Adding a secret to Azure KeyVault

Why?

A secret store is useless unless there are secrets to store.

What?

PowerShell will be used to import a secret into Azure KeyVault.

How?

Figure 1: Adding a secret to Azure KeyVault [1].
$password = ConvertTo-SecureString -String '[password]' -AsPlainText -Force

$key = Add-AzureKeyVaultKey `
-VaultName '[vault name]' `
-Name '[key name]' `
-KeyFilePath '[path to PFX file]' `
-KeyFilePassword $password

ConvertTo-SecureString is used to convert the PFX password string to a secure string that can be passed into the -KeyFilePassword parameter of the Add-AzureKeyVaultKey cmdlet.

Add-AzureKeyVaultKey can be used to import an existing key into KeyVault. It can also be used to create a new key.

If you create or import a key that has the same name as an existing key in your key vault, the original key is updated with the values that you specify for the new key. You can access the previous values by using the version-specific URI for that version of the key. To learn about key versions and the URI structure, see “About Keys and Secrets” in the Key Vault REST API documentation (http://go.microsoft.com/fwlink/?linkid=518560) [2].

As a best practice, back up your key after it is created or updated, by using the Backup-AzureKeyVaultKey cmdlet. There is no undelete functionality, so if you accidentally delete your key or delete it and then change your mind, the key is not recoverable unless you have a backup of it that you can restore [2].

Figure 2: cmdlet syntax for creating a new key [2].
Parameter Set: Create
Add-AzureKeyVaultKey `
[-VaultName] <String> ` # required
[-Name] <String> ` # required
-Destination <String> {HSM | Software} ` # required when creating, optional otherwise
[-Disable] `
[-Expires <DateTime> ] `
[-KeyOps <String[]> ] `
[-NotBefore <DateTime> ] `
[-Tags <System.Collections.Hashtable> ] `
[<CommonParameters>]

Figure 3: cmdlet syntax for importing an existing key [2].
Parameter Set: Import
Add-AzureKeyVaultKey `
[-VaultName] <String> ` # required
[-Name] <String> ` # required
-KeyFilePath <String> ` # required
[-Destination <String> {HSM | Software} ] `
[-Disable] `
[-Expires <DateTime> ] `
[-KeyFilePassword <SecureString> ] ` # required when importing PFX file
[-KeyOps <String[]> ] `
[-NotBefore <DateTime> ] `
[-Tags <System.Collections.Hashtable> ] `
[<CommonParameters>]

The cmdlet outputs an instance of Microsoft.Azure.Commands.KeyVault.Models.KeyBundle. The returned object can be inspected to confirm that the key was imported successfully.

Figure 4: Validating the key was successfully imported [1].
$key.key.kid

Output: https://[vault name].vault.azure.net/keys/[key name]/[version id]
Example: https://sfkeyvault7.vault.azure.net/keys/SFKey/2642da0a4e6b4d38ab1a2d52e0edae8a
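The steps above (import, validate the returned key id, then back up as recommended) combined into one script, as an added example that is not part of the original post. It uses the same AzureRM-era cmdlets as the post; the vault, key, PFX and backup paths are placeholder parameters, and the -KeyOps and -Expires values are assumptions chosen to illustrate restricting the key.

```powershell
# Added example (not from the original post): import a PFX into Key Vault,
# validate the key id that comes back, then back the key up immediately.
# All four parameters are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $VaultName,
    [Parameter(Mandatory)] [string] $KeyName,
    [Parameter(Mandatory)] [string] $PfxPath,
    [Parameter(Mandatory)] [string] $BackupPath
)

# Prompt for the PFX password rather than passing it on the command line,
# so it does not end up in shell history or a saved script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# -KeyFilePath selects the Import parameter set. -KeyOps and -Expires are
# assumed values here: they limit the key to signing and to a one-year lifetime.
$key = Add-AzureKeyVaultKey `
    -VaultName $VaultName `
    -Name $KeyName `
    -KeyFilePath $PfxPath `
    -KeyFilePassword $pfxPassword `
    -Destination 'Software' `
    -KeyOps @('sign', 'verify') `
    -Expires (Get-Date).AddYears(1)

# Validate: the kid must be a versioned URI under this vault and key name,
# matching the https://[vault].vault.azure.net/keys/[key]/[version] shape.
$expectedPrefix = "https://$VaultName.vault.azure.net/keys/$KeyName/"
if (-not $key.Key.Kid.StartsWith($expectedPrefix, [StringComparison]::OrdinalIgnoreCase)) {
    throw "Unexpected key id returned: $($key.Key.Kid)"
}
$version = $key.Key.Kid.Substring($expectedPrefix.Length)
Write-Host "Imported '$KeyName' as version $version"

# There is no undelete, so a backup taken now is the only recovery path.
Backup-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName -OutputFile $BackupPath
Write-Host "Backup written to $BackupPath"
```

Run it after Login-AzureRmAccount (or the equivalent sign-in for your module version) with an account that has key import and backup permissions on the vault.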

Further Reading

Refer to the following example to create a self-signed certificate to import into Azure KeyVault.

Creating a self-signed certificate

Refer to the following example to create an instance of Azure KeyVault to store imported secrets.

Setting up Azure KeyVault using PowerShell

Works Cited

  1. Programming Microsoft Azure Service Fabric (ISBN 9781509301881), by Haishi Bai
  2. https://msdn.microsoft.com/en-us/library/dn868048.aspx
