Share via

Can I restore Keys (and other secrets) from a Key vault into another Subscription?

Pierre Beucher 0 Reputation points
2024-07-09T12:37:35.8933333+00:00

Azure doc specifies that Keys and other secrets from a Key Vault backup must be restored into an Azure Key Vault of the same Subscription it originates (or so I understand).

When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography.

What if I lost access to original Subscription and I need to restore my data into another Subscription or Tenant? Is it possible?

For context: we're designing disaster recovery for systems relying on Azure Key Vault - including the "losing entire Subscription" scenario, in which case we need to restore into another Subscription. We need to know if our data can be recovered in such situation.

Thanks in advance !

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,319 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vahid Ghafarpour 21,805 Reputation points
    2024-07-09T20:10:25.2833333+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    You may consider backing up your entire subscription (including Key Vaults) using Azure Resource Manager templates or Azure Backup.

    This way, you can restore the entire subscription to a different location.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful **

    0 comments
  2. Akhilesh Vallamkonda 10,325 Reputation points Microsoft Vendor
    2024-07-11T15:04:08.72+00:00

    Hi @Pierre Beucher

    Thank you for reaching us!

    Azure Key Vault is automatically tied to the default Microsoft Entra ID tenant ID for the subscription in which it is created.

    All access policy entries and roles assignments are also tied to this tenant ID. If you move your Azure subscription from tenant A to tenant B, your existing key vaults will be inaccessible by the service principals (users and applications) in tenant B. To fix this issue, you need to follow below.

    • Change the tenant ID associated with all existing key vaults in the subscription to tenant B.
    • Remove all existing access policy entries.
    • Add new access policy entries associated with tenant B.

    For more information, please read Moving an Azure Key Vault to another subscription

    Hope this helps. Do let us know if you any further queries.

    Thanks,

    Akhilesh.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.