Share via

When you create an RSA key in azure keyvault (lets say RSA or EC) is it creating a public or a private key?

Anuj Jain 71 Reputation points
2022-10-07T00:22:18.453+00:00

Hi,
When you create an RSA key in the Azure key vault (let's say RSA or EC), is the key vault generating a public or a private key?
Either way, how can you download your public key that you can give someone else to sign anything?
And how do you download the private key that you can use to decrypt the signed stuff?

My question is about the private/public key generation and handling of the key vault.
I understand that the answer may be that the private key never leaves the vault, and the key that is downloadable/copied is the public key.

In that case, does why does the VM creation process allow one to create an SSH key pair?

In other words, I find it odd that the key vault, the service used to manage key, will not let you generate a key-pair.
Am I off on this subject?

Thanks again for your answer.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,448 questions
Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-10-10T11:43:17.097+00:00

    Hi @Anuj Jain ,

    Thanks for reaching out.

    Your understanding is correct here and all the queries you have are valid from developer's point of view.

    All the secrets, keys, certificates, SSH pairs generated are always in key pair value either to validate or sign by other party to work together.
    But if those private keys are exposed to attackers, then all our services and resources are compromised.

    To avoid the exposure to private keys, we need to store them at safe place which reduce the chance of accidental cause.

    Azure Key Vault is used to store private keys. When you create RSA or EC is Azure Key vault, it creates a private key, but we can't retrieve or download private keys for RSA. It is part of security guarantee that key is generated in vault or HSM tied to security world, and it never leaves the security boundary.

    Microsoft and your application don't have access to the stored keys directly once a key is created or added to a key vault. Applications must use your keys by calling cryptography methods on the Key Vault service.

    However, you can download the public key from the

    1. Azure portal (in .pem format)

    249032-image.png
    2.Using CLI 

      az keyvault key show --vault-name 'keyvaultname' --name 'keyName' --version 'keyVersion' > C:\Users\Desktop\output.txt

    It will export the key as text file.

    VM creation or most of the time certificates as well provide private/public key pair, but those private keys are always in compromised state and always require owners to keep them in safe place. To avoid this, Azure adds one more layer of security, Azure Key Vault which provide safe vault for those large number of secrets, passwords, keys which is difficult to keep safe.

    Hope this will help.

    Thanks,
    Shweta

    ---------------------------------------------------

    Please remember to "Accept Answer" if answer helped you.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.