
Every once in a while, someone asks me to protect an Azure workload that does not have the most direct approach available for it in a Veeam product. Today I'll focus on Azure Key Vault, but I'll see if I can broaden the scope a bit over time with future posts.


Why back up Azure Key Vault

Azure Key Vault is used as the source for anything from encryption scopes on Azure Storage to customer-managed keys for services, and it stores public/private key pairs, custom secrets, and certificates. Losing Azure Key Vault contents could pose a serious problem, but exporting the data for backup purposes creates quite some risk of its own. Thankfully, backup jobs allow data encryption.


Soft delete

Azure Key Vault comes with soft delete, allowing recovery of deleted vaults and deleted objects (keys, secrets and certificates). Once an object is deleted the default recovery period is 90 days, unless the object is purged entirely. This should be your first line of defense.


Backup

Azure Key Vault comes with PowerShell and AZ CLI commands to (1) get object values or to (2) perform a backup and restore. One simple strategy would be to have a workload that gets the contents of Azure Key Vault and then to back up that workload. You could, for example, create a script that pulls the relevant data onto a small Azure VM and back up that VM with Veeam. With some clever scheduling it would be possible to keep this VM from running very long, to save money.


1. Getting Azure Key Vault object values

Let's have a look at how we get the contents of an Azure Key Vault programmatically. To keep things interesting, there is a bit of variation in functionality across PowerShell and AZ CLI.

Getting values only exposes the public part of keys and certificates, but it returns secret values in plain text.

az keyvault key download --name <key-name> --vault-name <vault-name> --file <key.pem>
az keyvault secret download --name <secret-name> --vault-name <vault-name> --file <secret.txt>
az keyvault certificate download --name <cert-name> --vault-name <vault-name> --file <certificate.pem>

or

Get-AzKeyVaultKey -Name <key-name> -VaultName <vault-name> -OutFile <key>
Get-AzKeyVaultSecret -Name <secret-name> -VaultName <vault-name> -AsPlainText
Get-AzKeyVaultCertificate -Name <cert-name> -VaultName <vault-name>

Remember that you can also export the access policies of the key vault; they are returned as the accessPolicies property.

az keyvault show --name $keyVaultName

"accessPolicies": [
  {
    "applicationId": null,
    "objectId": "00000000-0000-0000-0000-000000000000",
    "permissions": {
      "certificates": [],
      "keys": [
        "get",
        "wrapkey",
        "unwrapkey"
      ],
      "secrets": [],
      "storage": null
    },
    "tenantId": "00000000-0000-0000-0000-000000000000"
  }
]

2. Built-in Azure Key Vault backup and restore commands

Backups made with the built-in backup and restore commands are tied to the subscription and region they were created in. The backup files are encrypted and can only be read back by Azure Key Vault on restore.

az keyvault key backup --vault-name <vault-name> --name <key-name> --file <key.backup>
az keyvault secret backup --vault-name <vault-name> --name <secret-name> --file <secret.backup>
az keyvault certificate backup --vault-name <vault-name> --name <cert-name> --file <certificate.backup>

or

Backup-AzKeyVaultKey -VaultName <vault-name> -Name <key-name> -OutputFile <key.backup>
Backup-AzKeyVaultSecret -VaultName <vault-name> -Name <secret-name> -OutputFile <secret.backup>
Backup-AzKeyVaultCertificate -VaultName <vault-name> -Name <cert-name> -OutputFile <certificate.backup>
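The "script that pulls the relevant data" strategy from the Backup section, built on the per-object backup commands just shown, as an added example that is not from the original post: a POSIX shell script that lists every key, secret and certificate in a vault with the Azure CLI, exports each one as a vault-encrypted backup blob, writes a SHA-256 manifest so a truncated or tampered blob is caught before it is ever fed back, and restores the whole set with the per-object az keyvault key/secret/certificate restore commands (a real Azure CLI command family the post does not show). It assumes an installed Azure CLI that is logged in with an identity holding the backup and restore permissions on the vault, and that object names contain no whitespace (Key Vault only allows letters, digits and dashes). The vault name demo-vault, the directory layout and the manifest file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): per-object backup and restore of an
# Azure Key Vault using the built-in, vault-encrypted backup blobs.
# Assumes: Azure CLI installed and logged in ("az login") with backup/restore
# permissions on the vault; object names without whitespace. Vault name,
# directory layout and manifest file name are hypothetical.
set -eu

OBJECT_TYPES="key secret certificate"

# Print the names of all objects of one kind, one per line.
list_objects() {   # list_objects <kind> <vault-name>
    az keyvault "$1" list --vault-name "$2" --query "[].name" -o tsv
}

# Count the backup blobs below a directory.
count_backups() {   # count_backups <dir>
    find "$1" -name '*.backup' -type f | wc -l | tr -d ' '
}

# Record a SHA-256 of every blob so truncation or tampering on the backup
# medium is noticed before a restore is attempted. The blobs themselves are
# opaque to us: only Key Vault can decrypt them.
write_manifest() {   # write_manifest <dir>
    ( cd "$1" && find . -name '*.backup' -type f | sort |
      while IFS= read -r f; do sha256sum "$f"; done > MANIFEST.sha256 )
}

# Succeeds only if every blob listed in the manifest is present and unchanged.
verify_manifest() {   # verify_manifest <dir>
    [ -f "$1/MANIFEST.sha256" ] || { echo "no MANIFEST.sha256 in $1" >&2; return 1; }
    if [ ! -s "$1/MANIFEST.sha256" ]; then   # empty manifest: valid only for an empty backup
        [ "$(count_backups "$1")" = 0 ] && return 0
        return 1
    fi
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# Export every key, secret and certificate to <outdir>/<kind>/<name>.backup.
# Keeps going after a single failure and reports it through the exit status.
backup_vault_objects() {   # backup_vault_objects <vault-name> <outdir>
    vault="$1"; outdir="$2"; failed=0
    for kind in $OBJECT_TYPES; do
        mkdir -p "$outdir/$kind"
        names=$(list_objects "$kind" "$vault") ||
            { echo "cannot list ${kind}s in $vault" >&2; return 1; }
        for name in $names; do
            if az keyvault "$kind" backup --vault-name "$vault" --name "$name" \
                  --file "$outdir/$kind/$name.backup" >/dev/null; then
                echo "backed up $kind/$name"
            else
                echo "FAILED $kind/$name" >&2; failed=1
            fi
        done
    done
    write_manifest "$outdir"
    echo "$(count_backups "$outdir") blobs written to $outdir"
    return $failed
}

# Feed the blobs back into a vault in the same subscription and region.
# Refuses to start if the manifest does not match what is on disk.
restore_vault_objects() {   # restore_vault_objects <vault-name> <indir>
    vault="$1"; indir="$2"; failed=0
    verify_manifest "$indir" || { echo "manifest check failed, not restoring" >&2; return 1; }
    for kind in $OBJECT_TYPES; do
        for file in "$indir/$kind"/*.backup; do
            [ -f "$file" ] || continue     # no objects of this kind were backed up
            if az keyvault "$kind" restore --vault-name "$vault" --file "$file" >/dev/null; then
                echo "restored $kind from $file"
            else
                echo "FAILED restore of $file" >&2; failed=1
            fi
        done
    done
    return $failed
}

# Command-line entry point; with no arguments only the functions are defined.
case "${1:-}" in
    backup)  backup_vault_objects "${2:?vault-name}" "${3:?outdir}" ;;
    restore) restore_vault_objects "${2:?vault-name}" "${3:?indir}" ;;
    "")      ;;
    *)       echo "usage: $0 backup|restore <vault-name> <dir>" >&2; exit 2 ;;
esac
```

Run it as sh kv-backup.sh backup demo-vault ./backups on the small VM described above and let the VM backup pick up the directory; the blobs are useless without the vault that produced them, so nothing in plain text ever lands on disk. The manifest check only guards the copy on disk, so keep the manifest with the blobs in the same protected backup. Note that the full-vault az keyvault backup start and Backup-AzKeyVault commands in the next section operate on Managed HSM pools (they take an HSM name and a storage container SAS token), which is why this script sticks to the per-object commands, which work with a standard vault.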

The following commands allow you to back up a vault as a whole to an Azure Blob storage account. This requires a SAS token for access. Restore can only be done to the source subscription and region the backups were made in.

az keyvault backup start

or Backup-AzKeyVault

az keyvault restore start

or Restore-AzKeyVault


Required permissions

In order to access Azure Key Vault, appropriate permissions are required. There are quite a few built-in roles available, but if you want to roll your own custom role, the minimum permissions needed are listed below:

Microsoft.KeyVault/vaults/keys/read
Microsoft.KeyVault/vaults/keys/backup/action
Microsoft.KeyVault/vaults/keys/restore/action


Summary

So you see, it's actually pretty easy to back up and restore data from Azure Key Vault, and if you have soft delete turned on there are simple ways to undo a mistake before more elaborate recovery is needed.

Hope that was helpful. Just keep in mind that any raw secrets you export should be encrypted again; plain-text secrets are an absolute no-no, so using the built-in Azure Key Vault backup and restore commands for object values makes the most sense from a security perspective.
