How to Safely Store and Retrieve SSH Keys in Azure Key Vault Using Base64 Encoding
When working with Azure Key Vault, particularly in scenarios involving services like Azure Data Factory or connections in applications, storing sensitive data such as SSH private keys can be a challenge. Simply pasting the key's content into Key Vault often causes formatting issues, which can render the key unusable. This is a common problem faced when configuring linked services in ADF or any connection involving authentication in an Azure application.
A straightforward solution to this problem is to convert the SSH private key into a Base64-encoded string before storing it. Base64 encoding preserves the format, ensuring that the key can be retrieved and used without issues.
In this article, I’ll walk you through the steps to convert your SSH private key into Base64 and store it securely in Azure Key Vault.
Problem: SSH Private Key Formatting Issues in Azure Key Vault
When setting up a linked service in ADF or configuring SSH-based authentication for any application, pasting an SSH private key directly into Azure Key Vault as a secret can cause its structure to break. The Key Vault interface doesn’t retain the key’s exact formatting, which is crucial for successful authentication.
This is a common issue when managing secrets in Azure, especially with SSH private keys that rely heavily on precise formatting.
Solution: Convert SSH Private Key to Base64 and Store in Azure Key Vault
To avoid this formatting issue, we can first convert the SSH private key into a Base64 string, which encodes the key into a safe format for storage. Let’s break down the steps.
Step 1: Upload Your SSH Private Key to Azure CLI
First, ensure you have your SSH private key on your local machine. For this example, let’s assume the file is named id_rsa. Here’s an example of what an SSH private key typically looks like:
This key is enclosed between BEGIN and END markers, and preserving this format is critical for proper functionality.
Step 2: Convert SSH Private Key to Base64 Format
Now, let’s convert this SSH private key into a Base64 string using Azure CLI. This ensures that the data remains intact without altering its structure.
To convert the key, run the following command:
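This command outputs the private key in Base64 format, which keeps its line breaks and markers intact when stored in Azure Key Vault. Base64 is an encoding, not encryption; the key's confidentiality still depends on Key Vault access control.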
Sample Base64 Encoded SSH Private Key:
This is what the Base64 string looks like. Though shortened here, the actual string is much longer depending on your SSH private key.
Step 3: Store the Base64 String in Azure Key Vault
With the private key now in Base64 format, you can securely store it in Azure Key Vault as a secret. Use the following command to store the Base64-encoded private key:
az keyvault secret set --vault-name <YourVaultName> --name <SecretName> --value "<Base64String>"
Replace the following:
<YourVaultName>: The name of your Azure Key Vault.
<SecretName>: A descriptive name for your secret.
<Base64String>: The Base64-encoded string of your SSH private key.
This ensures that the key is stored correctly without any formatting issues.
Step 4: Retrieve the Secret
Whenever you need to retrieve the SSH private key from Azure Key Vault, you can do so using the following command:
az keyvault secret show --vault-name <YourVaultName> --name <SecretName>
After retrieving the secret, you’ll still have the Base64-encoded version of the key. To decode it back into the original SSH private key format, use the following command:
echo "<Base64String>" | base64 --decode > id_rsa_decoded
This command will create a new file, id_rsa_decoded, which contains the original private key in the correct format.
Conclusion
Handling SSH private keys in Azure Key Vault can be tricky, especially when configuring linked services in ADF or establishing connections in Azure applications. Formatting issues often arise when pasting the key directly into Key Vault, but by converting the key to Base64 format, you ensure that the key is stored safely and remains usable.
With these steps, you can easily convert your SSH private key, store it securely in Azure Key Vault, and retrieve it without any formatting issues!
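One way to script Steps 2 to 4 (an added example, not code from the original article): it passes the encoded key with --file instead of --value so the secret stays out of shell history and the process list, and it writes the decoded key with owner-only permissions. The function names and the constructed sample key are assumptions.

```shell
# Added example; function names are hypothetical, not from the article.

# Step 2: encode a key file as one unwrapped Base64 line
# (GNU base64 wraps output at 76 columns unless told otherwise).
encode_key() {
  base64 < "$1" | tr -d '\n'
}

# Step 4: decode Base64 from stdin into file $1, created owner-only (0600).
# ssh refuses private keys that other users can read.
decode_key() (
  umask 077
  rm -f "$1"            # an existing file would keep its old permissions
  base64 --decode > "$1"
)

# Step 3: store the encoded key. --file keeps the value out of shell history
# and the process list, where --value "<Base64String>" would expose it.
store_key() (           # $1 = vault name, $2 = secret name, $3 = key file
  umask 077
  tmp=$(mktemp) || exit 1
  encode_key "$3" > "$tmp"
  az keyvault secret set --vault-name "$1" --name "$2" --file "$tmp" --output none
  rc=$?
  rm -f "$tmp"
  exit "$rc"
)

# Step 4: fetch only the secret value and decode it straight to disk.
fetch_key() {           # $1 = vault name, $2 = secret name, $3 = output file
  az keyvault secret show --vault-name "$1" --name "$2" \
    --query value --output tsv | decode_key "$3"
}

# Offline self-check on a constructed (not real) key: encode, decode, compare.
roundtrip_ok() (
  dir=$(mktemp -d) || exit 1
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'CONSTRUCTED+SAMPLE+BODY+NOT+A+REAL+KEY' \
    '-----END OPENSSH PRIVATE KEY-----' > "$dir/id_rsa"
  encode_key "$dir/id_rsa" | decode_key "$dir/id_rsa_decoded"
  cmp -s "$dir/id_rsa" "$dir/id_rsa_decoded"
  rc=$?
  rm -rf "$dir"
  exit "$rc"
)

roundtrip_ok && echo "round trip OK"
```

store_key and fetch_key need a logged-in Azure CLI session and a vault you can write to; roundtrip_ok runs without either.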