@maskati
Created February 6, 2025 07:01
Copy Azure Key Vault keys between subscriptions

Azure Key Vault keys hold private key material that cannot be exported (the default for Key Vault keys); sign, decrypt and unwrap operations run inside the service and only the public part ever leaves it. Key Vault key backups are encrypted blobs that can only be restored into a vault in the same Azure subscription and the same Azure geography, so backup and restore alone cannot move a key to a different subscription.

You can still copy a key from one subscription to another (both subscriptions must be in the same Entra tenant) by:

  1. Taking a backup of the key in the source subscription
  2. Creating a new key vault in the source subscription (any region in the same geography) and restoring the backup into it; the restore is allowed because subscription and geography match
  3. Moving the new key vault, as an ARM resource move, to the destination subscription; the key material travels with the vault, and the restriction on backups is never applied to a move

Some limitations:

Below is a PowerShell script (driving the Azure CLI) that copies a key from subscription s1 in westeurope to subscription s2 in northeurope. Both regions are in the Europe geography, which is what makes the restore in step 2 work.

# you need two subscriptions in the same entra tenant
$s1 = '00000000-0000-0000-0000-000000000001'
$l1 = 'westeurope'
$s2 = '00000000-0000-0000-0000-000000000002'
$l2 = 'northeurope'

# create key vault in subscription 1 and west europe
$rg1 = az group create --subscription $s1 -n rg-keyvault-test -l $l1 | convertfrom-json
$kv1 = az keyvault create --subscription $s1 -g $rg1.name -n "kv-$([guid]::newguid().tostring('N').substring(0,6))" -l $l1 --retention-days 7 --enable-rbac-authorization false | convertfrom-json

# create a non-exportable RSA key to test copying
$key1 = az keyvault key create --kty RSA --size 2048 --vault-name $kv1.name -n mykey | convertfrom-json

# take a backup of the key; the blob is encrypted and can only be restored into a vault
# in the same geography (europe) and the same subscription (subscription 1)
az keyvault key backup --vault-name $kv1.name -n mykey -f mykey.keyvaultbackup

# create the vault that will later be moved: still in subscription 1, but already in the
# destination region (north europe, same geography, so the restore below is allowed)
$kv2 = az keyvault create --subscription $s1 -g $rg1.name -n "kv-$([guid]::newguid().tostring('N').substring(0,6))" -l $l2 --retention-days 7 --enable-rbac-authorization false | convertfrom-json

# restore the key vault backup; this works because the backup was taken in the same subscription and geography
$key2 = az keyvault key restore --vault-name $kv2.name -f mykey.keyvaultbackup | convertfrom-json

# create destination group in subscription 2
$rg2 = az group create --subscription $s2 -n rg-keyvault-test -l $l2 | convertfrom-json

# move the target key vault from subscription 1 to 2 (this will take a while); the vault keeps its
# name and DNS name, only the resource id changes, and the key material is moved with the vault
az resource move --subscription $s1 --ids $kv2.id --destination-subscription-id $s2 --destination-group $rg2.name

# compare the keys to verify the copy: kid differs because the vault name is part of the key URL,
# but the public exponent e and modulus n must be identical
$compare1 = az keyvault key show --subscription $s1 --vault-name $kv1.name -n mykey | convertfrom-json
$compare2 = az keyvault key show --subscription $s2 --vault-name $kv2.name -n mykey | convertfrom-json
$compare1.key , $compare2.key | select kid, e, n | fl
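Comparing e and n only shows that the public halves match. The following function is an added example, not part of the original gist: it proves the moved vault also holds the same private key by signing a locally hashed test message with the key in the destination vault and verifying the signature in .NET against the source vault's public JWK. It assumes the variables from the script above ($kv1, $kv2, $s1, $s2) and the key name "mykey"; the `signature` property name of the `az keyvault key sign` output and the base64 form of `--digest` are taken from the current Azure CLI and handled defensively for both base64 alphabets.

```powershell
# Added example (not from the original gist): sign in the destination vault, verify against the
# source vault's public key. Assumes $kv1/$kv2/$s1/$s2 from the copy script above.

function ConvertFrom-Base64Url {
    param([string]$Text)
    # JWK n/e are base64url without padding; az output may use either alphabet, so accept both
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [Convert]::FromBase64String($s)
}

function Test-KeyVaultKeyCopy {
    param(
        [string]$SourceVault, [string]$SourceSubscription,
        [string]$DestVault,   [string]$DestSubscription,
        [string]$KeyName = 'mykey'
    )
    # 1. constructed test message, hashed locally: Key Vault signs a digest, never the message itself
    $message = [Text.Encoding]::UTF8.GetBytes('key copy test ' + [DateTime]::UtcNow.ToString('o'))
    $digest  = [Security.Cryptography.SHA256]::Create().ComputeHash($message)
    # standard padded base64 is accepted by both base64 and base64url decoders (assumption: current az CLI)
    $digestB64 = [Convert]::ToBase64String($digest)

    # 2. sign with the private key that now lives in the DESTINATION (moved) vault
    $signed = az keyvault key sign --subscription $DestSubscription --vault-name $DestVault -n $KeyName `
        --algorithm RS256 --digest $digestB64 | ConvertFrom-Json
    $signature = ConvertFrom-Base64Url $signed.signature   # property name assumed from current az output

    # 3. fetch the SOURCE vault's public key (JWK n/e) and import it into a .NET RSA object
    $srcKey = az keyvault key show --subscription $SourceSubscription --vault-name $SourceVault -n $KeyName | ConvertFrom-Json
    $params = [Security.Cryptography.RSAParameters]::new()
    $params.Modulus  = ConvertFrom-Base64Url $srcKey.key.n
    $params.Exponent = ConvertFrom-Base64Url $srcKey.key.e
    $rsa = [Security.Cryptography.RSA]::Create()
    $rsa.ImportParameters($params)

    # 4. RS256 is RSASSA-PKCS1-v1_5 over SHA-256; a valid signature proves both vaults share one key pair
    $valid = $rsa.VerifyHash($digest, $signature,
        [Security.Cryptography.HashAlgorithmName]::SHA256,
        [Security.Cryptography.RSASignaturePadding]::Pkcs1)

    # 5. the public parts must match too; kid differs because the vault name is part of the key URL
    $dstKey = az keyvault key show --subscription $DestSubscription --vault-name $DestVault -n $KeyName | ConvertFrom-Json
    [pscustomobject]@{
        SignatureVerifies = $valid
        ModulusMatches    = ($srcKey.key.n -eq $dstKey.key.n) -and ($srcKey.key.e -eq $dstKey.key.e)
        SourceKid         = $srcKey.key.kid
        DestKid           = $dstKey.key.kid
    }
}

# usage with the vaults created by the script above; SignatureVerifies and ModulusMatches must both be True
Test-KeyVaultKeyCopy -SourceVault $kv1.name -SourceSubscription $s1 -DestVault $kv2.name -DestSubscription $s2
```

Signing in the destination and verifying with the source's public key is deliberate: it exercises the private key material that was moved, which a comparison of `n` and `e` cannot do. The caller needs the `sign` key permission on the destination vault and `get` on the source, which the creating user has under the access-policy model used in the script.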