Storing and Retrieving RSA Key Pairs in Azure Key Vault for Secure Git Access


When working with Azure Key Vault and SSH keys, many developers encounter specific challenges. The key vault primarily handles certificates, keys, and secrets, but SSH key pairs require special handling due to their format and usage patterns.

The main issues occur when:

  1. Trying to store PEM files directly as secrets
  2. Newlines getting converted to spaces
  3. File corruption during conversion to PFX

Here's the correct approach to store your SSH keys:

For the private key (id_rsa):

# Convert your private key to base64 first (PowerShell; no "$ " prompt, these are variable assignments)
$private_key_content = Get-Content -Path ~/.ssh/id_rsa -Raw
$base64_private = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($private_key_content))

# Then store it in Azure Key Vault as a secret
# (--value puts the secret on the command line, where it shows up in process listings and
#  shell history; --file <path> is the quieter option)
az keyvault secret set --vault-name "YourVaultName" --name "GitPrivateKey" --value $base64_private

On your virtual machine, retrieve and use the key:

# Retrieve the secret (PowerShell on a Linux VM, after `az login --identity`)
$secret = az keyvault secret show --vault-name "YourVaultName" --name "GitPrivateKey" --query "value" -o tsv

# Convert back from base64
$private_key = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($secret))

# Create .ssh, create the empty key file and lock it down BEFORE writing the key into it,
# so the file is never readable by other users (chmod is the external Linux command)
New-Item -ItemType Directory -Path ~/.ssh -Force | Out-Null
chmod 700 ~/.ssh
New-Item -ItemType File -Path ~/.ssh/id_rsa -Force | Out-Null
chmod 600 ~/.ssh/id_rsa
Set-Content -Path ~/.ssh/id_rsa -Value $private_key -NoNewline

For the public key (id_rsa.pub), you have two options:

# Option 1: Store directly in your Git service (recommended)
# Just copy the contents to your Git provider's SSH keys section

# Option 2: Store in Key Vault (if needed for reference)
az keyvault secret set --vault-name "YourVaultName" --name "GitPublicKey" --value "$(cat ~/.ssh/id_rsa.pub)"

  • Use Azure Managed Identity for VM access to Key Vault
  • Set appropriate access policies
  • Rotate keys periodically
  • Never hardcode key paths in your scripts

If you prefer to use Azure Key Vault's native key functionality:

# Import your private key as a key (not secret); --pem-file expects a PEM-encoded key (an OpenSSH-format
# key can be rewritten in place with: ssh-keygen -p -m PEM -f ~/.ssh/id_rsa). Leave ~ unquoted so it expands.
az keyvault key import --vault-name "YourVaultName" --name "GitSSHKey" --pem-file ~/.ssh/id_rsa --protection software

Remember that this approach requires additional handling to extract the key in SSH-compatible format when needed.


When working with SSH keys for Git operations on Azure VMs, securely managing the private key becomes crucial. Azure Key Vault provides a robust solution, but the process of storing RSA key pairs isn't always straightforward.

The common pitfalls include:

  • Newline characters being converted to spaces when pasting directly
  • Improper handling of PEM file conversions
  • Incorrect assumptions about PFX file formats for SSH keys

Here's the correct approach for storing your SSH keys:

First, ensure your private key is properly formatted:

# Convert your private key to a single-line format
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' id_rsa > id_rsa_single_line.txt

Then use Azure CLI to store it:

az keyvault secret set \
  --vault-name "YourKeyVaultName" \
  --name "ssh-private-key" \
  --file id_rsa_single_line.txt \
  --encoding utf-8

For the public key, you can store it directly:

az keyvault secret set \
  --vault-name "YourKeyVaultName" \
  --name "ssh-public-key" \
  --file id_rsa.pub \
  --encoding utf-8

Create a script to retrieve and configure the keys:

#!/bin/bash
set -euo pipefail

# Create the key directory and make every file created below owner-only
# from the start (no window where the key sits at 0644 before chmod)
mkdir -p ~/.ssh
chmod 700 ~/.ssh
umask 077

# Retrieve private key. The stored value is one line with literal "\n" escapes
# (see the awk step above), so printf '%b' expands them back into real newlines
printf '%b' "$(az keyvault secret show \
  --vault-name "YourKeyVaultName" \
  --name "ssh-private-key" \
  --query value -o tsv)" > ~/.ssh/id_rsa

# Set proper permissions (already 0600 from the umask; kept explicit)
chmod 600 ~/.ssh/id_rsa

# Retrieve public key if needed (stored as-is, no escape expansion required)
az keyvault secret show \
  --vault-name "YourKeyVaultName" \
  --name "ssh-public-key" \
  --query value -o tsv > ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/id_rsa.pub

For enhanced security, implement key rotation:

# Generate new key pair (-N "" leaves it unencrypted so it can be used non-interactively)
ssh-keygen -t rsa -b 4096 -f new_key -N ""

# Store new private key (same single-line conversion as above; this creates a new version of the secret)
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' new_key > new_key_single_line
az keyvault secret set --vault-name "YourKeyVaultName" --name "ssh-private-key" --file new_key_single_line --encoding utf-8

# Store the new public key, then register it with your Git service and remove the old key there
az keyvault secret set --vault-name "YourKeyVaultName" --name "ssh-public-key" --file new_key.pub --encoding utf-8

  • Use Azure Managed Identity for VM access to Key Vault
  • Implement proper RBAC for Key Vault access
  • Enable Key Vault logging and monitoring
  • Consider using Azure Key Vault's key generation features for new keys
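The newline problem both answers describe comes down to one question: does the encoding you use for the secret value round-trip the key bytes exactly? The script below is an added example, not code from either answer, that checks this offline for both encodings shown on this page (the awk backslash-n escaping and the base64 variant) and restores the key on the "VM" side without ever leaving it world-readable. The `az keyvault secret set/show` calls are replaced by shell variables, and the key text is a constructed dummy with a CRLF line ending, not a real key.

```shell
#!/usr/bin/env bash
# Added example (not from either answer above): lossless round trip of a
# multi-line private key through a single-line secret value, plus a VM-side
# write that is never world-readable. The `az` calls are stood in for by
# shell variables so it runs offline; the key text is a constructed dummy.
set -euo pipefail

# Encode a key file as one line: drop CRs and blank lines, join with a
# literal "\n" (the awk idiom used above). This is what goes into --value.
to_single_line() {
  awk 'NF {sub(/\r/, ""); printf "%s\\n", $0}' "$1"
}

# Alternative encoding: CRs stripped, then base64 with no line wrapping.
to_base64_line() {
  tr -d '\r' < "$1" | base64 | tr -d '\n'
}

# Restore an escaped value to a key file. umask 077 is set before the file
# exists, so unlike "write, then chmod 600" there is no moment where another
# local user could read the key.
restore_escaped() {   # restore_escaped <value> <path>
  ( umask 077; mkdir -p "$(dirname "$2")"; printf '%b' "$1" > "$2" )
}

restore_base64() {    # restore_base64 <value> <path>
  ( umask 077; mkdir -p "$(dirname "$2")"; printf '%s' "$1" | base64 -d > "$2" )
}

# True only if the file mode is exactly 0600, which ssh requires for id_rsa.
is_mode_0600() {
  [ -n "$(find "$1" -prune -perm 600 -print)" ]
}

# Constructed sample: PEM-like lines with CRLF endings, the kind of paste that
# the answers above say gets mangled.
write_sample_key() {  # write_sample_key <path>
  printf '%s\r\n%s\r\n%s\n' \
    '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'b3BlbnNzaC1rZXktdjEAAAAA' \
    '-----END OPENSSH PRIVATE KEY-----' > "$1"
}

# What the restored file must contain: the same lines, LF-only.
write_expected_key() {  # write_expected_key <path>
  printf '%s\n%s\n%s\n' \
    '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'b3BlbnNzaC1rZXktdjEAAAAA' \
    '-----END OPENSSH PRIVATE KEY-----' > "$1"
}

# Run the round trip in a scratch directory; succeeds only when both
# encodings restore the expected bytes with mode 0600.
roundtrip_ok() {
  local tmp escaped b64 rc
  tmp=$(mktemp -d)
  write_sample_key "$tmp/id_rsa"
  write_expected_key "$tmp/expected"
  escaped=$(to_single_line "$tmp/id_rsa")   # value you would store with --value
  b64=$(to_base64_line "$tmp/id_rsa")       # or this one
  restore_escaped "$escaped" "$tmp/vm/.ssh/id_rsa"
  restore_base64 "$b64" "$tmp/vm/.ssh/id_rsa_b64"
  rc=0
  cmp -s "$tmp/expected" "$tmp/vm/.ssh/id_rsa" || rc=1
  cmp -s "$tmp/expected" "$tmp/vm/.ssh/id_rsa_b64" || rc=1
  is_mode_0600 "$tmp/vm/.ssh/id_rsa" || rc=1
  is_mode_0600 "$tmp/vm/.ssh/id_rsa_b64" || rc=1
  rm -rf "$tmp"
  return "$rc"
}

if roundtrip_ok; then
  echo "round trip OK: both encodings restore the key with mode 0600"
else
  echo "round trip FAILED" >&2
  exit 1
fi
```

To use it against a real vault, replace the variable assignments with `az keyvault secret show ... --query value -o tsv` and feed the result to `restore_escaped` or `restore_base64`, matching whichever encoding you stored. Whichever you pick, the decode step on the VM has to mirror the encode step exactly; writing the raw `-o tsv` output of an escaped value straight to `~/.ssh/id_rsa` leaves literal `\n` sequences in the file and ssh will reject it.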