tl;dr

Our team encountered a decryption hurdle when entering a multi-line PGP private key into Azure Key-Vault’s UI due to its limitations with multi-line secrets. After initial decryption failures and thorough investigation, the resolution involved using PowerShell. The process includes adjusting newline characters in a text editor and utilizing Azure CLI to securely upload multi-line secrets to Azure Key-Vault. Head to the “Solution” or “Conclusion” section for the process.

Background

At work, on one of the projects our team manages, we process transaction data from bank files, aggregating it based on specific keys, then cross-reference this information with data from our Point-of-Sale (POS) systems. Until recently, our system depended on a single financial institution (FI) to supply us with transaction data, creating a vulnerable single point of failure. Recognizing this risk, we’ve dedicated the past few months to integrating a second FI into our workflow, enhancing system robustness. The files we receive are securely encrypted, utilizing PGP (Pretty Good Privacy) to ensure the confidentiality and integrity of these sensitive bank records. Here is the Wikipedia link to PGP.

PGP

PGP is just a typical asymmetric cryptographic algorithm. in short, data is encrypted using the receivers public key and decrypted by the receiver using the private key that is mathematically related to the public key, along with a passphrase to unlock the key. One of the properties that makes PGP secure is that it uses a MULTI-LINE private key. This leads me to the heart of today’s discussion and the challenge I encountered with decrypting a bank file when the private key is securely housed in Azure Key-Vault.

Problem

This sets the stage for the issue I grappled with. Upon receiving a test file, accompanied by the private key and passphrase for decryption, I crafted a Python script to handle the task. Given the script’s purpose for development testing, I hard-coded the private key directly into it. In VS Code, when I pasted the key contents, it uses \\n’s in order to indicate newlines.

I used the PGPy library in order to decrypt this and it worked fine! I figured my testing here was done and the same could be replicated on our test environment which is hosted in Azure. I went through the same procedure and pasted the private key as an Azure Key-Vault secret, so that it could be referenced as an environment variable in our deployed Function App. However, I was soon confronted with persistent exceptions indicating that the decryption process had failed. Despite my efforts to troubleshoot—meticulously verifying the private key, passphrase, and ensuring the deployment of the correct code—I was at a standstill. After extensive online research, I stumbled upon the solution.

Solution

Navigating this issue involves several steps. Firstly, I discovered that Azure Key-Vault does not support the input of multi-line secrets directly through its user interface. This crucial piece of information is somewhat concealed; it only becomes apparent if you hover over the ‘i’ icon next to the secret values field, a subtle detail that I believe deserves more prominent visibility.

As it stands, Azure recommends the use of PowerShell to manage multi-line secrets, providing a practical workaround for this limitation. Here is the process I typically follow in order to upload multi-line secrets into Azure Key-Vault such as GPG Private Keys:

• Copy the secret into a temporary Notepad++ file or any other rich text editor
• Press Ctrl + H to open the “Replace” dialog
• In the “Find what” box, enter \\n (The double backslash is used to escape the backslash character)
• In the “Replace with” box, enter \r\n for Windows newline or just \n for a Unix/Linux newline.
  
• If you did that correctly, your secret should look to be in the proper multi-line format beginning with —-BEGIN PGP PRIVATE KEY BLOCK—— in the first line and then a newline below it
• Now save the file with some name say secretfile.txt
• Open PowerShell in administrator mode
• Assuming you have Azure CLI installed you must run az keyvault secret set --vault-name "<your-unique-keyvault-name>" --name "MultilineSecret" --file "secretfile.txt”
• If you refresh you Key-Vault, you should see this new key with the name you provided
• Remember to delete the secret file from your machine as a security measure

Conclusion

As of 2023-10-18, Azure Key-Vault does not allow multi-line secrets to be entered as a secret value. You will need to use the Azure CLI on a Terminal or PowerShell in order to accomplish this task. Save the secret in a text file on your machine, use a text editor to replace all \\n with \r\n, and then use the command az keyvault secret set –vault-name “<your-unique-keyvault-name>” –name “MultilineSecret” –file “secretfile.txt” to push the secret to Key-Vault.