Generate GPG (PGP) key pair in Azure and store in Azure Key Vault

Gupta, Rajesh 81

Is there an easy way to generate GPG (PGP) key pair in Azure and store in Azure Key Vault?

lakshmikanth 1 Reputation point

2022-04-04T12:18:41.543+00:00

@JamesTran-MSFT : Could you please help me to provide command for converting base64 to .asc file. i was using below command but its generating in correct one.

[System.Text.Encoding]::UTF8.GetString(([System.Convert]::FromBase64String($privatekey)|?{$_}))|Out-File suseek_privatekey.asc

Accepted answer

JamesTran-MSFT 36,371 Reputation points Microsoft Employee

2021-09-09T21:45:47.993+00:00
@Gupta, Rajesh
Thank you for your post and I apologize for the delayed response!

I'm not too familiar with PGP keys, but I did find some information on this which I'll share below.

PGP KEY process:

Use PGP key tool to create PGP key pair with passphrase

Export from PGP key tool, the PGP public Key and PGP Private Key as text files (.asc)

Use Powershell to BASE 64 files: PGP public key, PGP Private Key, and PassPhrase

Import BASE 64 files in to Azure Key Vault Secrets via Azure Portal or Powershell

If this is the current process you're referring to when creating PGP keys and storing them in the Azure Key Vault, the Key type (.asc) currently isn't supported by the Key Vault. For more info. If this isn't the process you're using, can share some documentation or examples so I can gain a better understanding of your issue.

About keys

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Please sign in to rate this answer.

1 person found this answer helpful.
Gupta, Rajesh 81 Reputation points

2021-09-10T14:29:37.43+00:00

@JamesTran-MSFT thanks for the info, this is helpful.

To be more specific, I am looking at way to generate and secure the private portion of GPG key in such a way that it remains securely within Azure Key Vault during the entire life cycle of the key. Maybe this could be a future enhancement to consider.

Scott Stauffer - Flight Centre 26 Reputation points

2021-12-23T19:20:11.397+00:00

I went to my Azure Key Vault in the Azure portal; In the Settings section on the left, I chose Keys; I clicked the + Generate/Import button to "Create a key" - No options for using a passphrase?! No option for Comments?

Yes, when generating OpenSSH keys (RSA 2048) from BASH with ssh-keygen, there is the option to create a "passphrase" - This is very much desired.
I'm hoping Microsoft adds this capability, in addition to "comments", "fingerprint",
and also to Save Public Key to a file that you can share with a partner organization.

I don't see anything in the documentation about handling these aspect of a secrets in Azure Key Vault, or generating them.
I'm a little surprised. I don't think I'm the only one...

If you were brought to this thread, please login and vote this comment up - It lets Microsoft know that this is important to its customers!

@JamesTran-MSFT

Gupta, Rajesh 81 Reputation points

2021-12-23T23:10:07.473+00:00

@Scott Stauffer - Flight Centre I agree with the enhancements you proposed. These capabilities will make Azure Key Vault truly enterprise ready.

Dai Truong 5 Reputation points

2023-11-23T08:57:58.4133333+00:00

I'm implementing Dynamics 365 for Sales and SAP S/4HANA integration on the cloud platform, and they use text files for integration. They use PGP Encryption. Do you know about Azure and Dynamics 365 support like?
Sign in to comment

1 additional answer

Scott Stauffer - Flight Centre 26 Reputation points

2021-12-24T00:27:30.837+00:00

Hello @Gupta, Rajesh

I discovered that there IS a way to do this.
I might do a quick YouTube video on this, BUT, for now...
You can click on the Cloud Shell button in the top banner row of the Azure Key Vault (or anywhere in the Azure Portal for that matter!)
The Cloud Shell icon looks like the PowerShell Icon.
The Cloud Shell allows you to run both BASH and PowerShell Commands. If it is your first time using the Cloud Shell, it may ask you to create some storage for the purposes of creating files in.

1/3
Please sign in to rate this answer.

2 people found this answer helpful.
Scott Stauffer - Flight Centre 26 Reputation points

2021-12-24T00:30:43.447+00:00

Within the BASH Shell, you can execute this command:

ssh-keygen -t rsa -b 2048 -m PEM -f "FileNameThatIsUsedForYourKeyPair.pem" -C "This Comment Shows up in the Fingerprint" -P "This is an optional Passphrase that adds an additional layer of security for

And it will return the following results:

my SSH RSA Key" Generating public/private rsa key pair. Your identification has been saved in FileNameThatIsUsedForYourKeyPair.pem Your public key has been saved in FileNameThatIsUsedForYourKeyPair.pem.pub The key fingerprint is: SHA256:w+8fKoa8wLDIEAYiWF6ShaOR8TYI8H0NX0VBdvRQao4 This Comment Shows up in the Fingerprint The key's randomart image is: +---[RSA 2048]----+ |X+o+o . .+*o+..| |O=++ + . . . + | |o+*.. . o o .| |oo . . . + | |. . S E . | |o. + o | |... o. . . . | | .o o. . . | | .o .o.. | +----[SHA256]-----+

2/3

Scott Stauffer - Flight Centre 26 Reputation points

2021-12-24T00:35:07.333+00:00

The -m PEM is what generates the Private key in a format that Azure Key Vault will allow you to import.
AKV will only allow files with .pem extensions and the follow the legacy PEM format as opposed to the NEW PEM format... apparently...
I needed RSA 2048 for my purposes.
It was also suggested that I use a Passphrase.
If you import the Private Key file into Azure (the .pem and not the .pub) and you used a Passphrase, then you will be asked to provide the "Password" in order to import the Key, or do ANYTHING with the Key for that matter (Yes, Password in Azure refers to the Passphrase).
It does not appear that the Azure UI will allow you to initially create a key with a Passphrase, and I guess this makes sense... as you are not able to remove this key from AKV once you put it there. You can take a backup, which allows you to restore it to Azure only, I suspect...

Hope this helps.

3/3

Gupta, Rajesh 81 Reputation points

2021-12-24T21:23:49.257+00:00

Thanks @Scott Stauffer - Flight Centre for the detailed info. I will give it a try, this looks reasonable from a usage perspective.

Dai Truong 5 Reputation points

2023-11-23T09:05:23.7366667+00:00

@Gupta, Rajesh Do you have solution for this requirement?
Sign in to comment