Store pgp keys in azure key vault


The short answer is that you can put anything you want in KeyVault as a secret, then extract it. Export your keys as a text file, save it in KeyVault as a secret, and you're on your way.

I was able to get this to work by modifying the code at https://github.com/lfalck/AzureFunctionsPGPDecrypt

Basically you can use gpg4win to generate keys, then call:

gpg --export-secret-keys --armor > key.asc

In Azure Key Vault, create two new Secrets (not Keys). One should be the contents of the key.asc file created above, and the other should be the passphrase used to protect the private key in gpg. Then the code in the link will read those secrets from Key Vault and pass them into the PGPCore library for decryption.

I'll also point out that for some reason the code in that repository requires the secrets to be converted to Base64 before putting them into KeyVault, because it will Base64 decode them before using them. This doesn't seem strictly necessary to me, but if you mess around with the code above you'll want to do that encoding.

This is presented as an Azure Function, but the concepts demonstrated there could be used in other contexts.
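As an added example (not code from the linked repository), the following Python shows the encode-before-upload and decode-after-read steps the answer describes, and models the newline loss that mherzig mentions in the comments below. The key block and passphrase are constructed placeholders, and simulate_keyvault_store is a stand-in for Key Vault itself.

```python
import base64

# Constructed sample (not a real key): only the ASCII-armor line structure matters here.
SAMPLE_KEY_ASC = (
    "-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
    "\n"
    "lQPGBGV4YW1wbGUBCAD/placeholder+body+line+one\n"
    "placeholder+body+line+two=\n"
    "=AbCd\n"
    "-----END PGP PRIVATE KEY BLOCK-----\n"
)
ARMOR_HEADER = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
ARMOR_FOOTER = "-----END PGP PRIVATE KEY BLOCK-----"


def is_intact_armor(text: str) -> bool:
    """True when header and footer each sit on their own line, as a PGP parser expects."""
    lines = text.splitlines()
    return len(lines) >= 2 and lines[0] == ARMOR_HEADER and lines[-1] == ARMOR_FOOTER


def encode_for_keyvault(text: str) -> str:
    """Base64 the whole file so the secret is one opaque line with no newlines to lose."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_from_keyvault(secret_value: str) -> str:
    """Reverse of encode_for_keyvault; apply to the value read back from Key Vault."""
    return base64.b64decode(secret_value.strip()).decode("utf-8")


def simulate_keyvault_store(value: str) -> str:
    """Stand-in for Key Vault, modelling the comment's claim that newlines are dropped."""
    return "".join(value.splitlines())


def round_trip_ok(text: str, use_base64: bool) -> bool:
    """Store a value (optionally base64-wrapped), read it back, check the armor survived."""
    stored = simulate_keyvault_store(encode_for_keyvault(text) if use_base64 else text)
    restored = decode_from_keyvault(stored) if use_base64 else stored
    return restored == text and is_intact_armor(restored)


if __name__ == "__main__":
    print("raw armor survives:   ", round_trip_ok(SAMPLE_KEY_ASC, use_base64=False))
    print("base64 armor survives:", round_trip_ok(SAMPLE_KEY_ASC, use_base64=True))
    # The passphrase gets the same treatment so the function code decodes both uniformly.
    print("passphrase secret:", encode_for_keyvault("constructed-passphrase"))
```

In a real function, decode_from_keyvault is applied to the .value of the secret returned by the Azure SDK's SecretClient.get_secret before the text is handed to the PGP library.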

Author: Arif Coskun

Updated on September 18, 2022

Comments

  • Arif Coskun
    Arif Coskun over 1 year

    I want to transfer an encrypted file from an SFTP server (Ubuntu) to Azure Storage using an Azure Data Factory pipeline. The customer is using PGP to encrypt files at rest and push them to the SFTP server, so the file will be PGP encrypted when arriving at SFTP. I need to decrypt the file to read from there. Besides, I want to store the PGP private key in Azure Key Vault to use it from Azure Data Factory. But the problem is I can not load PGP keys into Azure Key Vault since it is only accepting PFX and PEM format. So my question is - can I convert PGP keys to a different format? If so, can I use it for file decryption after changing it to a different format?

    • user10216038
      user10216038 almost 5 years
      I don't think I'm following? "... I need to decrypt the file to read from there ". Why are you decrypting the file to transfer it? You want to store your private key on a cloud service? This is generally not a good thing to do. Conversely if you are decrypting the file before transfer, how would a private key come into play after transfer?
    • Admin
      Admin almost 5 years
      Well. I realized the question seems confusing. Short summary is - can we store a PGP private key in Azure Key Vault?
    • Admin
      Admin almost 5 years
      you guys have any idea?
    • Arif Coskun
      Arif Coskun over 4 years
      any help would be appreciated.
  • Arif Coskun
    Arif Coskun over 4 years
    Thanks for the help. Can you give sample usage of azure function?
  • Arif Coskun
    Arif Coskun over 4 years
    I am getting below error when I try to run function. Exception while executing function: PGPDecrypt <--- unknown object in stream Reserved
  • Arif Coskun
    Arif Coskun over 4 years
    any idea what might be the issue?
  • Mike
    Mike over 4 years
    So basically you need to export the key from gpg using gpg --export-secret-keys --armor > key.asc. Then you need to take the full text of that and Base64 encode it. Then that Base64-encoded text is what you upload to KeyVault. Also do the same with the passphrase: Base64 encode it, then upload it as a secret to KeyVault. I think that was how I resolved that issue if I remember correctly.
  • Arif Coskun
    Arif Coskun over 4 years
    Thanks Mike. I have resolved my issue by encoding my private key file itself instead of copying the content.
  • mherzig
    mherzig about 3 years
    Just a note as to why you need to base64 encode the keys first--Key Vault doesn't keep newlines, so it just stores the whole chunk as one line of text. Doing base64 first will encode the newlines which would then be restored once you decode.