Hi,
Thanks for reaching out to Microsoft Q&A.
Azure Key Vault does not allow the export of private keys for security reasons. Microsoft enforces strict controls to prevent the extraction of private keys once they are stored in Key Vault.
Since you cannot directly download or export private keys from Azure Key Vault, here are a few alternative ways you can try to migrate them:
- Re-import the original key in the new location
If you still have access to the original private key file (e.g., .pem, .pfx), you can simply import it into the new key management system.
- Use Key Vault Backup and Restore (Only for HSM-backed keys)
If you're using Azure Key Vault Managed HSM, you can back up and restore keys to another HSM instance.
Use the following Azure CLI commands:
```
az keyvault key backup --vault-name <SourceKeyVault> --name <KeyName> --file <BackupFile>
az keyvault key restore --vault-name <TargetKeyVault> --file <BackupFile>
```
Limitation: This only works between Azure Key Vaults and cannot be used to export the key outside Azure.
- Migrate using a new Key Pair
If you cannot access the original key, consider generating a new key in the target system and rotating the old key to the new one.
- Use an Application Proxy
If you need to use the key elsewhere without extracting it, you can build an application that proxies signing/decryption requests from the new system to the Azure Key Vault.
- Use a Certificate Export (if applicable)
If your private key is stored inside a certificate, and you have a policy that allows exporting, you may be able to retrieve the certificate with the private key:
```
az keyvault secret show --vault-name <KeyVaultName> --name <CertificateName>
```
Then, convert it back into a usable private key format (if export is allowed).
Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
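Added example (not part of the original answer): a small Python helper that takes the JSON printed by `az keyvault secret show` for a certificate and, depending on the secret's `contentType`, either separates the private key from the certificate chain (PEM) or decodes the raw PFX bytes (PKCS#12). The secret name and the PEM bodies in the sample are constructed placeholders, not real key material.

```python
"""Turn the `az keyvault secret show` output for a certificate into usable files.
Key Vault stores the certificate secret either as a PEM bundle
(contentType application/x-pem-file) or as base64-encoded PFX bytes
(contentType application/x-pkcs12)."""
import base64
import json

PEM_TYPE = "application/x-pem-file"
PKCS12_TYPE = "application/x-pkcs12"


def split_pem(pem_text):
    """Return (private_key_blocks, certificate_blocks) from a PEM bundle.
    An empty key list means the secret carried no private key."""
    keys, certs, block = [], [], []
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN "):
            block = [line]
        elif line.startswith("-----END "):
            block.append(line)
            text = "\n".join(block) + "\n"
            (keys if "PRIVATE KEY" in line else certs).append(text)
            block = []
        elif block:
            block.append(line)
    return keys, certs


def extract_certificate_secret(secret_json):
    """Parse the CLI JSON and describe what the secret holds."""
    secret = json.loads(secret_json)
    content_type = secret.get("contentType")
    if content_type == PKCS12_TYPE:
        # The PFX is base64 text in the JSON; the decoded bytes can be written
        # to a .pfx file and converted with `openssl pkcs12`.
        return {"format": "pfx", "pfx": base64.b64decode(secret["value"])}
    if content_type == PEM_TYPE:
        keys, certs = split_pem(secret["value"])
        return {"format": "pem", "keys": keys, "certs": certs}
    raise ValueError(f"unexpected contentType: {content_type!r}")


# Constructed sample: one placeholder key followed by a two-certificate chain.
SAMPLE_PEM_SECRET_JSON = json.dumps({
    "contentType": PEM_TYPE,
    "name": "ExampleCertificate",
    "value": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER_KEY\n-----END PRIVATE KEY-----\n"
             "-----BEGIN CERTIFICATE-----\nPLACEHOLDER_LEAF\n-----END CERTIFICATE-----\n"
             "-----BEGIN CERTIFICATE-----\nPLACEHOLDER_ISSUER\n-----END CERTIFICATE-----\n",
})
# Constructed sample: a few arbitrary bytes standing in for a PFX blob.
SAMPLE_PFX_SECRET_JSON = json.dumps({
    "contentType": PKCS12_TYPE,
    "name": "ExampleCertificate",
    "value": base64.b64encode(b"\x30\x82\x00\x01").decode(),
})
```

Write each returned PEM block to its own file (key and chain separately) so the private key can be given a stricter file permission than the public certificates.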