使用 azure keyvault 服务获取 RSA256 私钥和公钥

Question

I am trying my hands on Azure Key Vault cloud service. I followed a few msdn articles to create a key in azure key vault.

Here is my code

public async Task<RSA256Key> GenerateRSAKey(string keyName)
        {

            using (KeyVaultClient client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken))) //GetToken returns access token to connect to Azure key vault
            {
                var newKeyParams = new NewKeyParameters()
                {
                    Kty = "RSA",
                    CurveName= "P-256",
                    KeySize = 2048
                };

                KeyBundle rsa = await client.CreateKeyAsync(_config.VaultUrl, keyName, newKeyParams);

            
        }
    }

This code works fine, it creates a key in azure keyvault. I want to get the public and private keys from the key generated using the above code. The KeyBundle response has a JsonWebKey property. I inspected this property and found that on N and E has values.

{
  "kid": "https://xxxx.vault.azure.net/keys/yyyy/zzzz",
  "kty": "RSA",
  "n": "wt1SiRuybjkoVwgbUJgHJY9W1WFDMHOzhKx3ewISCINWFgiH5RHOhGDqoIfFVuwGMk0mmnNXdVCFFrATYUPT0EhXqCv_9IDXSh9WW1VvvsZBp0nW1v8e80Mz_nDZ1DVgC2KY8G97JVyfomm6nZRcBVkklimmZEDl_oPpFg68rfnEz4qou-4DNMoF2k9U95xXZfusrFpP5IJnHaMqsCQTozIWu65sWv3I5sW3zRmx93nQWAbf0_FEf70SQ8qgDtP8IVKS7xd05epQkbPsPtI8KwW4tVUsmP7EJYaMxCvT-Y_bpdliwEWxIMTp6cwo3l7AWvb8YyAhPC1Z02Cliweo5Q",
  "e": "AQAB"
}

I want to use the RSA 256 private key to sign a JWT.

Answer 1

There is no way to download private part of the key once it was imported/generated. You can refer this article as an example

Secondly, speaking of public keys, only the public key is available to the system. The API call to GetKeyAsync doesn't return private key data. This is why the DecryptAsync wrapper method does use the Key Vault API for decryption. In other words, private keys never leave the vault, which is one reason to use Key Vault for decryption instead of bringing private keys into the process.

As an option, you can generate key-pair by your own and save a private key

using Azure.Identity;
using Azure.Security.KeyVault.Keys;

var vaultUri = new Uri("https://{kv-name}.vault.azure.net/");
var keyClient = new KeyClient(vaultUri, new DefaultAzureCredential());

// Generate key
var generatedKey = RSA.Create();

// You can save a private key
// var privateKey = generatedKey.ExportRSAPrivateKey();

var webKey = new JsonWebKey(generatedKey, includePrivateParameters: true);
var response = await keyClient.ImportKeyAsync(new ImportKeyOptions("name", webKey));

But if you want to store both public and private keys in Azure I would suggest you to store them as a certificate. In that case it would be possible to access certificate with public and private keys directly from Azure

using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

var certClient = new CertificateClient(vaultUri, new DefaultAzureCredential());


X509Certificate2 cert = ...
...
var importCertOptions = new ImportCertificateOptions("name", cert.RawData);
var response = await certClient.ImportCertificateAsync(importCertOptions);