
Azure Key Vault Encrypt and Decrypt File



Requirements

The Nautilus DevOps team is focusing on improving their data security by using Azure Key Vault. Your task is to create a Key Vault with a key and manage the encryption and decryption of a pre-existing sensitive file using this key.

Specific Requirements:

  1. Create a Key Vault:
  • Name the Key Vault nautilus-29948.
  • Set access policies to allow encryption and decryption operations.
  2. Create a Key:
  • Create a key named nautilus-key within the Key Vault for encryption and decryption operations (the task calls this a symmetric key, but a standard Key Vault only offers RSA and EC key types; symmetric keys exist only in Managed HSM, so an RSA key is used).
  3. Encrypt the Sensitive Data:
  • Use the key to encrypt the provided SensitiveData.txt file (located in /root/) on the azure-client host.
  • Base64 encode the ciphertext and save the encrypted version as EncryptedData.bin in the /root/ directory.
  4. Verify Decryption:
  • Decrypt EncryptedData.bin and verify that the decrypted data matches the original SensitiveData.txt file.

Ensure that the Key Vault and key are correctly configured. The validation script will test your configuration by decrypting the EncryptedData.bin file using the key you created.


Note

Use the same key name and key vault name exactly as required, because validation is name-sensitive.

RSA-OAEP encrypts a single block, so a 2048-bit key accepts at most 214 bytes of plaintext (190 bytes with RSA-OAEP-256); a larger SensitiveData.txt fails at the encrypt step rather than being encrypted in pieces. Step 3 asks for the base64-encoded ciphertext in EncryptedData.bin, so write the base64 text the CLI returns, not the decoded bytes.

Prerequisites

  • Azure CLI installed and authenticated.
  • SensitiveData.txt exists in /root/.
  • Resource group exists (the steps look up a group whose name contains "kml") and the signed-in user can create Key Vaults and set access policies in it.

Steps

RG=$(az group list --query "[?contains(name, 'kml')].name" --output tsv)
KV_NAME="nautilus-29948"
KEY_NAME="nautilus-key"
LOCATION="eastus"
# Object ID of the signed-in user, granted key permissions via access policy below
MY_OID=$(az ad signed-in-user show --query id -o tsv)

# Create the vault with the access-policy permission model. Newer CLI versions
# default to Azure RBAC, under which key operations need a role assignment
# (e.g. Key Vault Crypto Officer) instead of an access policy.
az keyvault create \
--name "$KV_NAME" \
--resource-group "$RG" \
--location "$LOCATION" \
--enable-rbac-authorization false

# Access policy: only the key permissions this task needs
az keyvault set-policy \
--name "$KV_NAME" \
--object-id "$MY_OID" \
--key-permissions create get encrypt decrypt

# RSA key (a standard Key Vault has no symmetric key type); 2048 bits is the default
az keyvault key create \
--vault-name "$KV_NAME" \
--name "$KEY_NAME" \
--kty RSA \
--size 2048

# Encrypt file content. RSA-OAEP is a single-block operation: with a 2048-bit
# key the plaintext may be at most 214 bytes, so fail early if the file is larger.
SIZE=$(wc -c < /root/SensitiveData.txt)
[ "$SIZE" -le 214 ] || { echo "SensitiveData.txt is $SIZE bytes; RSA-OAEP with a 2048-bit key takes at most 214" >&2; exit 1; }

# --value is base64 by default (--data-type base64) and the returned result is base64 too
PLAINTEXT_B64=$(base64 -w0 /root/SensitiveData.txt)
CIPHERTEXT=$(az keyvault key encrypt \
--vault-name "$KV_NAME" \
--name "$KEY_NAME" \
--algorithm RSA-OAEP \
--value "$PLAINTEXT_B64" \
--query result -o tsv)

# The task asks for the base64-encoded ciphertext, so store the base64 text as-is
printf '%s' "$CIPHERTEXT" > /root/EncryptedData.bin

# Decrypt and compare: feed the stored base64 back in, base64-decode the result
DEC_PLAIN=$(az keyvault key decrypt \
--vault-name "$KV_NAME" \
--name "$KEY_NAME" \
--algorithm RSA-OAEP \
--value "$(cat /root/EncryptedData.bin)" \
--query result -o tsv)

echo "$DEC_PLAIN" | base64 -d > /root/DecryptedData.txt
cmp /root/SensitiveData.txt /root/DecryptedData.txt && echo "Decrypted data matches the original"
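The two places this procedure silently goes wrong are the RSA single-block size limit at the encrypt step and an EncryptedData.bin that does not contain what step 3 asks for. The script below is an added example, not part of the original lab or of the Azure CLI: it runs offline (no Azure calls) and checks both conditions before you spend a Key Vault round trip. The function names, the file arguments and the default of a 2048-bit key with RSA-OAEP are assumptions for the example; the padding arithmetic (k - 2*hLen - 2 for OAEP, k - 11 for PKCS#1 v1.5) is the standard one, with SHA-1 for RSA-OAEP and SHA-256 for RSA-OAEP-256 as Key Vault uses them.

```shell
#!/usr/bin/env bash
# Added example (not from the original lab or the Azure CLI): offline pre-flight
# checks around the "az keyvault key encrypt" step. Only local files are inspected.

# Largest plaintext (bytes) one RSA encrypt call accepts for a given key size.
# OAEP limit = k - 2*hLen - 2, k = modulus bytes; RSA-OAEP uses SHA-1 (hLen=20),
# RSA-OAEP-256 uses SHA-256 (hLen=32). RSA1_5 (PKCS#1 v1.5) allows k - 11.
oaep_max_plaintext() {
  local key_bits=$1 algorithm=$2 hlen
  case "$algorithm" in
    RSA-OAEP)     hlen=20 ;;
    RSA-OAEP-256) hlen=32 ;;
    RSA1_5)       echo $(( key_bits / 8 - 11 )); return 0 ;;
    *) echo "unsupported algorithm: $algorithm" >&2; return 2 ;;
  esac
  echo $(( key_bits / 8 - 2 * hlen - 2 ))
}

# Exit 0 if FILE fits in a single RSA operation, 1 if it is too large (you would
# need a data key wrapped by the Key Vault key instead), 2 on an unknown algorithm.
fits_single_block() {
  local file=$1 key_bits=$2 algorithm=$3 size max
  size=$(wc -c < "$file")
  max=$(oaep_max_plaintext "$key_bits" "$algorithm") || return 2
  [ "$size" -le "$max" ]
}

# Exit 0 if FILE holds valid base64 that decodes to exactly one RSA block
# (key_bits/8 bytes), i.e. the base64 ciphertext step 3 asks for; raw bytes
# or truncated text fail the base64 decode or the length check.
ciphertext_file_ok() {
  local file=$1 key_bits=$2 decoded_len
  base64 -d "$file" >/dev/null 2>&1 || return 1
  decoded_len=$(base64 -d "$file" | wc -c)
  [ "$decoded_len" -eq $(( key_bits / 8 )) ]
}

# Usage (assumed paths): ./kv_checks.sh /root/SensitiveData.txt /root/EncryptedData.bin [KEY_BITS] [ALGORITHM]
if [ "$#" -ge 2 ]; then
  bits=${3:-2048}; alg=${4:-RSA-OAEP}
  if fits_single_block "$1" "$bits" "$alg"; then
    echo "$1 fits in one $alg block (max $(oaep_max_plaintext "$bits" "$alg") bytes)"
  else
    echo "$1 is too large for a single $alg operation with a $bits-bit key" >&2
  fi
  if [ -f "$2" ]; then
    if ciphertext_file_ok "$2" "$bits"; then
      echo "$2 is base64 of one $bits-bit RSA block"
    else
      echo "$2 is not base64 of a single $bits-bit RSA block" >&2
    fi
  fi
fi
```

Run it before the encrypt step with just the plaintext path to learn whether the file fits, and again after writing EncryptedData.bin to confirm the file is base64 of a single 256-byte block; if you switch to RSA-OAEP-256 or a 4096-bit key, pass those as the third and fourth arguments and the limits adjust accordingly.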

Verification

  • Verify key exists:
    • az keyvault key show --vault-name "$KV_NAME" --name "$KEY_NAME" --query key.kid -o tsv
  • Verify encrypted file exists:
    • ls -l /root/EncryptedData.bin
  • Verify decrypted file matches original:
    • cmp /root/SensitiveData.txt /root/DecryptedData.txt

Resources