host label in the vault.azure.net domain, for example https://UniqueKeyVaultName1.vault.azure.net/. A name already taken by another tenant's vault cannot be reused.
The following command creates a new Key Vault:
New-AzureRmKeyVault -VaultName UniqueKeyVaultName1 -ResourceGroupName "DevOpsTools" -Location "West Europe"
After creating a Key Vault, you can then manage secrets, keys, and certificates for various tasks.
Managing secrets
You can create a new secret with these commands:
$secretvalue = "secret value" | ConvertTo-SecureString -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName "UniqueKeyVaultName1" -Name Secret1 -SecretValue $secretvalue
You can now consume this secret as a secure string (for example, as a password) by retrieving it from the Key Vault at run time instead of embedding it in a script as plain text. This is particularly useful for storing administrator credentials.
To read the secret's value back as plain text, use the following. Note that this prints the plaintext to the console, so avoid it in scripts whose output is logged or transcribed:
(Get-AzureKeyVaultSecret -VaultName "UniqueKeyVaultName1" -Name Secret1).SecretValueText
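The following is an added example, not part of the original article: it stores a secret with an expiry and metadata, reads it back as a SecureString, and hands it to a cmdlet as a credential without ever echoing the plaintext. It assumes the Az module (in current Az.KeyVault versions the SecretValueText property shown above no longer exists, so the plaintext has to be obtained from the SecureString explicitly) and placeholder names.

```powershell
# Added example (not from the original article). Assumes the Az module and an
# existing vault; the vault and secret names are placeholders.
$vault = 'UniqueKeyVaultName1'

# Take the value interactively so it never lands in a script file or shell history.
$value = Read-Host -Prompt 'Enter the VM admin password' -AsSecureString

Set-AzKeyVaultSecret -VaultName $vault -Name 'VmAdminPassword' -SecretValue $value `
    -ContentType 'password' `
    -Expires (Get-Date).AddDays(90) `
    -Tag @{ owner = 'devops'; purpose = 'vm-local-admin' }

# Reading it back: SecretValue is a SecureString. Cmdlets that accept a
# PSCredential or SecureString never need the plaintext at all.
$secret = Get-AzKeyVaultSecret -VaultName $vault -Name 'VmAdminPassword'
$cred   = New-Object System.Management.Automation.PSCredential ('azureadmin', $secret.SecretValue)
# e.g. New-AzVM ... -Credential $cred

# Only when an API really needs the plaintext: convert just in time (PowerShell 7+),
# use it, and drop it; never Write-Host or log it.
$plain = ConvertFrom-SecureString -SecureString $secret.SecretValue -AsPlainText
# ... pass $plain to the API that requires it ...
Remove-Variable plain

# Rotation: setting a new value under the same name creates a new version; older
# versions stay retrievable until disabled, so review them after a rotation.
Get-AzKeyVaultSecret -VaultName $vault -Name 'VmAdminPassword' -IncludeVersions |
    Select-Object Version, Created, Expires, Enabled
```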
Managing keys
You can use the following command to create a new RSA key in the vault. The -Destination parameter accepts two values: Software for a software-protected key, and HSM for a key generated and held in Key Vault's hardware security modules (HSM-protected keys require a Premium-tier vault). Keys generated in your organization's own HSM are not created with this command but imported with -KeyFilePath (bring your own key), again with -Destination HSM.
Add-AzureKeyVaultKey -VaultName "UniqueKeyVaultName1" -Name Key1 -Destination Software
The key's Attributes.KeyOps property lists the operations the key is permitted to perform (for example encrypt, decrypt, sign, verify, wrapKey, unwrapKey). The following command displays them:
Get-AzureKeyVaultKey -VaultName "UniqueKeyVaultName1" -Name Key1 | select -ExpandProperty Attributes | select -ExpandProperty KeyOps
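The following is an added example, not code from the original article. It creates an RSA key restricted to the two operations a disk-encryption consumer needs, gives it an expiry, and then shows what happens to key versions when the key is rotated. It assumes the Az module and placeholder vault and key names.

```powershell
# Added example (not from the original article). Assumes the Az module and an
# existing vault; vault and key names are placeholders.
$vault = 'UniqueKeyVaultName1'

# Key-encryption key: wrapKey/unwrapKey only. Every operation not listed in
# -KeyOps (sign, verify, encrypt, decrypt) is refused by the service, so a
# principal with 'sign' rights still cannot misuse this key for signing.
$key = Add-AzKeyVaultKey -VaultName $vault -Name 'DiskEncryptionKek' `
    -Destination Software -KeyType RSA -Size 3072 `
    -KeyOps wrapKey,unwrapKey `
    -Expires (Get-Date).AddYears(1)

# Inspect the permitted operations (key_ops) on the new key.
(Get-AzKeyVaultKey -VaultName $vault -Name 'DiskEncryptionKek').Attributes.KeyOps

# For an HSM-backed key (Premium vault) only the destination changes:
# Add-AzKeyVaultKey -VaultName $vault -Name 'HsmKek' -Destination HSM -KeyOps wrapKey,unwrapKey

# Rotation: adding a key under an existing name creates a new version. Consumers
# that reference the versionless ID (https://<vault>.vault.azure.net/keys/DiskEncryptionKek)
# pick up the new version; consumers pinned to a versioned ID keep the old one.
$newVersion = Add-AzKeyVaultKey -VaultName $vault -Name 'DiskEncryptionKek' `
    -Destination Software -KeyType RSA -Size 3072 -KeyOps wrapKey,unwrapKey
Get-AzKeyVaultKey -VaultName $vault -Name 'DiskEncryptionKek' -IncludeVersions |
    Select-Object Version, Created, Expires, Enabled

# Disable (don't delete) the previous version: data still wrapped under it can be
# unwrapped again after re-enabling, which a deletion would not allow.
Update-AzKeyVaultKey -VaultName $vault -Name 'DiskEncryptionKek' -Version $key.Version -Enable $false
```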
Managing certificates
To create a new self-signed certificate in Azure, you can use the following:
$certpolicy = New-AzureKeyVaultCertificatePolicy -SubjectName "CN=www.bakionur.com" -IssuerName Self -ValidityInMonths 12
Add-AzureKeyVaultCertificate -VaultName "UniqueKeyVaultName1" -Name Cert1 -CertificatePolicy $certpolicy
Certificate creation runs asynchronously, so the certificate may take a short while to appear in the Azure portal. After a couple of minutes, you can get its details with the following command:
Get-AzureKeyVaultCertificate -VaultName "UniqueKeyVaultName1" -Name Cert1
With the following commands, you can import an existing .PFX file into Azure. The PFX password is shown inline here for brevity; in a real script read it with Read-Host -AsSecureString instead of hard-coding it:
$PfxPassword = ConvertTo-SecureString -String "password" -AsPlainText -Force
Import-AzureKeyVaultCertificate -VaultName "UniqueKeyVaultName1" -Name "Cert2" -FilePath "C:\temp\cert.pfx" -Password $PfxPassword
When a certificate is created in or imported into a Key Vault, the vault also creates a managed key and a managed secret with the same name. The key (holding the private key) appears under Keys, the secret (holding the certificate together with its private key, in the content type set by the policy) appears under Secrets, and both are marked as managed and follow the certificate's lifecycle rather than being administered on their own.
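The following is an added example, not code from the original article. It creates a self-signed certificate with an explicit policy, polls the certificate operation instead of guessing how long to wait, then shows where the public part and the managed key and secret end up, and imports a PFX without a hard-coded password. It assumes the Az module and placeholder vault, certificate, and DNS names.

```powershell
# Added example (not from the original article). Assumes the Az module and an
# existing vault; vault, certificate and DNS names are placeholders.
$vault = 'UniqueKeyVaultName1'

# Explicit policy: subject and SANs, 12-month validity, auto-renew 30 days before
# expiry, 2048-bit RSA, private key delivered as PKCS#12 through the managed secret.
$policy = New-AzKeyVaultCertificatePolicy -SubjectName 'CN=www.example.com' `
    -DnsName 'www.example.com','example.com' `
    -IssuerName Self -ValidityInMonths 12 `
    -RenewAtNumberOfDaysBeforeExpiry 30 `
    -KeyType RSA -KeySize 2048 `
    -SecretContentType 'application/x-pkcs12'

Add-AzKeyVaultCertificate -VaultName $vault -Name 'WebCert' -CertificatePolicy $policy

# Creation is asynchronous: poll the operation until it leaves 'inProgress'.
do {
    Start-Sleep -Seconds 5
    $op = Get-AzKeyVaultCertificateOperation -VaultName $vault -Name 'WebCert'
} while ($op.Status -eq 'inProgress')
if ($op.Status -ne 'completed') {
    throw "Certificate operation ended with status '$($op.Status)': $($op.ErrorMessage)"
}

# Public certificate only (no private key): thumbprint, subject, expiry.
$cert = Get-AzKeyVaultCertificate -VaultName $vault -Name 'WebCert'
$cert.Certificate | Select-Object Thumbprint, Subject, NotAfter

# Import an existing PFX, reading the password interactively rather than
# embedding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Import-AzKeyVaultCertificate -VaultName $vault -Name 'ImportedCert' `
    -FilePath 'C:\temp\cert.pfx' -Password $pfxPassword

# The managed key and managed secret share the certificate's name; Managed = True
# tells you they belong to the certificate object.
Get-AzKeyVaultKey    -VaultName $vault -Name 'ImportedCert' | Select-Object Name, Managed
Get-AzKeyVaultSecret -VaultName $vault -Name 'ImportedCert' | Select-Object Name, ContentType, Managed
```

Anyone granted 'get' on the vault's secrets can download the managed secret, which contains the private key, so a policy that only grants 'get' on certificates does not by itself prevent private-key export.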
The most common scenarios are:
- Referencing Key Vaults from ARM templates to retrieve keys, secrets, and certificates
- Retrieving passwords from PowerShell scripts instead of embedding them
- Storing the Base64-encoded data of a certificate as a secret in a Key Vault
- Encrypting a virtual machine with an Azure-managed key
We've had a quick look at the Key Vault fundamentals; many more combinations are possible with Key Vaults in Azure environments.
Thanks for the article.
Is there any article on encryption of ADLS with Key Vault?
Hi,
Is there any way to check the availability of a Key Vault name in PowerShell, like the command we have for storage account names?
Hi Leila,
You can use the following code to check Key Vault name availability on Azure.
Please ensure you've filled in the first section of the code.
## change here ##
$TENANTID = ""
$SUBSCRIPTIONID = ""
$APPID = ""
$PASSWORD = ""
$NameToCheck = "keyvaultname1"
#####
### do not make any changes here ###
# Obtain an ARM access token for the service principal (client credentials flow).
$result = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{ "grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = "$APPID"; "client_secret" = "$PASSWORD" }
$token = $result.access_token
# checkNameAvailability expects a JSON body with the candidate name and resource type.
$Body = @{
    "name" = $NameToCheck
    "type" = "Microsoft.KeyVault/vaults"
}
$Headers = @{
    'Authorization' = "Bearer $token"
    'Content-Type'  = 'application/json'
}
$Uri = "https://management.azure.com/subscriptions/$SUBSCRIPTIONID/providers/Microsoft.KeyVault/checkNameAvailability?api-version=2018-02-14"
# The response contains nameAvailable (true/false) plus reason and message when it is taken or invalid.
Invoke-RestMethod -Uri $Uri -Headers $Headers -Method POST -Body ($Body | ConvertTo-Json)
######
Hi Sandeep,
You can use the following code:
# Create the key that the Data Lake Store account will use for encryption.
$Key = Add-AzureKeyVaultKey -Destination Software -Name "keyname" -VaultName "keyvaultname"
$KeyId = $Key.Version.ToString()
# Deploy the ARM template, pointing the account at the vault, key name and key version.
New-AzureRmResourceGroupDeployment -ResourceGroupName "resourcegroupname" -TemplateFile "armtemplate.json" -DataLakeStoreName "ADLSName" -KeyVaultName "keyvaultname" -DataLakeStoreKeyVaultKeyName $Key.Name -DataLakeStoreKeyVaultKeyVersion $KeyId
# Grant the account's managed identity the key permissions it needs, then enable the vault.
$ADLSACC = Get-AzureRmDataLakeStoreAccount -Name "ADLSName"
$ADLSACCSPNID = $ADLSACC.Identity.PrincipalId
Set-AzureRmKeyVaultAccessPolicy -VaultName "keyvaultname" -ObjectId $ADLSACCSPNID -PermissionsToKeys encrypt,decrypt,get -BypassObjectIdValidation
Enable-AdlStoreKeyVault -Account $ADLSACC.Name