how to import only the public side of an RSA key

Moyer, Todd 80 Reputation points
2024-07-18T14:36:11.0333333+00:00

We have data to be exported via Azure Blob Storage that we want to encrypt with the recipient's RSA public key. However, the only way I can find to import a public key (without the private key) is as a Key Vault Secret. Unfortunately, secrets don't seem to be able to do the same cool stuff as keys:

  1. Container/Blob Encryption Scopes
  2. Key Wrapping

A lot of the security of Public/Private key pairs is derived from the sender not having the private part. Seems like essential functionality to provide in some way.

So... Is there a way to import just the public side of an RSA key into an Azure Key Vault Key?

If not, is there a way to do Encryption Scopes or Key Wrapping with an RSA public key stored as a secret?

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

1 answer

  1. James Hamil 23,061 Reputation points Microsoft Employee
    2024-07-18T17:15:20.5966667+00:00

    Hi @Moyer, Todd, you could try using the BYOK specification. You can use the az keyvault key import command with the --ops verify option. This option specifies that the key can only be used for verifying signatures and not for encryption or decryption. Something like this:

    az keyvault key import --vault-name MyKeyVault --name MyPublicKey --pem-file public_key.pem --ops verify

    For Encryption Scopes or Key Wrapping with an RSA public key stored as a secret, unfortunately, it is not possible. Secrets in Azure Key Vault are designed to store small amounts of sensitive data, such as passwords, connection strings, and API keys. They do not support the advanced cryptographic operations that keys do, such as encryption scopes or key wrapping. If you need to perform these operations, you will need to use a key instead of a secret.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

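An added example, not part of the original thread and not Azure tooling: wrapping a content-encryption key with only the recipient's RSA public key, using OpenSSL with RSA-OAEP and SHA-256 on the sender's machine. The function names and file paths are hypothetical, the key pair in `demo_roundtrip` is a constructed throwaway, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example: wrap a content-encryption key (CEK) with a public-only RSA PEM.
# Function names and file paths are hypothetical; assumes OpenSSL 1.1.1 or later.

# Succeed only if the PEM parses as a public key and carries no private key.
assert_public_only() {
  local pem="$1"
  if grep -q 'PRIVATE KEY' "$pem"; then
    echo "refusing: $pem contains private key material" >&2
    return 1
  fi
  openssl pkey -pubin -in "$pem" -noout 2>/dev/null || {
    echo "refusing: $pem is not a valid public key" >&2
    return 1
  }
}

# Sender side: wrap_cek <recipient_pub.pem> <cek.bin> <wrapped.bin>
wrap_cek() {
  assert_public_only "$1" || return 1
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# Recipient side: unwrap_cek <recipient_priv.pem> <wrapped.bin> <cek.bin>
unwrap_cek() {
  openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# Round trip with a constructed throwaway key pair; prints "match" or "mismatch".
demo_roundtrip() {
  local d; d="$(mktemp -d)"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/priv.pem" 2>/dev/null
  openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
  openssl rand -out "$d/cek.bin" 32   # 256-bit CEK for the bulk cipher
  wrap_cek "$d/pub.pem" "$d/cek.bin" "$d/wrapped.bin" &&
    unwrap_cek "$d/priv.pem" "$d/wrapped.bin" "$d/out.bin" &&
    cmp -s "$d/cek.bin" "$d/out.bin" && echo match || echo mismatch
  rm -rf "$d"
}

# Run the round trip only when invoked as: ./wrap.sh demo
if [ "${1:-}" = "demo" ]; then demo_roundtrip; fi
```

The wrapped key and the ciphertext it protects can be stored together; only the holder of the private key can recover the CEK.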