This document provides an overview of Azure Key Vault, a cloud service for securely storing and accessing secrets. It discusses how Key Vault can be used to store encryption keys, passwords, and certificates. Key Vault uses hardware security modules to cryptographically protect secrets and can be accessed via REST APIs. The document demonstrates how to create a Key Vault, add a secret, and consume that secret from an application using either a service principal or managed service identity.
16. Secrets
• Octet sequences with no semantics
• Max 25k bytes each
• Connection Strings, Passwords etc.
https://mytestvault.vault.azure.net/secrets/mytestsecret/dcerea54614e4ca7ge14cf2eb943dd45
17. Certificates
• Import Existing Certificates
• Self-signed, or enrol from a public Certificate Authority (DigiCert, GlobalSign and WoSign)
https://mytestvault.vault.azure.net/certificates/mycertificate/cfedea84815e4ca8bc19cf8eb943ee13
28. MSI (Code Changes)
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// AzureServiceTokenProvider obtains the token from the managed identity (or, outside Azure, from AzureServicesAuthConnectionString); no credentials live in the code
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
    new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
AzureServicesAuthConnectionString (service principal alternative to MSI, with either a secret or a certificate):
RunAs=App;AppId=AppId;TenantId=TenantId;AppKey=Secret
RunAs=App;AppId=AppId;TenantId=TenantId;CertificateThumbprint=Thumbprint;CertificateStoreLocation=CurrentUser
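An added example (Python, not the AppAuthentication library's own code) that parses the two AzureServicesAuthConnectionString forms shown above, enforces that exactly one of AppKey or CertificateThumbprint is present, and redacts the AppKey so the parsed object can be logged. The GUID check on AppId/TenantId and the LocalMachine store location are assumptions not shown on the slide.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Format from the slide (service principal; client secret or certificate):
#   RunAs=App;AppId=...;TenantId=...;AppKey=...
#   RunAs=App;AppId=...;TenantId=...;CertificateThumbprint=...;CertificateStoreLocation=CurrentUser
# Assumed (not on the slide): AppId/TenantId are GUIDs; store location is CurrentUser or LocalMachine.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


@dataclass(repr=False)
class AppCredentials:
    app_id: str
    tenant_id: str
    app_key: Optional[str] = None               # client secret (AppKey)
    cert_thumbprint: Optional[str] = None       # certificate alternative
    cert_store_location: Optional[str] = None

    @property
    def mode(self) -> str:
        return "secret" if self.app_key else "certificate"

    def __repr__(self) -> str:
        # Redact the client secret so a logged object never leaks the credential.
        key = "<redacted>" if self.app_key else None
        return (f"AppCredentials(app_id={self.app_id!r}, tenant_id={self.tenant_id!r}, "
                f"mode={self.mode!r}, app_key={key!r}, cert_thumbprint={self.cert_thumbprint!r})")


def parse_auth_connection_string(conn: str) -> AppCredentials:
    parts = {}
    for segment in conn.strip().split(";"):
        if not segment.strip():
            continue                            # tolerate a trailing ';'
        if "=" not in segment:
            raise ValueError(f"segment without '=': {segment!r}")
        key, value = segment.split("=", 1)      # split once: a secret may itself contain '='
        parts[key.strip()] = value.strip()
    if parts.get("RunAs") != "App":
        raise ValueError("only RunAs=App (service principal) is handled here")
    for required in ("AppId", "TenantId"):
        if not GUID_RE.match(parts.get(required, "")):
            raise ValueError(f"{required} missing or not a GUID")
    has_key, has_cert = "AppKey" in parts, "CertificateThumbprint" in parts
    if has_key == has_cert:
        raise ValueError("exactly one of AppKey or CertificateThumbprint is required")
    if has_cert and parts.get("CertificateStoreLocation") not in ("CurrentUser", "LocalMachine"):
        raise ValueError("CertificateStoreLocation must be CurrentUser or LocalMachine")
    return AppCredentials(parts["AppId"], parts["TenantId"], parts.get("AppKey"),
                          parts.get("CertificateThumbprint"), parts.get("CertificateStoreLocation"))
```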
29. Key Vault and Development Cycle
• Externalize into configuration
Vault URL: https://{keyvault-name}.vault.azure.net
Value: /{object-type}/{object-name}/{object-version}
• Sensitive information is managed separately
Story 1
There is a Zen teaching story about a student who comes to the Master and tells him
"I'm getting really bored with just feeling my breath coming in and going out all the time. Don't you have a meditation that is more exciting?"
The Zen Master replied, "Yes. You are now ready for a greater teaching. Follow me." With that, the Master led the student into a courtyard where there was a large barrel of water. "Gaze into the barrel," said the Master. As the student leaned over and looked in, the Zen Master suddenly pushed the student's head into the water. The Master was quite strong, and he was able to hold the student under the water for quite a while, even though the student struggled desperately. Finally, the Master let the student come up for air, and as the student gasped the Master asked, "So... is that breath boring?"
Story 2
https://www.psychologytoday.com/au/blog/the-dance-connection/201503/unforgettable-zen-story-about-letting-go
Two traveling monks reached a town where there was a young woman waiting to step out of her sedan chair. The rains had made deep puddles and she couldn’t step across without spoiling her silken robes. She stood there, looking very cross and impatient. She was scolding her attendants. They had nowhere to place the packages they held for her, so they couldn’t help her across the puddle.
The younger monk noticed the woman, said nothing, and walked by. The older monk quickly picked her up and put her on his back, transported her across the water, and put her down on the other side. She didn’t thank the older monk, she just shoved him out of the way and departed.
As they continued on their way, the young monk was brooding and preoccupied. After several hours, unable to hold his silence, he spoke out. “That woman back there was very selfish and rude, but you picked her up on your back and carried her! Then she didn’t even thank you!”
“I set the woman down hours ago,” the older monk replied. “Why are you still carrying her?”
Lots of reasons for applications ending up in here: not updating patches, publicly exposed backups, XSS vulnerabilities, connection strings etc.
This was A6 in 2013 and has since moved higher in the list.
Lots of places where we expose application specific sensitive information
Google dorks
Service is exposed over a REST API
Supports Hardware and Software Keys
HSM: the keys are stored on a physical device.
It’s just like a dictionary that holds some keys and values
The initial version supports only RSA keys. Future versions may support other key types, but it has been over 3 years and it is still like that.
Private portion never leaves the boundary of the vault
Sign/Verify (local)
Encrypt (local)/Decrypt
Wrap (local)/Unwrap
Octet sequence - The term is often used when the term byte might be ambiguous, as the byte has historically been used for storage units of a variety of sizes.
The Azure Key Vault service does not provide any semantics for secrets; it merely accepts the data, encrypts and stores it, returning a secret identifier, “id”, that may be used to retrieve the secret at a later time.
When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata.
Anyone who has access to the config files or servers can read the sensitive information.
To change a connection string you need to change it in every application that uses it.
Similarly with certificates: they expire, and you only realize it after the applications go down.
Access Policies are at the Object type level – Keys, Secrets, Certificates
To set policies at the level of an individual key, you need to create separate key vaults.
Azure Portal changes
Managed Service Identity (MSI) makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.
Separate the Vault url and the object identifier part if you want to avoid repeating the URL.
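An added example (Python; not code from the slides or from Azure) covering two of the notes above: it splits a Key Vault identifier into the vault URL and the /{object-type}/{object-name}/{object-version} part from the "Key Vault and Development Cycle" slide, and then evaluates an access policy at the object-type level, as the earlier note on access policies describes. The policy dictionary shape, the principal names and the host check are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit

OBJECT_TYPES = {"keys", "secrets", "certificates"}
VAULT_SUFFIX = ".vault.azure.net"


@dataclass(frozen=True)
class ObjectId:
    vault_url: str          # https://{keyvault-name}.vault.azure.net
    object_type: str        # keys | secrets | certificates
    name: str
    version: Optional[str]  # None: no version in the identifier, i.e. the latest version


def parse_object_id(identifier: str) -> ObjectId:
    """Split an identifier into the vault URL and its /{object-type}/{object-name}/{object-version} part."""
    u = urlsplit(identifier)
    if u.scheme != "https":
        raise ValueError("Key Vault identifiers must use https")
    host = u.hostname or ""  # u.hostname is lower-cased by urlsplit
    if not host.endswith(VAULT_SUFFIX) or host == VAULT_SUFFIX[1:]:
        raise ValueError(f"not a Key Vault host: {host!r}")  # rejects look-alike hosts in config
    segs = [s for s in u.path.split("/") if s]
    if len(segs) not in (2, 3) or segs[0] not in OBJECT_TYPES:
        raise ValueError(f"expected /{{object-type}}/{{object-name}}[/{{object-version}}], got {u.path!r}")
    return ObjectId(f"https://{host}", segs[0], segs[1], segs[2] if len(segs) == 3 else None)


# Assumed policy model (the shape is this example's, not Azure's API):
# vault URL -> principal -> object type -> allowed operations.
Policy = Dict[str, Dict[str, Dict[str, FrozenSet[str]]]]


def is_allowed(policy: Policy, principal: str, identifier: str, operation: str) -> bool:
    """Evaluate an access policy the way the notes describe it: per object type, for the whole vault."""
    obj = parse_object_id(identifier)
    per_type = policy.get(obj.vault_url, {}).get(principal, {})
    # Only the object type is consulted; obj.name plays no part, so every key in the
    # vault gets the same permissions. Restricting to one key means a separate vault.
    return operation in per_type.get(obj.object_type, frozenset())
```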
Admin can manage the sensitive information separately
When I was a kid, when we first learned about logarithms, our teacher made us get a log table, a physical book, and then taught us to use it to find the log of numbers. Basically, for those who have not used one before, you go through a big table of values: first find the right table for your base, find the right cell, and then, if you want to improve precision, you do a set of other steps and finally arrive at the value. It took a few days for us to get used to it. And then, when we all were, that’s when the teacher introduced calculators.
Similarly with programming: we were made to use a notepad with no IntelliSense etc., then code, and use the command line to build programs. And when we were able to get things working, IDEs were
You often find value when you understand how things work and then take the shortcuts or easier routes to the same problem, because then you know how to find your way through when things go wrong.