Azure Key Vault can store sensitive data such as passwords and make them available when scripts and Azure Resource Manager (ARM) templates call them out for everyday tasks.

Baki Onur Okutucu

Onur is a subject matter expert for Office 365, Azure, and PowerShell technologies. He is the founder of Clouderz Ltd, a cloud consultancy based in London. For ten years in a row, Microsoft has recognized him as a Most Valuable Professional. You can follow Onur on Twitter: @BakiOnur.

As a central key management service, a Key Vault has the following capabilities:

  • Storing secure strings called secrets, such as passwords
  • Encrypting virtual machine (VM) disks using Key Vault keys
  • Storing certificates with their private keys
  • Generating self-signed certificates
  • Managing storage account access keys

Users or applications access the keys and secrets stored in a Key Vault. Administrators and developers constantly use Key Vault secrets to access Azure services such as VMs, storage accounts, and databases. Thus, they don't have to place VM passwords or storage account keys directly in code or templates. Instead, they connect to a Key Vault first to obtain the keys and secrets, and then use those keys and secrets to authenticate to the resources.

There are basically three kinds of objects in a Key Vault: keys, secrets, and certificates. Keys are mostly used for encryption, while secrets hold values such as authentication keys, passwords, and storage account keys. You can also store certificates in Key Vaults for many different purposes, such as encryption, authentication, and authorization.

Listing Key Vaults with details

The following commands can list existing Key Vaults in detail:

[Screenshot: Listing Key Vaults]

You may have noticed that each Key Vault has access policies. These allow administrators to delegate permissions flexibly over keys, certificates, secrets, and managed storage. Access policies apply to principals, such as users and applications. Different principals can have different permissions on the same Key Vault: for example, one may be allowed to manage keys while another may manage certificates in that particular Key Vault.
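The following is an added example, not code from the article, showing how to inventory every Key Vault in the current subscription together with its access policies using the same AzureRM cmdlets the article's comments use, and then grant one principal a least-privilege policy. It assumes Login-AzureRmAccount has already been run; the vault name and service principal name are placeholders.

```powershell
# Added example (not from the article). Assumes Login-AzureRmAccount has been run;
# 'keyvaultname' and 'http://app-placeholder' are placeholders.

# The unfiltered listing returns summary objects only, so fetch each vault again by
# name to get the full details including its access policies.
$vaults = Get-AzureRmKeyVault
foreach ($summary in $vaults) {
    $vault = Get-AzureRmKeyVault -VaultName $summary.VaultName -ResourceGroupName $summary.ResourceGroupName

    "`n== $($vault.VaultName) ($($vault.VaultUri))"
    "Template deployment enabled: $($vault.EnabledForTemplateDeployment)"
    "Disk encryption enabled:     $($vault.EnabledForDiskEncryption)"

    # One row per principal: who holds which permissions on keys, secrets and certificates.
    # Review this list regularly; a principal with 'all' on secrets can read every password.
    foreach ($policy in $vault.AccessPolicies) {
        [pscustomobject]@{
            Principal    = $policy.DisplayName
            ObjectId     = $policy.ObjectId
            Keys         = ($policy.PermissionsToKeys -join ',')
            Secrets      = ($policy.PermissionsToSecrets -join ',')
            Certificates = ($policy.PermissionsToCertificates -join ',')
        }
    }
}

# Grant an application only what it needs: read and list secrets, nothing on keys or
# certificates. Set-AzureRmKeyVaultAccessPolicy replaces that principal's existing
# policy on the vault rather than merging with it.
Set-AzureRmKeyVaultAccessPolicy -VaultName 'keyvaultname' `
    -ServicePrincipalName 'http://app-placeholder' `
    -PermissionsToSecrets get,list
```

Because Set-AzureRmKeyVaultAccessPolicy overwrites the principal's policy, run the inventory loop afterwards to confirm that no permissions beyond the intended ones remain.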

Creating a new Key Vault

Each Key Vault in Azure must have a globally unique name. That's because Azure assigns each Key Vault a unique Uniform Resource Identifier (URI) based on the name specified upon creation: Azure uses that Key Vault name as the host name prefix under the vault.azure.net domain.

The following command creates a new Key Vault:

[Screenshot: Creating a new Key Vault]

After creating a Key Vault, you can then manage secrets, keys, and certificates for various tasks.
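As an added example (not the article's own command), the block below creates a Key Vault with the AzureRM module, switching on the integration flags that the later scenarios in this article depend on, and prints the URI Azure derives from the name. It assumes Login-AzureRmAccount has been run; the resource group, vault name and region are placeholders.

```powershell
# Added example (not from the article). Assumes Login-AzureRmAccount has been run;
# resource group, vault name and region are placeholders.
$rgName    = 'rg-keyvault-demo'
$vaultName = 'kv-demo-placeholder'   # globally unique: 3-24 characters, letters, digits and hyphens
$location  = 'westeurope'

New-AzureRmResourceGroup -Name $rgName -Location $location -Force | Out-Null

# Splatting keeps the flags readable. Each one widens what other Azure services may do
# with this vault, so enable only the ones you actually need.
$params = @{
    VaultName                    = $vaultName
    ResourceGroupName            = $rgName
    Location                     = $location
    Sku                          = 'Standard'  # Premium is required for HSM-backed keys
    EnabledForTemplateDeployment = $true       # ARM templates may read secrets from this vault
    EnabledForDeployment         = $true       # VMs may retrieve certificates stored here as secrets
    EnabledForDiskEncryption     = $true       # Azure Disk Encryption may store its keys here
    EnableSoftDelete             = $true       # deleted vaults and objects stay recoverable
}

# The name must be unused anywhere in Azure; creation fails with a conflict otherwise.
try {
    $vault = New-AzureRmKeyVault @params
} catch {
    throw "Could not create vault '$vaultName': $($_.Exception.Message)"
}

# The URI is the vault name under vault.azure.net, which is why the name is globally unique.
"Vault URI: $($vault.VaultUri)"

# At this point only the identity that created the vault holds an access policy.
$vault.AccessPolicies | Select-Object DisplayName, PermissionsToKeys, PermissionsToSecrets
```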

Managing secrets

You can create a new secret with these commands:

[Screenshot: Creating a new secret]

You can now use this secret as a secure string (such as a password) by calling it directly from the Key Vault instead of having to specify it in a script as plain text. This is pretty useful, especially for storing administrator credentials securely.

To get the secret value text back from the Key Vault, use the following:

[Screenshot: Getting secret value in plain text]
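The following added example (not the article's own code) shows the full round trip for a password secret with the AzureRM cmdlets: generating the password straight into a SecureString, storing it with an expiry, and later reading it back into a PSCredential so that the plain text never has to appear in the script. It assumes Login-AzureRmAccount has been run; the vault name, secret name and user name are placeholders.

```powershell
# Added example (not from the article). Assumes Login-AzureRmAccount has been run;
# vault name, secret name and user name are placeholders.
$vaultName  = 'kv-demo-placeholder'
$secretName = 'vm-admin-password'

# Build the password character by character inside a SecureString so no plain-text
# copy is ever held in a normal variable. The alphabet has 64 entries, so masking a
# random byte with 63 picks uniformly without modulo bias.
$alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
$rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$buf      = New-Object byte[] 1
$secure   = New-Object System.Security.SecureString
for ($i = 0; $i -lt 24; $i++) {
    $rng.GetBytes($buf)
    $secure.AppendChar($alphabet[$buf[0] -band 63])
}
$secure.MakeReadOnly()

# Store it with an expiry so that a forgotten password cannot live forever in the vault.
Set-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secure `
    -ContentType 'text/plain' -Expires (Get-Date).AddDays(90) | Out-Null

# Later, in another script: read the secret back as a SecureString and wrap it in a
# PSCredential. Cmdlets such as New-AzureRmVM accept this directly, so the plain text is
# never written to the console, transcript or job log.
$secret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName
$cred   = New-Object System.Management.Automation.PSCredential('azureadmin', $secret.SecretValue)
"Credential for $($cred.UserName) loaded from secret version $($secret.Version)"

# Only if an API insists on a string: $secret.SecretValueText holds the plain text.
# Treat any variable holding it as sensitive and avoid echoing it.

# Every Set-AzureKeyVaultSecret with the same name adds a version; older versions stay
# readable by version ID, which matters when you rotate a password.
Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName -IncludeVersions |
    Select-Object Version, Enabled, Expires, Created
```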

Managing keys

You can use the following commands to create a new Key Vault key (an RSA key). There are two options here: software keys and hardware keys. If you want to use your organization's own HSM-protected keys, you need to choose the hardware (HSM) option as the Destination.

[Screenshot: Creating a new Key Vault key]

You can now use this key for the following operations:

[Screenshot: Getting key operations]
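As an added example (not code from the article), the block below creates an RSA key with Add-AzureKeyVaultKey, restricts the operations it permits, uses only its public half locally to wrap a data-encryption key, and then rotates it. The cmdlet's -Destination parameter accepts Software or HSM, and HSM requires a Premium SKU vault. It assumes Login-AzureRmAccount has been run; the vault and key names are placeholders.

```powershell
# Added example (not from the article). Assumes Login-AzureRmAccount has been run;
# vault and key names are placeholders.
$vaultName = 'kv-demo-placeholder'
$keyName   = 'data-encryption-key'

# -Destination is Software or HSM (HSM needs a Premium vault). Limit -KeyOps to what the
# consumer really needs: Key Vault refuses any operation that is not listed here.
$key = Add-AzureKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software `
    -KeyOps wrapKey,unwrapKey -Size 2048 -Expires (Get-Date).AddYears(1)

"Key ID:      $($key.Id)"
"Version:     $($key.Version)"
"Allowed ops: $($key.Key.KeyOps -join ', ')"

# Only the public parameters ever leave the vault. They are enough to wrap a locally
# generated data-encryption key; unwrapping must go through the vault's unwrapKey
# operation, which an access policy has to grant to the caller.
$dataKey = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($dataKey)
$rsaPublic = $key.Key.ToRSA()   # JsonWebKey.ToRSA() without private parameters
$wrapped   = $rsaPublic.Encrypt($dataKey, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1)
"Wrapped data key: $($wrapped.Length) bytes, stored alongside the ciphertext it protects"

# Rotation: adding a key with the same name creates a new version. The previous version
# stays usable by its version ID until it is disabled, so disable it once nothing
# depends on it any more.
$newKey = Add-AzureKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software `
    -KeyOps wrapKey,unwrapKey -Size 2048 -Expires (Get-Date).AddYears(1)
Set-AzureKeyVaultKeyAttribute -VaultName $vaultName -Name $keyName -Version $key.Version -Enable $false | Out-Null

"Current version: $($newKey.Version)"
Get-AzureKeyVaultKey -VaultName $vaultName -Name $keyName -IncludeVersions |
    Select-Object Version, Enabled, Expires
```

Anything wrapped with the old version can only be unwrapped with that version, so keep the key version ID with each wrapped data key and re-wrap before disabling the old version for good.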

Managing certificates

To create a new self-signed certificate in Azure, you can use the following:

Note that it may take some time for the certificate to appear in the Azure portal.

[Screenshot: Creating a new self-signed certificate in a Key Vault]

After a couple of minutes, you can get the details with the following command:

[Screenshot: Getting the certificate details]

And with the following command, you can import an existing .PFX file into Azure:

[Screenshot: Importing an existing .PFX certificate into a Key Vault]

When importing a certificate into Azure, the certificate key becomes a Managed Key. It then appears under both the Keys and Certificates sections.
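The following added example (not the article's own commands) covers the whole certificate section with the AzureRM cmdlets: defining a policy, creating a self-signed certificate, waiting for the create operation to finish instead of guessing at a delay, reading the details, importing an existing .PFX file, and confirming that the vault now exposes a managed key and a secret under the certificate's name. It assumes Login-AzureRmAccount has been run; the vault name, certificate names, subject and file path are placeholders.

```powershell
# Added example (not from the article). Assumes Login-AzureRmAccount has been run;
# vault name, certificate names, subject and PFX path are placeholders.
$vaultName = 'kv-demo-placeholder'
$certName  = 'web-demo-cert'

# The policy decides what the vault generates: a self-signed cert whose private key can
# never be exported, auto-renewed 30 days before expiry.
$policy = New-AzureKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' `
    -SubjectName 'CN=demo.example.com' -IssuerName Self -ValidityInMonths 12 `
    -RenewAtNumberOfDaysBeforeExpiry 30 -KeyNotExportable

# Creation is asynchronous. Poll the operation instead of sleeping for "a couple of minutes".
$op = Add-AzureKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificatePolicy $policy
while ($op.Status -eq 'inProgress') {
    Start-Sleep -Seconds 10
    $op = Get-AzureKeyVaultCertificateOperation -VaultName $vaultName -Name $certName
}
if ($op.Status -ne 'completed') {
    throw "Certificate creation ended with status '$($op.Status)': $($op.ErrorMessage)"
}

# Details: .Certificate is an X509Certificate2 built from the public part only.
$cert = Get-AzureKeyVaultCertificate -VaultName $vaultName -Name $certName
"Subject:    $($cert.Certificate.Subject)"
"Thumbprint: $($cert.Certificate.Thumbprint)"
"Expires:    $($cert.Certificate.NotAfter)"

# Importing an existing PFX. Prompting for the password keeps it out of the script file
# and the command history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Import-AzureKeyVaultCertificate -VaultName $vaultName -Name 'imported-cert' `
    -FilePath 'C:\certs\example.pfx' -Password $pfxPassword | Out-Null

# A certificate in Key Vault is backed by a managed key and a secret that share its
# name: the key holds the private key, the secret holds the PKCS#12 blob.
foreach ($name in $certName, 'imported-cert') {
    Get-AzureKeyVaultKey    -VaultName $vaultName -Name $name | Select-Object Name, Version, Enabled
    Get-AzureKeyVaultSecret -VaultName $vaultName -Name $name | Select-Object Name, ContentType, Enabled
}
```

Because the PKCS#12 blob is reachable through the secret, a principal with get on secrets can download the imported certificate including its private key; grant that permission deliberately.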

The most common scenarios are:

  • Referencing Key Vaults from ARM templates to get keys, secrets, and certificates
  • Calling out passwords from PowerShell scripts
  • Storing the Base64 data of a certificate as a secret in a Key Vault
  • Encrypting a virtual machine with an Azure-managed key
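The third scenario, storing a certificate's Base64 data as a secret so that a VM can pick it up at provisioning time, works differently from importing the certificate into the Certificates section. The added example below (not the article's own code) packages a .PFX file in the JSON envelope the Azure VM agent expects, stores it as a secret, and attaches it to a VM configuration. It assumes Login-AzureRmAccount has been run and that the vault was created with -EnabledForDeployment; the vault name, secret name, PFX path and VM name are placeholders.

```powershell
# Added example (not from the article). Assumes Login-AzureRmAccount has been run and
# the vault was created with -EnabledForDeployment; names and paths are placeholders.
$vaultName  = 'kv-demo-placeholder'
$secretName = 'web-cert-pfx'
$pfxPath    = 'C:\certs\example.pfx'

# The PFX password has to be embedded in the envelope, so it is prompted for and only
# held in plain text for the moment the JSON is built.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
$plainPw = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Envelope: { data: <base64 pfx>, dataType: "pfx", password: <pfx password> }, itself
# Base64-encoded before it is stored as the secret value.
$pfxBase64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($pfxPath))
$envelope  = @{ data = $pfxBase64; dataType = 'pfx'; password = $plainPw } | ConvertTo-Json -Compress
Remove-Variable plainPw
$secretValue = ConvertTo-SecureString -AsPlainText -Force `
    -String ([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($envelope)))

Set-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName `
    -SecretValue $secretValue -ContentType 'application/x-pkcs12' | Out-Null

# The VM provisioning step is refused unless the vault is enabled for deployment.
$vault = Get-AzureRmKeyVault -VaultName $vaultName
if (-not $vault.EnabledForDeployment) {
    throw "Vault $vaultName is not enabled for deployment; run Set-AzureRmKeyVaultAccessPolicy -EnabledForDeployment first"
}

# Reference the secret from a VM configuration: the VM agent installs the PFX into the
# LocalMachine\My store when the VM is created. New-AzureRmVMConfig runs locally; the
# configuration still needs OS, network and disk settings before New-AzureRmVM.
$secret   = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName
$vmConfig = New-AzureRmVMConfig -VMName 'vm-demo' -VMSize 'Standard_B2s'
$vmConfig = Add-AzureRmVMSecret -VM $vmConfig -SourceVaultId $vault.ResourceId `
    -CertificateStore 'My' -CertificateUrl $secret.Id
$vmConfig.OSProfile.Secrets | ConvertTo-Json -Depth 5
```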

We’ve had a quick look at the Key Vault fundamentals. Indeed, many more combinations are possible with Key Vaults in Azure environments.


5 Comments
  1. sandeepH 3 months ago

    Thanks for the Article,

    Is there any article on encryption of ADLS with Key Vault?


  2. Sandeep0878 3 months ago

    Thanks for the article,

    Is there any article on encryption of ADLS with Key Vault?


  3. Leila Chinaveh 4 weeks ago

    Hi

    Is there any way to check the availability of a Key Vault name in PowerShell, like the command we have for storage account names?


  4. Author
    Baki Onur Okutucu 9 hours ago

    Hi Leila,

    You can use the following code to check Key Vault name availability on Azure.

    Please ensure you've filled in the first section of the code.

    ## change here ##

    $TENANTID=""
    $SUBSCRIPTIONID=""
    $APPID=""
    $PASSWORD=""
    $NameToCheck="keyvaultname1"

    #####

    ### do not make any changes here ###

    # Obtain an access token for the Azure Resource Manager API with the service principal's client credentials
    $result=Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = "$APPID"; "client_secret" = "$PASSWORD" }
    $token=$result.access_token

    # checkNameAvailability expects a JSON body, so convert the hashtable before sending it
    $Body = @{
    "name"= $NameToCheck
    "type"= "Microsoft.KeyVault/vaults"
    } | ConvertTo-Json

    # Invoke-RestMethod sets the Host header itself; setting it by hand fails in Windows PowerShell
    $Headers=@{
    'Authorization'="Bearer $token"
    'Content-Type'='application/json'
    }

    $Uri = "https://management.azure.com/subscriptions/$SUBSCRIPTIONID/providers/Microsoft.KeyVault/checkNameAvailability?api-version=2018-02-14"

    # The response contains nameAvailable (true/false) plus a reason and message when the name is taken or invalid
    Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Post -Body $Body -ContentType 'application/json'

    ######


  5. Author
    Baki Onur Okutucu 9 hours ago

    Hi Sandeep,

    You can use the following code:

    # Create the Key Vault key that Data Lake Store will encrypt with, and note its version
    $Key = Add-AzureKeyVaultKey -Destination Software -Name "keyname" -VaultName "keyvaultname"
    $KeyId = $Key.Version.ToString()
    # Deploy the ADLS account from an ARM template that takes the vault, key name and key version as parameters
    New-AzureRmResourceGroupDeployment -ResourceGroupName "resourcegroupname" -TemplateFile "armtemplate.json" -DataLakeStoreName "ADLSName" -KeyVaultName "keyvaultname" -DataLakeStoreKeyVaultKeyName $Key.Name -DataLakeStoreKeyVaultKeyVersion $KeyId
    # Grant the account's managed identity the key permissions it needs, then enable Key Vault encryption
    $ADLSACC = Get-AzureRmDataLakeStoreAccount -Name "ADLSName"
    $ADLSACCSPNID = $ADLSACC.Identity.PrincipalId
    Set-AzureRmKeyVaultAccessPolicy -VaultName "keyvaultname" -ObjectId $ADLSACCSPNID -PermissionsToKeys encrypt,decrypt,get -BypassObjectIdValidation
    Enable-AdlStoreKeyVault -Account $ADLSACC.Name


© 4sysops 2006 - 2018