adaptive.run TECH BLOG

Cloud can be tricky sometimes. Find out what scenarios we've run into that are worth being mentioned and explained.

Azure VM utilizing Azure Key Vault for SSH Key authentication

Level: 300
Publishing date: 20-Mar-2026
Author: Catalin Popa

This article explains how to use Azure Key Vault to manage the SSH key used to access Azure Virtual Machines. Handling sensitive data, particularly private keys, is error-prone and risky when done by hand. By keeping the key in Azure Key Vault, we can store it centrally and control who may retrieve it. The steps outlined below are performed using Azure CLI 2.0.

Azure Key Vault enables secure storage of confidential data such as cryptographic keys, passwords, and certificates. It does this through protected containers called vaults, where access policies can be assigned to users or applications. While it is possible to integrate your own Certificate Authority (CA) or request certificates from a public CA, this example uses self-signed certificates for simplicity.

Key Vault is commonly used to automate certificate delivery for web servers and other services. In this case, however, the certificate is only a convenient container for an RSA key pair whose private key will serve as the SSH identity. Storing it in Key Vault lets us grant individual users controlled access to that specific secret, and every retrieval is an authenticated Azure API call rather than a key file copied around by hand.

After launching the Azure CLI, the first step is to register the Key Vault resource provider:

az provider register -n Microsoft.KeyVault

Next, create a resource group and a Key Vault to hold the SSH keys. In this example:

• Resource Group name: rg-keyvault-test
• Vault name: keyvaultteststore6412
• Region: westeurope

az group create -n rg-keyvault-test -l westeurope

az keyvault create -n keyvaultteststore6412 -g rg-keyvault-test -l westeurope --enabled-for-deployment

Once the vault is ready, create a self-signed certificate using the default policy:

az keyvault certificate create --vault-name keyvaultteststore6412 -n cert1 -p "$(az keyvault certificate get-default-policy -o json)"

To use the certificate for SSH access, download the certificate's secret (the PFX bundle) and extract the private key. OpenSSH on Linux expects a PEM private key rather than a PKCS#12 bundle, so the key has to be converted. Key Vault exports the PFX with an empty password, and the -nodes option writes the resulting PEM unencrypted, which is why the permissions step that follows is not optional.

az keyvault secret download --vault-name keyvaultteststore6412 -n cert1 -e base64 -f cert1.pfx
openssl pkcs12 -in cert1.pfx -out cert1.pem -nocerts -nodes -passin pass:
chmod 0400 cert1.pem
ssh-keygen -f cert1.pem -y > cert1.pub

These steps:

1. Download the certificate in PFX format.
2. Extract the private key into PEM format without a password.
3. Secure the file permissions.
4. Generate the corresponding public key.

With the public key ready, deploy a new virtual machine and inject the SSH key during creation:

az vm create -g rg-keyvault-test -n keyvaultteststore6412 --admin-username centos --image centos --ssh-key-value "$(cat cert1.pub)"

This command provisions the VM and configures it to allow SSH authentication using the public key derived from the Key Vault certificate.

You can now verify the setup by connecting to the virtual machine using the private key (cert1.pem) that was downloaded and prepared earlier.
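The whole procedure above, wrapped into one script. This is an added example, not code from the original article: it keeps the private key only in a mode-0700 scratch directory (on tmpfs where available), normalises the extracted key with openssl pkey so no PKCS#12 bag attributes end up in the PEM, checks the file mode before ssh gets a chance to complain, logs the SHA256 fingerprint so the operator can confirm the .pem and .pub really are one pair, and wipes the directory on exit. The vault, certificate, resource group, VM and admin-user names are the article's, taken as assumed defaults that can be overridden through the environment; az, openssl and ssh-keygen are assumed to be installed, and az must already be logged in.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): wrapper around the
# Key Vault -> PEM -> public key -> VM procedure. Names below are the
# article's values, used here as assumed defaults.
set -euo pipefail

VAULT="${VAULT:-keyvaultteststore6412}"
CERT="${CERT:-cert1}"
RG="${RG:-rg-keyvault-test}"
VM="${VM:-keyvaultteststore6412}"
ADMIN="${ADMIN:-centos}"
KEYDIR=""

# Private key material only ever touches a mode-0700 scratch directory,
# on tmpfs (/dev/shm) where one exists so it never hits persistent disk.
keydir_create() {
  KEYDIR="$(umask 077 && mktemp -d /dev/shm/kvssh.XXXXXX 2>/dev/null || mktemp -d)"
  chmod 0700 "$KEYDIR"
}

# Best-effort wipe of the scratch directory (shred is GNU coreutils only).
keydir_destroy() {
  [ -n "$KEYDIR" ] || return 0
  command -v shred >/dev/null && shred -u "$KEYDIR"/* 2>/dev/null || true
  rm -rf "$KEYDIR"
}

# Step 1 (online): download the certificate's secret, a base64-encoded PFX.
fetch_pfx() {  # fetch_pfx <vault> <cert-name> <out.pfx>
  az keyvault secret download --vault-name "$1" -n "$2" -e base64 -f "$3"
}

# Step 2: PKCS#12 -> unencrypted PKCS#8 PEM, created under umask 077.
# Key Vault exports the PFX with an empty password, hence -passin pass: .
# Piping through openssl pkey drops the "Bag Attributes" preamble.
pfx_to_pem() {  # pfx_to_pem <in.pfx> <out.pem>
  (umask 077 && openssl pkcs12 -in "$1" -nocerts -nodes -passin pass: \
     | openssl pkey -out "$2")
  chmod 0400 "$2"
}

# Step 3: derive the OpenSSH public key from the private key.
pem_to_pub() {  # pem_to_pub <key.pem> <out.pub>
  ssh-keygen -y -f "$1" > "$2"
}

# SHA256 fingerprint of a key file (.pem or .pub), for logging and for
# cross-checking that the two files really belong to one pair.
fingerprint() {  # fingerprint <keyfile> -> SHA256:...
  ssh-keygen -lf "$1" | cut -d' ' -f2
}

# ssh refuses a key readable by group/others; fail early with a clear message.
check_key_mode() {  # check_key_mode <file> -> 0 when mode is 0400 or 0600
  local mode
  mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
  case "$mode" in
    400|600) return 0 ;;
    *) echo "refusing to use $1: mode $mode is too open" >&2; return 1 ;;
  esac
}

# Step 4 (online): provision the VM with that public key; prints its public IP.
create_vm() {  # create_vm <key.pub> -> public IP
  az vm create -g "$RG" -n "$VM" --admin-username "$ADMIN" --image centos \
    --ssh-key-value "$(cat "$1")" --query publicIpAddress -o tsv
}

# Step 5 (online): offer only this identity, not whatever the agent holds.
connect() {  # connect <key.pem> <host>
  ssh -i "$1" -o IdentitiesOnly=yes "$ADMIN@$2"
}

main() {
  keydir_create
  trap keydir_destroy EXIT
  fetch_pfx "$VAULT" "$CERT" "$KEYDIR/$CERT.pfx"
  pfx_to_pem "$KEYDIR/$CERT.pfx" "$KEYDIR/$CERT.pem"
  check_key_mode "$KEYDIR/$CERT.pem"
  pem_to_pub "$KEYDIR/$CERT.pem" "$KEYDIR/$CERT.pub"
  echo "SSH key fingerprint: $(fingerprint "$KEYDIR/$CERT.pub")" >&2
  local ip
  ip="$(create_vm "$KEYDIR/$CERT.pub")"
  connect "$KEYDIR/$CERT.pem" "$ip"
}

# Only talk to Azure when explicitly asked:  ./kvssh.sh run
if [ "${1:-}" = run ]; then main; fi
```

Run it as ./kvssh.sh run after az login. The script deliberately ends the session by deleting the scratch directory; the next login fetches the key from the vault again, so the only long-lived copy of the private key is the one Key Vault holds and audits access to. If you would rather keep a copy on the client, move the .pem into ~/.ssh with mode 0400 and treat it like any other private key from that point on.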

By following this approach, Azure Key Vault acts as the single authoritative store for the SSH key, so users fetch it through an access-controlled API instead of receiving a private key file by mail or chat. Note what the vault does not protect: once the PEM file has been extracted on the client it is an ordinary unencrypted private key, outside the reach of the vault's access policy, and it must be kept with restrictive permissions, or deleted after use, like any other credential on disk.

© Copyright  2019-2026 adaptive.run- All Rights Reserved