We have a requirement to create an RSA key pair using Azure Key Vault and copy the RSA public key to an external system. The requirement is that the external system will encrypt the data using the public key and the internal system will talk to Azure Key Vault and decrypt the data. I don't have access to Azure Key Vault yet, so I am going through the documentation. I have two basic questions:
Is there a way to export the RSA public key in a text format using the Azure portal without using the API (https://learn.microsoft.com/en-us/rest/api/keyvault/getkey/getkey)?
If I don't select 'set activation' or 'set expiration' date while creating the keys, will the key expire? Do they have a default expiration value?
Thanks in advance.
Is there a way to export the RSA public key in a text format using Azure portal without using API
The only way to export the key in the portal is Download Backup. You will get a file like xxxxvault1-testkey-20181227.keybackup, but the key will be encrypted; it cannot be used outside the Azure Key Vault system.
If you want to export the key unencrypted, you can use the Azure CLI:
az keyvault key show --vault-name 'keyvaultname' --name 'testkey' --version 'e8dfb0f7b7a045b5a1e80442af833270' > C:\Users\joyw\Desktop\output.txt
It will export the key to the file output.txt.
If I don't select 'set activation' or 'set expiration' date while creating the keys, will the key expire? Do they have a default expiration value?
AFAIK, if you don't set an expiration date, it will never expire.
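What `az keyvault key show` prints is not a PEM file but the JSON Web Key representation of the key: the modulus and exponent arrive as the base64url fields `n` and `e`, and most external systems will want them as a standard PEM public key instead. The converter below is an added example, not part of the answer above and not Azure tooling; it uses only the Python standard library and hand-encodes the SubjectPublicKeyInfo DER structure. The embedded sample document is constructed to mimic the CLI output (the `kid`, version and tiny 2-byte modulus are illustration values, not a real key).

```python
"""Turn the JSON that `az keyvault key show` prints for an RSA key into a standard
PEM public key (SubjectPublicKeyInfo, the format most external systems expect),
using only the Python standard library."""
import base64
import json
import sys

# Constructed sample in the shape `az keyvault key show` emits. The kid, the key
# version and the 2-byte modulus are illustration values, not a real Key Vault key.
SAMPLE_KEY_SHOW_OUTPUT = json.dumps({
    "attributes": {"enabled": True, "exp": None, "nbf": None},
    "key": {
        "kty": "RSA",
        "kid": "https://keyvaultname.vault.azure.net/keys/testkey/e8dfb0f7b7a045b5a1e80442af833270",
        "n": "xQE",    # base64url of the bytes C5 01, unpadded as in any JWK
        "e": "AQAB",   # 65537
        "key_ops": ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"],
    },
})

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1


def b64url_decode(s: str) -> bytes:
    """JWK fields are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_unsigned_integer(raw: bytes) -> bytes:
    """DER INTEGER from an unsigned big-endian magnitude: minimal length, plus a
    leading 0x00 when the top bit is set so the value is not read as negative."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return der_tlv(0x02, raw)


def rsa_jwk_to_spki_der(jwk: dict) -> bytes:
    """SubjectPublicKeyInfo := SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    if jwk.get("kty") not in ("RSA", "RSA-HSM"):   # Key Vault reports HSM-backed keys as RSA-HSM
        raise ValueError(f"not an RSA key: kty={jwk.get('kty')!r}")
    rsa_public_key = der_tlv(0x30, der_unsigned_integer(b64url_decode(jwk["n"]))
                             + der_unsigned_integer(b64url_decode(jwk["e"])))
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # rsaEncryption, NULL params
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # BIT STRING, 0 unused bits
    return der_tlv(0x30, algorithm + subject_public_key)


def der_to_pem(der: bytes, label: str = "PUBLIC KEY") -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def key_show_json_to_pem(text: str) -> str:
    """Accepts the whole `az keyvault key show` document or just its `key` object."""
    doc = json.loads(text)
    return der_to_pem(rsa_jwk_to_spki_der(doc.get("key", doc)))


if __name__ == "__main__":
    # az keyvault key show --vault-name keyvaultname --name testkey | python jwk2pem.py --stdin > testkey.pub.pem
    text = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_KEY_SHOW_OUTPUT
    sys.stdout.write(key_show_json_to_pem(text))
```

The resulting file can be checked with `openssl rsa -pubin -in testkey.pub.pem -text -noout`; for a 2048-bit key the DER is 294 bytes, which is a quick sanity check that the length encoding came out right. Only the public half ever leaves Key Vault this way, which is exactly what the external system needs for encryption; decryption still has to go through the vault.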
Related
I am new to Azure and trying to understand if there is any correlation between a key and a secret in Azure Key Vault.
I have the below question on using a key against a secret.
E.g.:
Secret with db credentials
Represent key for accessing secret
Is this possible in azure key-vault?
Yes, it is possible.
You can store your DB password in a secret and your DB user in another secret, or even store both in the same secret. In the end, Key Vault saves strings.
In Key Vault you must follow these steps to create a secret:
Open the Secrets section and go to Generate/Import.
Insert the Name (key) and the secret value (value), and then create your secret.
After that, you can refer to the name to get the value of the secret.
Hope this helps!
I am trying to create an SFTP linked service (using keys) in Azure Data Factory.
The source (SFTP) team has shared a public key.
But in ADF, it is asking for private key content and a pass phrase.
Please help me: is this something the source team has to share (the pass phrase and private key content), or do I need to generate these keys using the public key shared by the source?
Regards,
Srinivas.
Convert your public key file into a base64 string (on Mac, run in the terminal: base64 -i yourkey.pub); then you can use that value for privateKeyContent.
In the ADF connector, change authenticationType to SshPublicKey.
passPhrase is required only if your key is protected with a password.
Also, I would suggest you store that sensitive data in Key Vault.
I have a Function App hosted in Azure. I access the functions via a key in the Host Keys that I created, MyKey. This is linked to a secret in the Key Vault via the following format:
#Microsoft.KeyVault(SecretUri=secret_uri_with_version)
Now if the key inside the Function App is renewed, I lose the edited value above and it is replaced with a random key value.
How can I make it so that if someone renews the key in the Function App, the link to the Key Vault is not lost?
I want to acquire a token from an Azure app registration with a certificate.
I followed the instructions here and generated a self signed certificate with Powershell. I also imported the public key into the portal.
But if I want to access the app via .NET, I need to provide the following MSAL configuration:
The CertificateFileContents is just the public key I exported from certmgr. But what should I put as the CertificatePass? Is this a hash? Or a private key? I could not find anything in the docs, and the link above does not give me any advice either...
Also, I do not really understand why the private key is not imported to the portal.
In my experience, CertificatePass should be required when you export a private key.
This document used to have the following content:
Export the private key, specify a password for the cert file, and
export to a file.
But now it only tells you to export a public key. You can see the details in this issue.
So, based on the SharePoint document, if you are reading a PFX file from your local machine, I think you should use the private key with a password.
Okay, the CertificatePass was the password for the certificate itself.
The Azure Portal itself only holds the public key.
The client application needs to provide the whole certificate with private and public key.
If you export a private/public key from Certificate Manager in Windows 10, you will not be able to export it directly as base64, but you can create a PFX file.
Those files can later be encoded to Base64 with a tool of your choice. For example this.
The password for your certificate has to be the CertificatePass; the FileContents are the Base64 public and private key, but decrypted with the password.
This is of course only an approach for testing purposes. In a production environment you would rather use Key Vault or something similar so as not to have any secrets in your appsettings.json.
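The reason the portal only ever holds the public certificate, which the answers above establish but do not explain, is how certificate credentials work: the client proves possession of the private key by signing a short-lived JWT (the client assertion) and the token endpoint checks that signature with the certificate on file, so the private key never has to leave the client. The model below is an added example, not code from the question, the answers or MSAL; it uses only the Python standard library and a toy RSA key generated on the fly (not secure, not for real use). The assertion header and claims follow the Microsoft identity platform's documented certificate-credential format (x5t thumbprint header; aud, iss, sub, jti, nbf, exp claims); the certificate DER bytes used for the thumbprint are a constructed placeholder, since no real certificate is embedded.

```python
"""Both sides of a certificate credential: the client signs a JWT with the private
key from its PFX, the token endpoint verifies it with the uploaded public certificate.
Toy RSA key and bare PKCS#1 v1.5: for the demo only, never for production (use MSAL)."""
import base64
import hashlib
import json
import secrets
import time

SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for a throwaway demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def toy_rsa_keypair(bits: int = 1024):
    """Returns ((n, e), (n, d)). Toy generation: no CRT, no strength checks."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsassa_pkcs1_v15_sha256_sign(priv, msg: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t   # EMSA-PKCS1-v1_5
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def rsassa_pkcs1_v15_sha256_verify(pub, msg: bytes, sig: bytes) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    return secrets.compare_digest(em, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t)

def cert_thumbprint_x5t(cert_der: bytes) -> str:
    """x5t = base64url(SHA-1 of the certificate DER); it names which uploaded cert to use."""
    return b64url(hashlib.sha1(cert_der).digest())

def _enc(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def build_client_assertion(tenant_id: str, client_id: str, cert_der: bytes, priv, now=None) -> str:
    """Client side: what MSAL builds from the PFX (certificate + private key)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t": cert_thumbprint_x5t(cert_der)}
    claims = {"aud": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
              "iss": client_id, "sub": client_id, "jti": secrets.token_hex(16),
              "nbf": now, "exp": now + 600}
    signing_input = f"{_enc(header)}.{_enc(claims)}"
    return signing_input + "." + b64url(rsassa_pkcs1_v15_sha256_sign(priv, signing_input.encode()))

def verify_client_assertion(jwt: str, pub, expected_x5t: str, client_id: str, now=None) -> bool:
    """Token-endpoint side: everything here needs only the public certificate on file."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = jwt.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(c))
    except ValueError:
        return False
    if header.get("alg") != "RS256" or header.get("x5t") != expected_x5t:
        return False
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False
    return rsassa_pkcs1_v15_sha256_verify(pub, f"{h}.{c}".encode(), b64url_decode(s))
```

The assertion is what goes into the token request alongside `grant_type=client_credentials` and `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. This is also why the CertificatePass matters on the client only: MSAL needs it to open the PFX and reach the private key for signing, while the portal has nothing to decrypt because it only ever verifies.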
In Azure Portal > Key vaults > Secrets, I have secrets with JSON values (I did not create them). Something like:
...
"SubscriptionId": "XXXXXXX",
"BaseAuthUri": "https://login.microsoftonline.com/XXXXX/oauth/authorize?client_id="&api-version=
...
I would like to add another URL value to it. How can I edit the secrets with the Azure portal?
How is the value of api-version set?
Thanks
You can only change secret attributes such as the expiration date and activation date. You cannot change a secret's value programmatically or via the Azure Portal. If you want to update your secret without creating a new vault (meaning the secret identifier remains intact), you can create a new version of the existing secret.
If the secret value contains the variables to get the authorization code, you don't need the API version, because the URI you call is the authorization endpoint.