Azure Key Vault

How many times have we stored our secret keys and passwords online? Do you know by doing that you are placing your data and yourself to significant exposure of theft that can have catastrophic effects?

Some of the largest organizations on the planet have been subjected to data breaches due to their carelessness in managing passwords and data. And a study even points out that it takes nearly 7 months for the organization to get back to its feet after being subjected to a cyber-theft.

Unless you want to be one of these unfortunate organizations, you have to enhance your security by adopting services like Azure Key Vault in your ecosystem. Azure Key Vault is a service from Azure that keeps your private data secure and is a perfect choice if your infrastructure is already hosted on Azure.

Want to know more about what is Azure Key Vault and how to keep your organization secure? Read on to understand how to use it successfully to keep yourself safe from data theft.

Table of Content:

1. What is Azure Key Vault

2. What are the different applications of Azure Key Vault?

3. How to use a Key Vault in any operation?

4. How to access a secret from the Azure Key Vault?

5. Wrapping Up

What is Azure Key Vault

Azure Key Vault is a cloud facility that allows you to store private information securely. It offers a single location for the collective storage of all your secrets. By using Azure Key Vaults, your sensitive information will not be exposed in the application’s database or the config files. All you have to do is create a key in the Azure Key Vault and access it through its URL from an application. The authentication and authorization for any operation against the Key Vault will be taken care by Azure Active Directory.

What are the different applications of Azure Key Vault?

To Manage Keys

Azure Key Vault enables you to create and control keys that are typically used in the encryption of data. You can even integrate other Azure services with Key Vault to enhance its security and decrypt secrets without even knowing the encryption keys. Azure Key Vault stores both software protected keys and HSM (Hardware Security Module) protected keys.

To Manage Secrets

Azure Key Vault can store secrets like passwords, database connection strings, and other elements whose size is less than 10 KB. Typically, any data can be encrypted and stored in the Azure Key Vault. After storing the encrypted data, a secret identifier is automatically generated which is then used to access the stored secret data.

To Manage Certificates

Azure Key Vault securely stores and manages X509 certificates. You can manage and deploy public and private SSL/TLS certificates. A certificate can be created and stored by a certificate owner or it can be imported and stored. It stores both self-signed and ‘Certificate Authority’ generated certificates. Even the expiry and renewal of certificates are notified to the certificate owner.

How to use a Key Vault in an operation?

Usually, to perform any operation, some data stored in the Key Vault might be needed by us. To access the data from the Key Vault, proper authentication to the Key Vault is required. There are three ways to authenticate yourself to the Key Vault:

1. Using Azure managed identity

In this, an identity for the virtual machine is created to get access to the Key Vault. Once the identity is successfully created, it is then completely managed by Azure. Azure automatically keeps altering the identity to enhance security even further. This the most widely used method to authenticate your access to the Key Vault. There are further two types of managed identities:

• System assigned identity: System assigned identity grants access only to the Azure resource in a particular instance. Once the instance is deleted, your authorization is deleted too.
• User assigned identity: User assigned identity grants access to multiple Azure resources without depending on any instance.

2. Using Service Principal and certificate

You can use the X.509 certificate for resource authentication. The certificate is completely managed by the application owner or developer.

3. Using Service Principal and Secret

This is the least secure method. Here the application is registered in the Azure Directory and stored as a secret. This secret is then used to authenticate to the Azure Key Vault.

How to access a secret from the Azure Key Vault?

You need to perform the below steps to access a secret from the Azure Key Vault:

Step 1:

Register a security principal. A security principal is an object which is created for representing any user, application, service principal and, managed identity wanting access to resources of the vault. The registration of the security principal is done by the security administrator in the following ways:

● First of all, a user or an application needs to be registered in the Azure Active Directory (AAD).

● The security administrator then decides the grounds on which any user or application is allowed access to the Key Vault. The security administrator not only creates the Key Vault but also the policies to access secrets stored in the Key Vault. The access policies contain a list of operations that a service principal is allowed to execute with the Key Vault. Pre-defined roles are present which have been allotted with role-specific operations. The service principal is granted operations of that role which it is assigned to. Roles can be separately created for a particular service principal and the operations it can perform can be separately assigned. The method of least privilege is generally followed for assigning operations and only those operations are allowed by the access policies which are necessary for the service principal.

● Azure Key Vault firewall is also configured by the security administrator. The firewall decides whether to permit a service principal to call the Key Vault. Configuration of the Key Vault firewall can be omitted and access can be granted through the public internet. Granting access through the public internet is less secure but easier to configure. Granting access to the Key Vault can be confined to specific ranges of IP addresses, service or private endpoints, and virtual networks. This is a more secure process.

Flowchart depicting access of secret from the Key Vault by service principal

Step 2: Authentication to the Azure Active Directory (AAD) is done using one of the following service principals:

● A username and password can be used by a user for logging into the Azure Key Vault.

● Any application can log-in to the Azure Key Vault using client id and by providing the Azure Active Directory (AAD) with a client certificate or client secret.

● A virtual machine that is a resource of Azure has a pre allotted identity i.e. an Azure Managed Identity. It receives an access token by approaching the Azure Instance Metadata Services(IMDS) –REST endpoint.

Step 3: An access token is provided to the service principal on successful authentication to the Azure Active Directory (AAD).

Step 4: The Key Vault is then called by the service principal and the access token is presented to the vault.

Step 5: The Azure Key Vault firewall decides whether to permit the call to the Key Vault. Once the caller is verified as an authorized caller, the call to the Key Vault is allowed.

Step 6: The Azure Key Vault verifies the access token by calling the Azure Active Directory (AAD).

Step 7: Key vault checks the access policies determined by the security administrator. Based on permissions on these policies it is decided whether to grant access of the Key Vault to the service principal.

Step 8: If the policies permit, then access is granted to the service principal. The service principal can now access the secret of the Key Vault for its purposes.

Retrieve secret from Azure Key vault

Create the service principal in the Azure portal and client certificate for the principal. The above code snippet shows how to get the secret after configuring Azure Key Vault i.e creating tenant id and client id.

Wrapping up

This post would have given you a basic understanding of what Azure Key Vault is and why is it so popular. It is a very simple way of securely storing secrets, certificates, and keys. Encryption keys can be created and managed easily in the Azure Key Vault. So go ahead and set up your customized Azure Key Vault and create a secure store for secrets.