PGP Keys in Azure Vault

Azure Key Vault can store secrets of up to 25 KB each, which makes it a convenient place to keep OpenPGP keys that are later used by OpenPGP Library for .NET.

A demo utility class that can load, save and delete keys is available at https://github.com/didisoft/Azure-Pgp-Function-App/blob/main/EncryptBlobPgp/VaultKeyStorage.cs

Below are a few examples that show how to use the VaultKeyStorage class:

Saving public key

The method VaultKeyStorage.SavePublicKey associates a public key with an identifier. Usually this identifier is the e-mail address of the person or organization that owns the public key:

string vaultName = "your vault name";
string tenant = "your vault tenant id";
string clientId = "your vault client id";
string clientSecret = "your vault client secret";
// VaultKeyStorage from https://github.com/didisoft/Azure-Pgp-Function-App/blob/main/EncryptBlobPgp/
VaultKeyStorage vault = new VaultKeyStorage(vaultName, tenant, clientId, clientSecret);
 
// keyStream is a Stream opened on the public key file (placeholder path)
using (Stream keyStream = File.OpenRead("recipient-public-key.asc"))
{
    await vault.SavePublicKeyAsync("recipient@company.com", keyStream);
}

Saving private key

The SavePrivateKey methods of VaultKeyStorage are designed around the assumption that there is only one private key. If your use case requires multiple private keys, you can modify VaultKeyStorage to store each private key under its own unique identifier.

string vaultName = "your vault name";
string tenant = "your vault tenant id";
string clientId = "your vault client id";
string clientSecret = "your vault client secret";
// VaultKeyStorage from https://github.com/didisoft/Azure-Pgp-Function-App/blob/main/EncryptBlobPgp/
VaultKeyStorage vault = new VaultKeyStorage(vaultName, tenant, clientId, clientSecret);
 
// keyStream is a Stream opened on the private key file (placeholder path)
using (Stream keyStream = File.OpenRead("private-key.asc"))
{
    await vault.SavePrivateKeyAsync(keyStream);
}

Loading and using a public key

After loading a public key from Azure Key Vault we can pass it to any method of the library that accepts a public key.

string vaultName = "your vault name";
string tenant = "your vault tenant id";
string clientId = "your vault client id";
string clientSecret = "your vault client secret";
// VaultKeyStorage from https://github.com/didisoft/Azure-Pgp-Function-App/blob/main/EncryptBlobPgp/
VaultKeyStorage vault = new VaultKeyStorage(vaultName, tenant, clientId, clientSecret);
string publicKey = vault.GetPublicKey("recipient@acmcompany.com");
 
PGPLib pgp = new PGPLib();
string encryptedString = pgp.EncryptString("Hello World", publicKey);

Loading and using a private key

In the same way, we can use a private key loaded from Azure Key Vault in the methods where OpenPGP data is being decrypted or signed:

string vaultName = "your vault name";
string tenant = "your vault tenant id";
string clientId = "your vault client id";
string clientSecret = "your vault client secret";
// VaultKeyStorage from https://github.com/didisoft/Azure-Pgp-Function-App/blob/main/EncryptBlobPgp/
VaultKeyStorage vault = new VaultKeyStorage(vaultName, tenant, clientId, clientSecret);
string privateKey = vault.GetPrivateKey();
 
PGPLib pgp = new PGPLib();
// encryptedString is the output of EncryptString from the previous example
string originalString = pgp.DecryptString(encryptedString, privateKey, "private key password");
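A compact sketch of the storage scheme described above (one Key Vault secret per key, an e-mail address as the public key identifier, a single private key), written for this page as an added example and not the VaultKeyStorage class from the repository. It assumes the Azure.Identity and Azure.Security.KeyVault.Secrets packages and ASCII-armored key files; the class name PgpSecretStore and the secret name prefixes are my own choices, and the two checks (the 25 KB secret size limit and the secret-name character rules that a raw e-mail address would violate) are the ones a practitioner would want to add.

```csharp
using System;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Hypothetical minimal key store for illustration; not the VaultKeyStorage class from the repository.
// Each ASCII-armored OpenPGP key is stored as one Key Vault secret.
public sealed class PgpSecretStore
{
    private const int MaxSecretBytes = 25 * 1024;                  // Key Vault secret value limit
    private const string PrivateKeySecretName = "pgp-private-key"; // one private key, as on this page
    private readonly SecretClient _client;

    public PgpSecretStore(string vaultName, string tenantId, string clientId, string clientSecret)
    {
        var vaultUri = new Uri($"https://{vaultName}.vault.azure.net/");
        _client = new SecretClient(vaultUri, new ClientSecretCredential(tenantId, clientId, clientSecret));
    }

    // Secret names may contain only letters, digits and '-' (at most 127 chars), so an e-mail
    // identifier such as "recipient@company.com" becomes "pgp-public-recipient-company-com".
    public static string PublicKeySecretName(string identifier)
    {
        string safe = Regex.Replace(identifier.Trim().ToLowerInvariant(), "[^0-9a-z]+", "-").Trim('-');
        string name = "pgp-public-" + safe;
        if (safe.Length == 0 || name.Length > 127)
            throw new ArgumentException("Identifier yields an invalid Key Vault secret name.", nameof(identifier));
        return name;
    }

    public Task SavePublicKeyAsync(string identifier, Stream key) => StoreAsync(PublicKeySecretName(identifier), key);
    public Task SavePrivateKeyAsync(Stream key) => StoreAsync(PrivateKeySecretName, key);
    public Task DeletePublicKeyAsync(string identifier) => _client.StartDeleteSecretAsync(PublicKeySecretName(identifier));

    public async Task<string> GetPublicKeyAsync(string identifier) =>
        (await _client.GetSecretAsync(PublicKeySecretName(identifier))).Value.Value;
    public async Task<string> GetPrivateKeyAsync() =>
        (await _client.GetSecretAsync(PrivateKeySecretName)).Value.Value;

    private async Task StoreAsync(string secretName, Stream key)
    {
        using var reader = new StreamReader(key, Encoding.ASCII);   // armored keys are plain ASCII
        string armored = await reader.ReadToEndAsync();
        if (Encoding.UTF8.GetByteCount(armored) > MaxSecretBytes)
            throw new ArgumentException($"Key is larger than the {MaxSecretBytes}-byte secret limit.", nameof(key));
        await _client.SetSecretAsync(secretName, armored);
    }
}
```

The returned strings can be passed to PGPLib exactly as the GetPublicKey and GetPrivateKey results are used in the examples above.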

Summary

VaultKeyStorage is a sample class that saves PGP keys to and loads them from Azure Key Vault. It is designed to be used with the Azure Key Vault Key Management Service (KMS) to provide a secure way to store and manage PGP keys, and it offers a simple interface for creating, loading, and managing PGP keys in Azure Key Vault.

You can use and modify VaultKeyStorage in your projects without any restrictions.