Azure Key Vault - An Introduction with step-by-step directions

Wikipedia defines a Hardware Security Module (HSM) as:

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.

The HSM is used when security is paramount. As with other hardware devices, there is a fair amount of work involved in procurement, cost, installation, upgrades and maintenance (to name a few)... and that's before you can use it for all the benefits it provides!

To help you out of this hardware misery, Microsoft offers you Azure Key Vault (AKV) in the cloud. It offers the benefits of an HSM, minus the headache of managing it.

How safe is storing sensitive information in AKV?

Storing information in a database and storing it in an HSM are very different. The data doesn't simply stay in a file on your server. This information is stored in a hardware device, and the device offers you many features like auditing, tamper-proofing, encryption, etc. What Microsoft provides in the form of AKV is an interface through which you can access the HSM device in a secure way.

If you want further assurance about the integrity of the key, you can generate it right inside of the HSM. How cool is that? Microsoft processes keys in FIPS 140-2 Level 2 validated HSMs and even Microsoft can't see or extract your keys. With logging enabled, you can pipe the logs to Azure HDInsight or SIEM solutions for threat detection.

Microsoft does, just like other Azure IaaS resources. They provide an SLA of 99.9% successful processing for Key Vault transactions within 5 seconds.

How can the Application access this key?

Applications have no direct access to the keys. You need to use an appropriate SDK based on your framework/language. Azure CLI, Portal & PowerShell provide an easy interface to work with the keys.

What kind of data should be stored?

Secrets which are less than 10KB should be stored in the AKV. You can also store PFX files and manage your SSL certificates using AKV. Database Connection strings, Social Network client keys, Subscription Keys, License Keys, and many other keys could be stored and managed easily using AKV.

What kind of operations are supported?

For Keys: Create, Import, Get, List, Backup, Restore, Delete, Update, Sign, Verify, Wrap, Unwrap, Encrypt & Decrypt

For Secrets: Create, Update, Get, List, Delete

For Certificates: Create, Update Policy, Contacts, Import, Renewal, Update

What about the cost?

  • Zero setup fee
  • Secrets: $0.03/10,000 requests
  • Keys: $1 per key per month
  • Certificates: $3 per renewal request

Azure Cost Calculator

Is there a quick way to test it out?

You bet! Follow along... (you can do it yourself, or simply check out the screenshots to get an overall understanding).

Step 1: Create a Key Vault in Azure

Login > Click New > Key Vault > Create

This process takes less than a minute usually. Note down the URL of your key vault (DNS Name). You will need it later.

Step 2: Create a Secret

In the settings of the Azure Key Vault that you just created, you will see a screen similar to the following. Click Secrets in the blade, followed by the Add button on the top right.

Type in your secret details:

Step 3: Register an Azure Application and create Keys

Azure Portal > Azure Active Directory > App Registrations > New

Note down your details. Remember, your client ID is the same as the Application ID.

Let's say you have a server where you intend to access the key from. You can use the server's hostname as the key summary. If this server is compromised, you can revoke its access to AKV by simply deleting this key. That's neat!!!

Step 4: Retrieve a Secret

So far, we have created a key vault to store information, and also created an application that has access to read the key. Now, let's retrieve the secret! You will typically use a package or module, SDK, Azure CLI, PowerShell, or plain vanilla API. For the sake of simplicity, I will assume you know Node.js and use a package called masterkey.

Create a file

$ vi /usr/local/.masterkey/azuresecret.json
{
  "nodeAppName":{
    "clientId":"0e57c295-d206-4710-adb2-5f184d67f067",
    "clientSecret": "yW/T7ufh9bY5q0sSkwjhG6QkmXoBupz6omDMv2V9lD8=",
    "vaultUri": "https://attosol-demo.vault.azure.net/"
  }
}

Install masterkey

npm install -g masterkey  

Try to get the key, and you should hit an error! That's because you have still not told Azure Key Vault to trust your application.

masterkey --get https://attosol-demo.vault.azure.net/secrets/dbstring --app nodeAppName
#######################################
Listing all Secrets from the KeyVault
#######################################
Unable to list secrets.

Give the permission to your app:

Portal > Your Key Vault > Access Policies > Add New > Select Principal:

Select the principal, click Ok, and Save... then try the command again!

masterkey --get https://attosol-demo.vault.azure.net/secrets/dbstring --app nodeAppName
###################################
Get a Secret from the KeyVault
###################################
http://somevalue:9999/booyaa

There you go... Your secret!!! And nothing to worry about the secrets I revealed about my app, since I am gonna delete it right away ;-)
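
The "plain vanilla API" route mentioned in Step 4, sketched as an added example (not from the original article and not masterkey's own code): it builds, without sending, the OAuth2 client-credentials token request and the Key Vault GET request, and refuses any secret identifier that is not under the configured vault so the bearer token cannot go to another host. TENANT_ID is a placeholder and API_VERSION is an assumed value; neither appears in the article.

```javascript
// Added example: constructs the two HTTPS requests; nothing is sent.
const TENANT_ID = "YOUR_TENANT_ID"; // placeholder, not from the article
const API_VERSION = "7.4";          // assumed Key Vault REST api-version

// Reject identifiers outside the configured vault so a bearer token is never
// sent to a look-alike or plain-HTTP host.
function checkSecretId(secretId, vaultUri) {
  const id = new URL(secretId);
  const vault = new URL(vaultUri);
  if (id.protocol !== "https:" || vault.protocol !== "https:") {
    throw new Error("vault and secret URLs must use https");
  }
  if (!vault.hostname.endsWith(".vault.azure.net")) {
    throw new Error("vaultUri is not an Azure Key Vault host");
  }
  if (id.hostname !== vault.hostname || !id.pathname.startsWith("/secrets/")) {
    throw new Error("secret identifier is outside the configured vault");
  }
  return id;
}

// Step 1: token request for the application registered in Step 3.
// `app` has the same shape as one entry of azuresecret.json.
function buildTokenRequest(app) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: app.clientId,
    client_secret: app.clientSecret,
    scope: "https://vault.azure.net/.default",
  });
  return {
    method: "POST",
    url: `https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Step 2: read the secret using the access token returned by step 1.
function buildSecretRequest(secretId, app, accessToken) {
  const id = checkSecretId(secretId, app.vaultUri);
  id.searchParams.set("api-version", API_VERSION);
  return {
    method: "GET",
    url: id.toString(),
    headers: { Authorization: `Bearer ${accessToken}` },
  };
}
```

Until the access policy from the previous step is saved, the second request is rejected even with a valid token, which is the failure the first masterkey run shows.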

What next?

Stay tuned for upcoming articles. You may contact us for your software and consultancy requirements.
