Announcing Backup and Restore of Keys, Secrets and Certificates

Hello Folks,

Today we're very excited to announce the General Availability of a feature where in you could backup and restore a Key, Certificate, Secret or a Managed Storage account key in Azure Key Vault.

By default, Azure Key Vault has multiple layers of redundancy within the region where it is hosted, and it is replicated to another region within the same geographic region. In the unlikely event of a region failure in Microsoft Azure, the remaining region will take over the Azure Key Vault after a few minutes, but the Azure Key Vault will be in read-only mode. All that high availability and resiliency of the service is built-in — customers wouldn't have to configure anything.

In some scenarios, the enterprise or the developer wants to control the disaster recovery capabilities and create a replica of a Key Vault to another region without relying on Microsoft Azure to perform the failover.

Azure Key Vault allows the process to export Keys, Secrets, Certificates and Storage Account Keys from Key Vault in a protected form as long as they are in the same subscription and same geography.

Note - This operation does NOT return the key or secret material in a form that can be used outside the Azure Key Vault system.

The returned key or secret material is protected either to a Azure Key Vault HSM or to Azure Key Vault itself.

The intent of this operation is to allow a client to GENERATE a secret in one Azure Key Vault instance, BACKUP the secret, and then RESTORE it in another Azure Key Vault instance.

Another important point to note is individual versions of a key/secret CANNOT be backed up, instead all versions of the key/secret will be downloaded

Now without any further ado let's see how this works

    • In Azure CLI you would use
      az keyvault key backup --file <FileName> --name <NameOfTheKeyStoredInKeyVault> --vault-name <VaultName>
      The parameters --file, --name and --vault-name are required.
      --file is the local file path in which to store the key backup
      --name is the Name of the key stored in Azure Key Vault
      --vault-name is the Name of the Key Vault the key is stored in
      For more about this command please read documentationNow to restore the key you would use
      az keyvault key restore --file <FileName> --vault-name <VaultName>
      --file is the local backup from which to restore the key
      --vault-name is the name of the vault you would want to restore to.
      Similarly the command for Secret backup is
      az keyvault key backup --file <FileName> --name <NameOfTheKeyStoredInKeyVault> --vault-name <VaultName>

    • In Powershell to Back up a key with an automatically generated file name you would use
      Example 1: PS C:\Users\username\> Backup-AzureKeyVaultKey -VaultName 'MyKeyVault' -Name 'MyKey'
      This command retrieves the key named MyKey from the key vault named MyKeyVault and saves a backup of that key to a file that is automatically named for you, and displays the file name.Example 2: Back up a key to a specified file name
      PS C:\> Backup-AzureKeyVaultKey -VaultName 'MyKeyVault' -Name 'MyKey' -OutputFile 'C:\Backup.blob'
      This command retrieves the key named MyKey from the key vaultnamed MyKeyVault and saves a backup of that key to a file named Backup.blob.

      Example 3: Back up a previously retrieved key to a specified file name, overwriting the destination file without prompting.
      PS C:\> $key = Get-AzureKeyVaultKey -VaultName 'MyKeyVault' -Name 'MyKey'

      PS C:\> Backup-AzureKeyVaultKey -Key $key -OutputFile 'C:\Backup.blob' -Force

      This command creates a backup of the key named $key.Name in the vault named $key.VaultName to a file named Backup.blob, silently overwriting the file if it exists already.

      To learn more about how to back up a certificate using Powershell please take a look at these AzureKeyVaultCertificate
      For backing up a secret visit - BackupAzureKeyVaultSecret
      For backing up a Managed Storage Account key visit - BackupManagedStorageAccount

    • If you want to use the REST API then you would use this HTTP command
      POST {vaultBaseUrl}/keys/{key-name}/backup?api-version=2016-10-01
      where the vaultBaseUrl is the full URI of the vault. For example is the name of the key and api-version is the Client API version.

      And to backup a secret you would use
      POST {vaultBaseUrl}/secrets/{secret-name}/backup?api-version=2016-10-01


To learn more about how to back up a secret refer our REST API documentation here for secrets

That's all folks!
We are very excited about this feature and would love to hear feedback about the same. Please post your comments on our feedback forum