How to back up all of the keys, certificates and secrets stored in all your Azure Key Vaults

After my previous article on the basic PowerShell cmdlets for Azure Key Vault, I thought it would be useful to give readers who are already familiar with the service a way to export all keys, certificates, and secrets from every vault they can reach in a single run, using PowerShell.

Understanding Azure Key Vault Service

One prerequisite for getting the most out of this script is reading the official Azure Key Vault documentation carefully first.
It seems obvious, but "details" such as Identity and Access Management (IAM) role assignments and vault access policies determine which objects (secrets, keys, certificates) your identity can see and back up in each vault: listing needs the list permission and each backup call needs the backup permission for that object type, so a vault you can list may still produce per-object errors. Two further points to keep in mind: the file produced by a backup is an encrypted blob that can only be restored into a Key Vault in the same Azure subscription and geography, and native Key Vault protections such as soft-delete, the retention period, and purge protection are not something a script like mine can replace; it complements them.

Why Back Up an Azure Key Vault?

Why not?!  Seriously. If you care about your data, it’s your responsibility and choice to decide if you need to export it or not.

Depending on how you use Azure Key Vault and how closely you follow the vendor's recommendations and best practices, it is common to end up with many vaults, created to isolate applications, projects, departments, environments, locations, and so on, just to name a few reasons.

I can guarantee that even if you don’t need it right now or in the near future, understanding how to do it can be useful.

How to back up objects from a vault with Azure CLI

The official documentation shows how to use Azure CLI to back up a single object from a Key Vault, one object per call, with the `az keyvault secret backup`, `az keyvault key backup` and `az keyvault certificate backup` commands.

I like Azure CLI, but the documentation also included a PowerShell example, so I wrote my own script to do what I actually need: every object, of every type, from every vault, in one run.

Backup-MyKeyVault PowerShell script

This is the script I wrote and stored in my Cloud Shell (https://shell.azure.com), so whenever I need an export I can simply run it there and download the result from the browser.

I uploaded the script to my Cloud Shell:


Then I download the ZIP file, which has a folder structure to keep the objects organised:

  • Secrets
  • Key
  • Certificates

Additional Notes

Please note that each Azure Key Vault is saved as its own archive with the naming convention "KEYVAULTNAME-DATE-TIME.ZIP".
If a Key Vault is empty, in other words it contains no keys, certificates or secrets, no zip archive is generated for it.
The files inside the archive are the encrypted backup blobs returned by Key Vault; they cannot be decrypted outside Azure, but they are still the material needed to recreate your secrets, so keep the archives in a location with the same access controls you would apply to the vault itself, and test a restore into a scratch vault at least once so you know the backups are usable.
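The following is an added example, not the author's Backup-MyKeyVault script from GitHub. It shows in working PowerShell what the page describes in prose (the per-type folders, one KEYVAULTNAME-DATE-TIME.zip per non-empty vault, and the skipping of empty vaults) and also serves as the PowerShell counterpart of the per-object Azure CLI backup commands mentioned earlier, with a small restore helper for the "test a restore" check. It uses only the Az.KeyVault cmdlets (Get-AzKeyVault, Get-/Backup-/Restore-AzKeyVaultSecret, -Key and -Certificate) and Compress-Archive; the function names Backup-AllKeyVaults and Restore-KeyVaultBlob, the kv-backups output folder, the .blob file extension and the "Keys" folder name (the author's layout uses "Key") are my assumptions.

```powershell
# Added example (not the author's script): back up every secret, key and
# certificate from every Key Vault in the current subscription using the
# Az.KeyVault cmdlets. Assumes Az.Accounts/Az.KeyVault are installed and
# Connect-AzAccount has run (Cloud Shell does that for you), and that the
# signed-in identity has list + backup permission on each object type.
#Requires -Modules Az.Accounts, Az.KeyVault

function Backup-AllKeyVaults {
    [CmdletBinding()]
    param(
        # Where the per-vault ZIP archives are written (assumed path).
        [string]$OutputRoot = (Join-Path $HOME 'kv-backups')
    )

    $null = New-Item -ItemType Directory -Path $OutputRoot -Force

    foreach ($vault in Get-AzKeyVault) {
        $vaultName = $vault.VaultName
        $stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
        $work      = Join-Path $OutputRoot "$vaultName-$stamp"   # KEYVAULTNAME-DATE-TIME
        $count     = 0

        # One folder and one Backup-* cmdlet per object type. Each call writes a
        # single encrypted blob that can only be restored into a vault in the
        # same subscription and geography.
        $plan = @(
            @{ Folder = 'Secrets'
               Items  = Get-AzKeyVaultSecret -VaultName $vaultName
               Backup = { param($n, $f) Backup-AzKeyVaultSecret -VaultName $vaultName -Name $n -OutputFile $f } },
            @{ Folder = 'Keys'
               Items  = Get-AzKeyVaultKey -VaultName $vaultName
               Backup = { param($n, $f) Backup-AzKeyVaultKey -VaultName $vaultName -Name $n -OutputFile $f } },
            @{ Folder = 'Certificates'
               Items  = Get-AzKeyVaultCertificate -VaultName $vaultName
               Backup = { param($n, $f) Backup-AzKeyVaultCertificate -VaultName $vaultName -Name $n -OutputFile $f } }
        )

        foreach ($type in $plan) {
            $dir = Join-Path $work $type.Folder
            # Skip the secret/key that Key Vault manages on behalf of a certificate;
            # the certificate backup already carries them.
            foreach ($item in @($type.Items | Where-Object { -not $_.Managed })) {
                if (-not (Test-Path $dir)) { $null = New-Item -ItemType Directory -Path $dir -Force }
                $file = Join-Path $dir "$($item.Name).blob"
                try {
                    $null = & $type.Backup $item.Name $file
                    if ((Get-Item $file).Length -gt 0) { $count++ }
                } catch {
                    # Typically a missing backup permission on this object type.
                    Write-Warning "$vaultName/$($type.Folder)/$($item.Name): $($_.Exception.Message)"
                }
            }
        }

        if ($count -eq 0) {
            # Empty vault (or nothing we were allowed to back up): no archive.
            Write-Verbose "$vaultName: no objects backed up, no archive created"
            Remove-Item $work -Recurse -Force -ErrorAction SilentlyContinue
            continue
        }

        $zip = "$work.zip"
        Compress-Archive -Path (Join-Path $work '*') -DestinationPath $zip -Force
        Remove-Item $work -Recurse -Force
        [pscustomobject]@{ VaultName = $vaultName; Objects = $count; Archive = $zip }
    }
}

# Restore check: a backup that has never been restored is a hope, not a backup.
# The target vault must be in the same subscription and geography as the source
# and must not already hold an object with the same name. The object type is
# taken from the folder the blob sits in (Secrets, Keys or Certificates).
function Restore-KeyVaultBlob {
    param([Parameter(Mandatory)][string]$TargetVault,
          [Parameter(Mandatory)][string]$BlobPath)
    switch (Split-Path (Split-Path $BlobPath -Parent) -Leaf) {
        'Secrets'      { Restore-AzKeyVaultSecret      -VaultName $TargetVault -InputFile $BlobPath }
        'Keys'         { Restore-AzKeyVaultKey         -VaultName $TargetVault -InputFile $BlobPath }
        'Certificates' { Restore-AzKeyVaultCertificate -VaultName $TargetVault -InputFile $BlobPath }
        default        { throw "Cannot tell the object type of $BlobPath from its folder name" }
    }
}

# Usage (in Cloud Shell):
#   Backup-AllKeyVaults -Verbose | Format-Table
#   download kv-backups/<vault>-<date>-<time>.zip     # Cloud Shell's download command
#   Expand-Archive kv-backups/<vault>-<date>-<time>.zip -DestinationPath /tmp/kvcheck
#   Restore-KeyVaultBlob -TargetVault scratch-vault -BlobPath /tmp/kvcheck/Secrets/<name>.blob
```

The per-object warnings rather than a hard stop are deliberate: with many vaults and mixed permissions you want the run to finish and tell you exactly which objects it could not back up, instead of producing no archive at all because of one denied secret.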

Wrap-Up

As with many of my scripts, this one was something I quickly wrote out of pure necessity while dealing with different projects, some of which, or their PoCs, were designed to be short-lived.

I hope you will find it useful and, as usual, you can find it on my GitHub repository.
