Azure Key Vault - An Introduction with step-by-step directions

Wikipedia defines a Hardware Security Module (HSM) as:

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.

The HSM is used when security is paramount. As with other hardware devices, there is a fair bit of technicality involved in procuring, cost, installation, upgrade and maintenance (to name a few)... and that's before you can use it for all the benefit it provides!

To help you out of this hardware misery, Microsoft offers you Azure Key Vault (AKV) in the cloud. It offers the benefits of HSM, minus the headache in managing it.

here I come

How safe is storing sensitive information in AKV?

Storing information in a database and an HSM is very different. The data doesn't simply stay in a file on your server. This information is stored in hardware device and the device offers you many features like auditing, tamper-proofing, encryption, etc. What Microsoft provides in the form of AKV is an interface using which you can access the HSM device in a secure way.

If you want further assurance about the integrity of the key, you can generate it right inside of the HSM. How cool is that? Microsoft processes keys in FIPS 140-2 Level 2 validated HSMs and even Microsoft can't see or extract your keys. With logging enabled, you can pipe the logs to Azure HD Insight or SIEM solutions for threat detection.

Who takes care of patching, provisioning, and other infrastructure related issues?

Microsoft does, just like other Azure IaaS resources. They provide an SLA of 99.9% successful processing for Key Vault transactions within 5 seconds.

How can the Application access this key?

Applications have no direct access to the keys. You need to use an appropriate SDK based on your framework/language. Azure CLI, Portal & PowerShell provides an easy interface to work with the keys.

What kind of data should be stored?

Secrets which are less than 10KB should be stored in the AKV. You can also store PFX files and manage your SSL certificates using AKV. Database Connection strings, Social Network client keys, Subscription Keys, License Keys, and many other keys could be stored and managed easily using AKV.

What kind of operations are supported?

For Keys: Create, Import, Get, List, Backup, Restore, Delete, Update, Sign, Verify, Wrap, Unwrap, Encrypt & Decrypt

For Secrets: Create, Update, Get, List, Delete

For Certificates: Create, Update Policy, Contacts, Import, Renewal, Update

What about the cost?

  • Zero setup fee
  • Secrets: $0.03/10,000 requests
  • Keys: $1 per key per month
  • Certificates: $3 per renewal request

Azure Cost Calculator

Is there a quick way to test it out?

You bet! Follow along... (you can do it yourself, or simply checkout the screenshots to get an overall understanding).

Step 1: Create a Key Vault in Azure

Login > Click New > Key Vault > Create
Step1

This process takes less than a minute usually. Note down the URL of your key vault (DNS Name). You will need it later.
keyvault

Step 2: Create a Secret

In the Azure Key Vault settings that you just created you will see a screen similar to the following. Click Secrets in the blade, followed by Add button on the top right.
Step2.1

Type in your secret details:
Step2.2

Step 3: Register an Azure Application and create Keys

Azure Portal > Azure Active Directory > App Registrations > New
Step3.1

Note down your details. Remember, your client id is same as Application ID.
Step3.2

Let's say you have a server where you intend to access the key from. You can use the server's hostname as the key description. If this server is compromised, you can revoke the access to AKV by simply deleting this key. That's neat!!!
Step3.3

Step 4: Retrieve a Secret

So far, we have created a key vault to store information, and also created an application that has access to read the key. Now, let's retrieve the secret! You will typically use a package or module, SDK, Azure CLI, PowerShell, or plain vanilla API. For the sake of simplicity, I will assume you know Node.js and use a package called masterkey.

Create a file

$ vi /usr/local/.masterkey/azuresecret.json
{
  "nodeAppName":{
    "clientId":"0e57c295-d206-4710-adb2-5f184d67f067",
    "clientSecret": "yW/T7ufh9bY5q0sSkwjhG6QkmXoBupz6omDMv2V9lD8=",
    "vaultUri": "https://attosol-demo.vault.azure.net/"
  }
}

Install masterkey

npm install -g masterkey  

Try to get the key, and you should hit an error! That's because, you have still not told Azure Key Vault to trust your application.

masterkey --get https://attosol-demo.vault.azure.net/secrets/dbstring --app nodeAppName  
#######################################
Listing all Secrets from the KeyVault  
#######################################
Unable to list secrets.  

Give the permission to your app:
Portal > Your Key Vault > Access Policies > Add New > Select Principal:
select principal

Select the principal, click Ok, and Save... the try the command again!

masterkey --get https://attosol-demo.vault.azure.net/secrets/dbstring --app nodeAppName  
###################################
Get a Secret from the KeyVault  
###################################
http://somevalue:9999/booyaa  

There you go... Your secret!!! And nothing to worry about the secrets I revealed about my app, since I am gonna delete it right away ;-)

What next?

Well, stay tuned for upcoming articles. Say hi, share this article, leave a comment or Subscribe now to stay updated through our newsletter. Also, check out our services or contact us at contact@attosol.com for your software and consultancy requirements.

Ads:

Rahul Soni

⌘⌘ Entrepreneur. Author. Geek. ⌘⌘

Kolkata, India

Subscribe to Attosol Technologies

Get the latest posts delivered right to your inbox.

or subscribe via RSS with Feedly!