Azure Key Vault – Azure Saturday satazureday Ottawa

I had the opportunity to speak at satazureday Azure Saturday here in Ottawa last week, and went through the topic of Azure Key Vault. I also had a co-presenter to share the talk with; an upcoming public speaker Petrica Mihai. He created most of the slides and the demo code in C# 🙂
You can view the code at https://github.com/mihaipetri/AzureKeyVaultNet

In any case if you are interested here are the slides on Azure Key Vault.

And the transcript:

1. Azure Key Vault • What are we trying to solve with KeyVault?

• Let’s step back and look at a Cloud Design Pattern
• External Configuration Pattern

• Helps move configuration information out of the application deployment
• his pattern can provide for easier management and control of configuration data
• For sharing configuration data across applications and other application instances

• Configuration becomes part of deployment
• Multiple applications share the same configuration
• Hard to have access control over the configuration

• When you have shared configuration, multiple application
• You want to manage configuration centrally by DevOps
• Provide audit for each configuration

• When you only have a single application there is no need to use this pattern it will make things more complex

• Azure KeyVault (Today’sTalk)
• Vault by Hashicorp
• AWS KMS
• Keywhiz

• Safe1guard cryptographic keys and secrets used by cloud applications and services
• Use hardware security modules (HSMs)
• Simplify and automate tasks for SSL/TLS certificates

• Customers can import their own keys into Azure, and manage them
• Keys are stored in a vault and invoked by URI when needed
• KeyVault performs cryptographic operations on behalf of the application
• The application does not see the customers’ keys
• KeyVault is designed so that Microsoft does not see or extract your keys • Near real-time logging of key usage

• Objects stored in Azure KeyVault (keys, secrets, certificates) retain versions whenever a new instance of an object is created, and each version has a unique identifier and URL
• https://{keyvault-name}.vault.azure.net/{object-type}/{object- name}/{object-version}

• Cryptographic keys in Azure KeyVault are represented as JSONWeb Key [JWK] objects
• RSA: A 2048-bit RSA key.This is a “soft” key, which is processed in software by KeyVault but is stored encrypted at rest using a system key that is in an HSM
• RSA-HSM: An RSA key that is processed in an HSM
• https://myvault.vault.azure.net/keys/mykey/abcdea84815e4ca8bc19c f8eb943ee88

• Secrets are octet sequences with a maximum size of 25k bytes each
• The Azure KeyVault service does not provide any semantics for secrets; it accepts the data, encrypts and stores it, returning a secret identifier, “id”, that may be used to retrieve the secret
• https://myvault.vault.azure.net/secrets/mysecret/abcdea54614e4ca7 ge14cf2eb943ab23
• Create a Key Vault secret $secret = Set-AzureKeyVaultSecret -VaultName ‘MihaiKeyVault’ -Name ‘SQLPassword’ -SecretValue $secretvalue
• Azure Key Vault certificates
• Import/generate existing certificates, self-signed or Enroll from Public Certificate Authority (DigiCert, GlobalSign andWoSign)
• When a KeyVault certificate is created, an addressable key and secret are also created with the same name
• https://myvault.vault.azure.net/certificates/mycertificate/abcdea848 15e4ca8bc19cf8eb943bb45
• Create a Key Vault certificate
• Secure your Key Vault
• Access to a key vault is controlled through two separate interfaces: management plane and data plane
• Authentication establishes the identity of the caller
• Authorization determines what operations the caller is allowed to perform
• For authentication both management plane and data plane use Azure Active Directory
• For authorization, management plane uses role-based access control (RBAC) while data plane uses key vault access policy
• Access Control
• Access Control based on Azure AD
• Access assigned at theVault level
• – permissions to keys
• – permissions to secrets
• Authentication against AzureAD
• – application ID and key
• – application ID and certificate
• Azure Managed Service Identity (MSI)
• Manage the credentials that need to be in your code for authenticating to cloud services
• Azure KeyVault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them
• Managed Service Identity (MSI) makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD)
• You can use this identity to authenticate to any service that supports AzureAD authentication, including KeyVault, without having any credentials in your code

Azure Key Vault Logging

• Monitor how and when your key vaults are accessed, and by whom
• Save information in an Azure storage account that you provide
• Use standard Azure access control methods to secure your logs by restricting who can access them
• Delete logs that you no longer want to keep in your storage account
• Azure Key Vault Pricing • Operations (Standard or Premium) $0.030 per 10000 operations
• Advanced Operations (Standard or Premium) $0.150 per 10000 operations
• Certificate Renewals (Standard or Premium) $3.00 per renewal
• Hardware Security Module Protected Keys (Premium only) $1.00 per key
• Azure Key Vault DEMO
• Create KeyVault, Secrets, Keys and Certificates
• Create AzureAD Application
• Consuming Secrets and Keys https://azurekeyvaultnet.azurewebsites.net – live demo
• https://github.com/mihaipetri/AzureKeyVaultNet – demo code

Related posts:

1. Managing your secrets in a cloud environment – Update Conference
2. Cloud Design Patterns – Talk at Ottawa .NET Community
3. Speaking at ForwardJS Ottawa April
4. Azure functions – Serving Html Data from Azure Functions