In this blog post, I will be talking about how to use Azure Key Vault with PowerShell to perform cryptographic operations, like encrypting and decrypting data.

We will start by creating the key vault in Azure, install an encryption key and register an application with its service principal. After that, we will give rights to that application on the key vault. Finally, we will use PowerShell to authentication to Azure AD, get an access token, use this token to access our key vault, and encrypt/decrypt a simple string.

What we will cover in this blog post:

  • Create a resource group in Azure.
  • Create an Azure Key Vault and configure it with access policies.
  • Create an encryption key in Azure key vault.
  • Create an application and register it with service principal in Azure AD.
  • Assign permission to the application on the key vault.
  • Use PowerShell to connect to Azure AD and get a token to access the key vault.
  • Construct a string [Hello World]
  • Use PowerShell to connect to the key vault using the access token to the key vault.
  • Encrypt the [Hello World] string using the key vault key.
  • Decrypt the encrypted payload again.

Before going through Azure key vault with PowerShell operations, it is better to introduce couple of concepts listed below:

Creating an Application Context

In order to move forward with this blog post, I want to start by introducing the concept of registering an app in Azure.

The Azure Key vault is protecting by RBAC model [Role-based access control], to protect the vault and its secrets/keys from unauthorized access and operations. Instead of using your actual user to access the vault using your code or script, it is highly recommended to created a security identity that can act by its own, to perform the actual cryptographic operations.

Why this is important? Perhaps you want your code to run in the context of an application, or an automation task. You do not want to use your identity to that. It is easy to audit access to the vault if you have a well-known security context that is bound to that application. Think of this like when you create a service account to run a workload.

To do that in Azure, you have to create an application, and give it a name and a secret. It is like normal user accounts in AD where you have the user UPN and password. Your user can authenticate using a password or digital certificate, and so the application that you will create in Azure. It can authentication using a secrete (password) or a digital certificate.

Creating an application and with its ID and secret is not enough. We need to create a Service Principal for that application, so that Azure AD can authentication your application and know about it. Since this is all about Azure key vault with PowerShell , we will create the application from PowerShell.

Separation of concern

Azure Key Vault creates a very solid separation of concerns.

  • Admin will create a vault, and configure it with access policies.
  • Application owner will create an application in Azure AD and assign it a service principal.
  • Admin will assign permission to that service principal on the key vault.
  • Developer will use the application name and secret in his code to access the vault secret.
  • An auditor can then see what is happening inside the vault.

The use of Byte Array instead of string

We will go through how to do cryptographic operations inside Azure key vault with PowerShell, but first we need to talk about Byte Arrays first. In this example, we will use PowerShell to encrypt a simple string [“Hello World“] using the key vault. Instead of just passing the string to the key vault, we will convert the string to a Byte Array.

A string contains character data that is subject to interpretation and it implies encoding, while the byte array is just a binary data, which makes it easier to deal with

In our example, we will convert the string variable that holds [“Hello World”] to a byte array, send it to the key vault for encryption.

Later on, we will decrypt the data back to byte array, and then convert that to a string again.

Azure key vault with PowerShell

Now, we can start working on Azure key vault with PowerShell.The first thing to do is to go and install AzureRM PowerShell module on your machine, import the AzureRM module on your PS session, and logon to your Azure Account.

Step 1: Create the Key Vault

We will start by creating an Azure Resource Group, and then we will create our Azure Key Vault:

  • Key Vault Name : IgniteKV
  • Resource Group Name : IgniteRG

For demo purposes, we will configure the key vault with all “Advance Access Policies“, so it can be used for disk encryption, used by Azure resource manager through templates, and used for deployments.

Here is how the Azure Key Vault looks like from the Azure portal with all advanced access policies checked:

Azure key vault with PowerShell 9


Now, we will create an application, which will give us a security context to access the key vault. To create the application, we will provide an application name and a secret. Although the secret can be a digital certificate, but for now we will use a simple string.

After creating the app, we will create a service principal for the app, so that i can authenticate with Azure AD in order to request a token. Later on, we will use that token to access the key vault.

Moreover, we will grant permission to the app, so that it can access the key vault and perform cryptographic operations.

Here is a look inside the Azure portal. You can see that app is being assigned permission to the key vault.

Azure key vault with PowerShell 3

Now, we can log to Azure portal > Key Vault. Then we can create a key in that vault so that we can use it for encryption. I already created an encryption key called IgniteKey.

Azure key vault with PowerShell 4

Azure key vault with PowerShell 10

Azure key vault with PowerShell 10

Step 2: Get a token from Azure AD

In this section, we will go to Azure AD using the context of the app (using the app name and secret), and we will get an access token.

I explained what each line of code is doing inside the code comments.


Step 3: Access the Key Vault from PowerShell

In this section, we will use the access token we obtained, and we will try to connect to the Azure key vault, and list the keys inside it.

Here is the output result. We can see the key we created earlier.

Azure key vault with PowerShell 6

Step 4: Encrypt a simple string from PowerShell

In this section, we will construct a string [“Hello World“], we will convert it to Byte Array, and will connect to the Azure Key Vault specifying:

  • Key vault name.
  • KeyID and version. If version is left blank, the most recent version of the key will be used.
  • The byte array to be encrypted.
  • Access token obtained.

The result will look like this:

Azure key vault with PowerShell 7

Step 5: Decrypt the cipher from PowerShell

Finally, we will take the encrypted data we get from the vault, and then we will try to ask the vault to decrypt it. We will get byte array as a response. We will then convert the byte array back to string, and we will get out [“Hello World“] back!

Final Thoughts

We saw how Azure Key Vault with PowerShell really works. We started by creating a resource group and a key vault in Azure. We then created a key inside the key vault for cryptographic operations. From the scripting side, we needed to create a service account to run the script [ this is called creating an application in Azure]. In order for Azure AD to recognize that application, we needed to register that application with a Service Principal.

After that, we discovered the authentication endpoint for the Azure Key vault. This was the Azure AD end point. Then we tried to contact Azure AD, supply the application ID and secret to get a token on the vault. The vault was configured previously to recognize that application and give it some rights on its key. Our PowerShell script will then construct a small string, sent it to the key vault for encryption, and then decrypting it back.

Azure key vault with PowerShell 22


Big credit goes to Chris Clayton (AzureCAT) and his great blog post. Most the PowerShell code in this blog post [Azure key vault with PowerShell ]related to getting AAD token and doing the actual calls to Azure AD key vault is originally taken from his blog post, with some modifications and explanation.

I also added couple of sections in this blog post to help readers create the actual vault, resource group, application, service principal, and add couple of screenshots.