Can I backup my ADLS Master Encrypotion Key if I orignally generated it in Azure Premium KeyVault (HSM) RRS feed

  • Question

  • I understand I can backup my ADSL mater encryption key (the guard against loss).

    I also understand I can generate the key directly in Azure key Vault, so assuming I am using Premimum Azure KeyVault (HSM) and generate the Mater key (which is an RSA key pair) in the HSM, but I have read of I cannot 'export' keys from the HSM.


    it occurs to me 'backing up' the mater key (is making a copy and therefore exporting), would appear at first glance to be mutually exclusive events with using a HSM.

    In otherwords if I want to be able to backup my ADLS master key, am I forced to use Standard KeyVault?




    Wednesday, January 17, 2018 11:19 AM

All replies

  • You can back up keys from either types of key vaults - HSM or Software. Here is some information about how the backup works: https://docs.microsoft.com/en-us/rest/api/keyvault/backupkey/backupkey

    The backup is not really exporting the keys in the clear. It is exporting a package that can be used within the Azure KeyVault service for restoration purposes. 

    • Proposed as answer by BrantEH Thursday, January 18, 2018 9:51 AM
    Wednesday, January 17, 2018 5:00 PM
  • Thanks very much Amit :)
    Thursday, January 18, 2018 9:51 AM