Share via

Private SSH key in Azure key vault

Prachi D 80 Reputation points
2025-03-26T14:47:12.16+00:00

I have a private ssh key stored in azure virtual machines which are highlighted by defender for cloud and I want to resolve that recommandation.

So as per suggested by MS the remediation will be to store the private ssh key in azure key vault and give access to managed identity of virtual machine to get that key, but my query is do I need to run some powershell script every time I want that key ? This key can be used by multiple users which are using that virtual machine so do I need to give them that script and ask them to retrieve it every time it's needed or is there any alternative way for it ? If you give detailed steps to do it that would be useful. Thanks

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,411 questions
Accepted answer
  1. Andriy Bilous 11,731 Reputation points MVP
    2025-03-29T08:29:38.95+00:00

    Hello Prachi D

    You are correct, ​storing SSH private keys directly on virtual machines (VMs) can pose security risks. Azure recommends storing these keys in Azure Key Vault and granting the VM's managed identity access to retrieve them.

    This approach ensures that sensitive keys are centrally managed and securely accessed.​

    Answering your questions:

    • Automated Retrieval: You can automate the retrieval of the SSH private key from Azure Key Vault during the VM's startup. By using the VM's system-assigned managed identity, the VM can authenticate to Azure Key Vault and fetch the required key without manual intervention.​
    • Access for Multiple Users: By storing the SSH private key in Azure Key Vault and configuring appropriate access policies, multiple users can securely retrieve the key as needed as VM can authenticate to Azure Key Vault itself

    Steps:

    1. Create an Azure Key Vault in your Azure subscription. ​
    2. Upload your SSH private key file to Azure Key Vault as a secret named "SSH-PrivateKey".
    3. Enable the system-assigned managed identity for your VM. This identity allows the VM to authenticate to Azure resources without storing credentials on the VM itself.​
    4. In Azure Key Vault, create an access policy that grants the VM's managed identity the permission to get secrets. This allows the VM to retrieve the SSH private key when needed.​
    5. Automate Key Retrieval on the VM:
      • Install Azure CLI or Use Azure SDKs: Ensure that the Azure CLI or appropriate Azure SDKs are available on the VM to interact with Azure Key Vault.​
      • Retrieve the Key Using a Script: Create a script that uses the VM's managed identity to authenticate to Azure Key Vault and retrieve the SSH private key. This script can be executed at startup or on-demand, depending on your requirements.​ 
             #!/bin/bash
     SSH_KEY=$(az keyvault secret show --name "SSH-PrivateKey" --vault-name <YourKeyVaultName> --query value -o tsv)
     # Use the SSH key as needed, for example, save it to a file with appropriate permissions
     echo "$SSH_KEY" > /home/youruser/.ssh/id_rsa
     chmod 600 /home/youruser/.ssh/id_rsa

    https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli​

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.