
A CLI to use an Azure Keyvault key for PGP signing operations.

Primary language: Go. License: Apache License 2.0 (Apache-2.0).

Azure Keyvault PGP

This project lets you create PGP-compatible signatures using Azure Keyvault asymmetric keys. The private key never leaves Keyvault: the CLI hashes the input locally and only sends the digest to Keyvault's sign operation, so the machine running it holds no secret key material. It should be considered experimental.

The code comes from https://github.com/heptiolabs/google-kms-pgp, who figured all of this out. I just rewrote it to use Azure Keyvault. This is not an official Microsoft project.

Installing

$ go get -u -v github.com/jepio/azure-keyvault-pgp
[...]
$ azure-keyvault-pgp

usage: azure-keyvault-pgp --export|--sign|--clearsign
  -a, --armor               output in ascii armor
      --clearsign           sign a message in clear text
      --comment string      comment associated with the key
  -b, --detach-sign         make a detached signature
      --email string        email associated with the key
      --export              export public key
  -u, --local-user string   name of key to sign with
      --name string         name associated with the key
  -o, --output string       write output to file (use - for stdout)
  -s, --sign                sign a message

This binary has two modes of execution:

  • --export: generates and exports a PGP-compatible public key from an Azure Keyvault key.

  • --sign|--clearsign: signs input using the Azure Keyvault key, producing a PGP signature.

Both modes authenticate with the Azure CLI session from az login. That identity needs the Keyvault key permission get for --export (to read the public half) and sign for --sign|--clearsign, and the key should be an RSA key, as in the examples below.

Usage: Generating a Key

$ az login
$ export AZURE_KEYVAULT_URL=https://<keyvault-name>.vault.azure.net

$ azure-keyvault-pgp --export \
    --name "My User" \
    --comment "A comment about my key" \
    --email "myuser@example.com" \
    --armor \
    --output my-public-key.asc \
    my-key

The positional argument (my-key here) is the name of the key in your Keyvault; the name, comment and email only populate the PGP user ID and are not checked against anything in Azure.

$ gpg --import my-public-key.asc
gpg: key 6014DEDCDEC1EF5F: "My User (A comment about my key) <myuser@example.com>" 1 new user ID
gpg: key 6014DEDCDEC1EF5F: "My User (A comment about my key) <myuser@example.com>" 1 new signature
gpg: Total number processed: 1
gpg:           new user IDs: 1
gpg:         new signatures: 1

The gpg --import step above adds the exported public key to your keyring. To mark it trusted, run gpg --edit-key 6014DEDCDEC1EF5F and use the trust command. Keep in mind that anyone with sign permission on the Keyvault key can produce signatures that verify against this public key, so trusting the key means trusting the vault's access control and audit logging.

Usage: Signing

$ az login
$ export AZURE_KEYVAULT_URL=https://<keyvault-name>.vault.azure.net

$ azure-keyvault-pgp --sign \
    --detach-sign \
    --armor \
    --local-user my-key \
    hello.txt

Without --output the armored detached signature is written next to the input as hello.txt.asc, which is the file gpg verifies below.

$ gpg --verify hello.txt.asc hello.txt
gpg: Signature made Fri Aug 31 11:48:35 2018 CDT
gpg:                using RSA key 6014DEDCDEC1EF5F
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   5  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   5  signed:   5  trust: 5-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "My User (A comment about my key) <myuser@example.com>" [ultimate]
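To make the signing mode concrete, the following is an added Go example (not code from this project or from google-kms-pgp) of what a detached PGP signature over hello.txt consists of when the RSA operation is delegated to a remote signer. The vaultSigner type is a hypothetical stand-in for the Keyvault key, implemented with an in-memory rsa.PrivateKey behind crypto.Signer so that the example runs offline; the real CLI sends the digest to Keyvault instead. The function names (hashedPortion, signatureDigest, detachedSignature, verifyDetached) are this example's own. It builds the RFC 4880 v4 signature hash (document, hashed metadata, trailer), wraps the RSASSA-PKCS1-v1_5/SHA-256 result in a tag-2 packet, and then parses and verifies that packet, showing that a one-byte change to the document or to the signed metadata fails. The issuer key ID subpacket that gpg uses to locate the key is omitted, so the packet is checked by the included verifier rather than being a drop-in for gpg --verify.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math/bits"
	"time"
)

const (
	sigTypeBinary  = 0x00 // signature over a binary document
	pkAlgoRSA      = 1    // RSA (Encrypt or Sign)
	hashAlgoSHA256 = 8    // SHA-256
	pktHeader      = 0x80 | 2<<2 | 2 // old-format header: tag 2, two-octet length
)

// vaultSigner is a hypothetical stand-in for an Azure Keyvault key so the
// example runs offline: the private key lives only inside this struct and
// callers get nothing but Sign() results. The real CLI sends the digest to
// Keyvault's sign operation instead.
type vaultSigner struct{ priv *rsa.PrivateKey }

func (v *vaultSigner) Public() crypto.PublicKey { return &v.priv.PublicKey }

// Sign mirrors Keyvault's RS256: RSASSA-PKCS1-v1_5 over a SHA-256 digest.
func (v *vaultSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return rsa.SignPKCS1v15(r, v.priv, crypto.SHA256, digest)
}

// hashedPortion is the part of a v4 signature packet covered by the hash:
// version, type, algorithms and the hashed subpackets (RFC 4880 5.2.3).
// The only hashed subpacket here is the creation time (type 2).
func hashedPortion(created time.Time) []byte {
	sub := []byte{5, 2, 0, 0, 0, 0} // subpacket length 5, type 2, 4-byte time
	binary.BigEndian.PutUint32(sub[2:], uint32(created.Unix()))
	hp := []byte{4, sigTypeBinary, pkAlgoRSA, hashAlgoSHA256, 0, byte(len(sub))}
	return append(hp, sub...)
}

// signatureDigest is what actually gets signed: SHA-256 over the document,
// then the hashed portion, then the v4 trailer 04 FF <4-byte hashed length>
// (RFC 4880 5.2.4). Hashing the metadata is what stops a signature from
// being re-dated or re-typed after the fact.
func signatureDigest(doc, hp []byte) []byte {
	h := sha256.New()
	h.Write(doc)
	h.Write(hp)
	trailer := []byte{4, 0xff, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(trailer[2:], uint32(len(hp)))
	h.Write(trailer)
	return h.Sum(nil)
}

// detachedSignature builds a tag-2 packet: hashed portion, empty unhashed
// area, left 16 bits of the digest, and the RSA signature as an MPI.
func detachedSignature(s crypto.Signer, doc []byte, created time.Time) ([]byte, error) {
	hp := hashedPortion(created)
	digest := signatureDigest(doc, hp)
	sig, err := s.Sign(rand.Reader, digest, crypto.SHA256)
	if err != nil {
		return nil, err
	}
	for len(sig) > 1 && sig[0] == 0 { // MPIs carry no leading zero octets
		sig = sig[1:]
	}
	nbits := len(sig)*8 - bits.LeadingZeros8(sig[0])
	body := append([]byte{}, hp...)
	body = append(body, 0, 0)                 // no unhashed subpackets
	body = append(body, digest[0], digest[1]) // quick-check hash prefix
	body = append(body, byte(nbits>>8), byte(nbits))
	body = append(body, sig...)
	hdr := []byte{pktHeader, byte(len(body) >> 8), byte(len(body))}
	return append(hdr, body...), nil
}

// verifyDetached parses such a packet and checks it against doc with pub.
// Any change to the document, the signed metadata or the signature fails.
func verifyDetached(pub *rsa.PublicKey, doc, pkt []byte) error {
	if len(pkt) < 3 || pkt[0] != pktHeader || int(binary.BigEndian.Uint16(pkt[1:3])) != len(pkt)-3 {
		return errors.New("not a tag-2 packet with a two-octet length")
	}
	body := pkt[3:]
	if len(body) < 6 || body[0] != 4 || body[1] != sigTypeBinary || body[2] != pkAlgoRSA || body[3] != hashAlgoSHA256 {
		return errors.New("unsupported signature version or algorithms")
	}
	hpEnd := 6 + int(binary.BigEndian.Uint16(body[4:6]))
	if len(body) < hpEnd+2 {
		return errors.New("truncated hashed subpackets")
	}
	p := hpEnd + 2 + int(binary.BigEndian.Uint16(body[hpEnd:hpEnd+2]))
	if len(body) < p+4 {
		return errors.New("truncated unhashed subpackets")
	}
	digest := signatureDigest(doc, body[:hpEnd]) // recompute over the metadata as signed
	if digest[0] != body[p] || digest[1] != body[p+1] {
		return errors.New("hash prefix mismatch: document or metadata altered")
	}
	nbits := int(binary.BigEndian.Uint16(body[p+2 : p+4]))
	sig := body[p+4:]
	if len(sig) != (nbits+7)/8 || len(sig) > pub.Size() {
		return errors.New("malformed signature MPI")
	}
	// RFC 8017 requires a modulus-length signature; restore stripped zero octets.
	padded := append(make([]byte, pub.Size()-len(sig)), sig...)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, padded)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	vault := &vaultSigner{priv: priv}
	doc := []byte("hello\n") // constructed sample input, standing in for hello.txt
	pkt, err := detachedSignature(vault, doc, time.Now())
	if err != nil {
		panic(err)
	}
	pub := vault.Public().(*rsa.PublicKey)
	fmt.Printf("packet: %d bytes, genuine: %v\n", len(pkt), verifyDetached(pub, doc, pkt))
	fmt.Printf("tampered: %v\n", verifyDetached(pub, []byte("hellp\n"), pkt))
}
```

The point to take from the verifier is that the hashed subpackets are re-read from the packet and fed back into the digest, so a signature's creation time is authenticated along with the document; a signer that exposed only a raw RSA operation on arbitrary bytes (rather than on the PGP-constructed digest) would let a caller forge signatures over any metadata, which is why the CLI, not Keyvault, owns the hash construction.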